What is Verified by Visa (VbV)?
Verified by Visa (VbV) was Visa's brand name for its 3D Secure cardholder authentication programme from 2001 until it was rebranded to Visa Secure in 2019. It's the checkout step where you enter your card details and your bank then asks you to confirm the payment — usually through a banking app prompt or a one-time code. Today's VbV flows run on 3D Secure 2, which authenticates most low-risk transactions silently and only challenges the cardholder when something looks off.
Verified by Visa (VbV) is the consumer-facing brand Visa used between 2001 and 2019 for its implementation of the 3D Secure authentication protocol on online card payments. It's been rebranded as Visa Secure, but plenty of merchants, agreements and old checkout pages still call it VbV. Mastercard's equivalent was SecureCode, now Identity Check; Amex's is SafeKey. Behind the brand it's the same idea — when you pay online, your bank gets the chance to confirm it's really you before the transaction is approved.
Verified by Visa, now marketed as Visa Secure, is Visa's wrapper around the 3D Secure protocol. The protocol routes the authentication request through three domains — Visa's network, your bank, and the merchant's payment provider — so the bank can decide whether to approve the payment silently or ask you to verify yourself. Most flows you see in 2026 are running 3D Secure 2 (3DS2), not the original 1.0 spec, which Visa retired for new merchants in October 2022.
Where the name came from, and why it changed
Visa launched VbV in 2001 to bolt an authentication step onto online card payments, which were exploding alongside e-commerce and racking up fraud at rates the card networks couldn't ignore. The pitch to consumers was simple: register a password with your bank, type it in at checkout, and you'd be protected. The pitch to merchants was simpler still — if you implement VbV and the customer authenticates successfully, fraud chargeback liability shifts from you to the issuing bank.
The execution was rough. Customers forgot their VbV passwords constantly, the redirect to the bank's authentication page looked like a phishing attack, and on mobile it was actively bad. Merchants who turned it on watched their conversion rates fall by double digits. By the mid-2010s, the industry had agreed VbV 1.0 was a security upgrade that was costing more in lost sales than it was saving in fraud.
3D Secure 2 fixed most of the problems
The replacement protocol, 3D Secure 2, is what runs under the Visa Secure brand today. Instead of demanding a password from every customer, 3DS2 sends 100-plus data points to the issuing bank — device, location, transaction history, behavioural signals — and lets the bank's risk engine decide. If the data looks normal, the bank approves the payment frictionlessly and the customer never sees a challenge. If something's off, the bank steps up to a challenge, usually via the banking app rather than a separate webpage. Well-tuned merchants run 90%+ of their 3DS2 volume through the frictionless flow.
You'll still see the words "Verified by Visa" on plenty of legacy contracts and merchant statements. The protocol underneath is the modern one — branding catches up slowly.
Liability shift is the reason merchants bother
The commercial draw of VbV/Visa Secure has always been the chargeback liability shift. When a transaction is successfully authenticated, the merchant is protected against "It Wasn't Me" fraud disputes — the issuing bank takes the loss instead. For card-not-present merchants, where chargebacks are an everyday cost line, that protection is worth real money. The catch is that the shift only applies when authentication actually completes, so merchants need to pay attention to authentication rates, not just whether 3DS is switched on.
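To make the point about watching authentication rates concrete, here is an added example (not Paytia's or Visa's code) that summarises a batch of 3DS2 outcomes. The sample records and tuple layout are constructed assumptions, and liability shift is simplified to "authentication completed", as the text describes.

```python
# Constructed sample data, not real transactions. Tuple layout is an assumption:
# (id, amount in pence, final 3DS2 transStatus or None if 3DS never ran, challenged?)
SAMPLE = [
    ("t01", 12000, "Y", False), ("t02", 4500, "Y", False),
    ("t03", 30000, "Y", False), ("t04", 6000, "Y", False),
    ("t05", 8000, "Y", False), ("t06", 2500, "Y", False),
    ("t07", 15000, "Y", False),
    ("t08", 50000, "Y", True),    # issuer challenged, cardholder completed it
    ("t09", 75000, "N", True),    # issuer challenged, authentication failed
    ("t10", 20000, "U", False),   # authentication could not be performed
    ("t11", 9000, None, False),   # 3DS did not run for this payment
]


def ratio(numerator, denominator):
    """Return a fraction, or None when there is nothing to measure."""
    return numerator / denominator if denominator else None


def summarise(records):
    """Report how much volume actually authenticated, not just whether 3DS is on."""
    ran = [r for r in records if r[2] is not None]
    challenged = [r for r in ran if r[3]]
    authenticated = [r for r in ran if r[2] == "Y"]
    # Assumption following the text: the shift is modelled as applying only
    # when authentication completed ("Y"). Real scheme rules are more detailed.
    exposed = [r for r in records if r[2] != "Y"]
    return {
        "frictionless_share": ratio(len(ran) - len(challenged), len(ran)),
        "authentication_rate": ratio(len(authenticated), len(ran)),
        "challenge_completion": ratio(
            sum(1 for r in challenged if r[2] == "Y"), len(challenged)
        ),
        "exposed_ids": [r[0] for r in exposed],
        "exposed_pence": sum(r[1] for r in exposed),
    }


if __name__ == "__main__":
    for name, value in summarise(SAMPLE).items():
        print(f"{name}: {value}")
```

In this sample 3DS is "on" for ten of eleven payments, yet three payments worth £1,040 sit outside the modelled liability shift.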
PSD2 SCA made it effectively mandatory in Europe
From January 2021, the second Payment Services Directive's Strong Customer Authentication rules required two-factor authentication on most online card payments over £30 across the UK and EEA. 3D Secure 2 is the mechanism the card industry uses to deliver that — so for any European merchant taking online card payments above the threshold, running Visa Secure (and Mastercard Identity Check, and SafeKey) isn't really optional anymore. There are exemptions for low-value transactions, recurring payments, trusted beneficiaries and merchants with low fraud rates, but the default is authenticated.
Where VbV doesn't apply: phone payments
3D Secure is designed for online checkouts. Phone payments are MOTO transactions and they're carved out of the SCA mandate — there's no practical way to authenticate a customer through 3DS while they're on a voice call. That carve-out is useful for merchants taking MOTO payments, but it has a downside: no 3DS authentication means no liability shift. If a phone payment turns out to be fraud, the merchant pays. That's why phone-payment fraud controls — AVS, CVV checks, agent training, velocity rules — matter so much, and why fraudsters increasingly target the phone channel when online checkouts are well-protected.
Paytia takes phone payments, which sit in the MOTO carve-out from SCA — Verified by Visa and 3D Secure don't run during a voice call. That's why our security model focuses on what we can control: keeping card data out of your call recordings, your CRM, your agents' screens and your network entirely. DTMF masking means the customer keys their card into their own phone keypad and the tones are scrambled before they reach your contact centre, so there's nothing sensitive to leak.
If you'd rather get the 3DS liability shift, we'll send the customer a secure payment link mid-call so they can pay through their own device with full Visa Secure authentication. Same conversation, different rails — you choose whichever fits the transaction. Either way, you're outside PCI DSS scope for that card data.
Frequently Asked Questions
Is Verified by Visa still a thing in 2026?
The protocol is, but the name's been retired. Visa rebranded VbV to Visa Secure in 2019, and the underlying technology moved from the old 3D Secure 1.0 to 3D Secure 2. You'll still see "Verified by Visa" on older merchant agreements and checkout pages, but the active protocol is 3DS2.
Do I need Verified by Visa on my online checkout?
If you're taking online card payments in the UK or EEA, effectively yes. PSD2's Strong Customer Authentication rules make 3D Secure 2 the default for most transactions over £30, and Visa Secure is how Visa cards meet that requirement. Your payment service provider handles the integration.
Does Verified by Visa apply to phone payments?
No. Phone payments are MOTO transactions and they're exempt from SCA, so 3D Secure doesn't run during a voice call. That also means there's no liability shift on phone fraud — the merchant carries the risk, which is why other controls matter.
What's the equivalent of VbV for Mastercard and Amex?
Mastercard's version was SecureCode, now Mastercard Identity Check. American Express calls theirs SafeKey. They're all branded wrappers around the same underlying 3D Secure protocol.
Does successful VbV authentication stop all chargebacks?
Just the fraud-related ones. A successful 3DS authentication shifts liability for unauthorised-use chargebacks from the merchant to the card issuer. Disputes about goods not received, faulty products or services not as described still come out of your account.