Data Only: Maximize Approval Rates

Quick Reference

What: Approval rate optimization via data sharing
Why: Send enriched data to issuers through 3DS rails — zero friction, higher approvals
Reading Time: 15 min
Difficulty: Intermediate
Prerequisites: Authentication → 3D Secure → Create charge

What is Data Only?

Data Only uses EMV 3DS infrastructure to share transaction, device, and behavioral data with card networks and issuers — without ever showing a challenge to the cardholder. The issuer receives enriched data and makes a more informed authorization decision.

The result: higher approval rates, zero cart abandonment from authentication, and no redirect or popup.


Why Data Only matters

The numbers make the case:

| Metric | Value | Source |
| --- | --- | --- |
| False decline impact vs fraud | 3x greater — declining a good customer costs 3x more than fraud | Visa Global Client |
| US eCommerce fraud (projected) | $13 billion by 2026 | Visa |
| Global cart abandonment rate | 70% average | Baymard Institute |
| Conversion drop from 3DS friction | 2–15% depending on market | Decta / US Payments Forum |
| US merchant 3DS adoption | Only ~3% of transactions | US Payments Forum Brief #2 |
| Square pilot (6M transactions, 9 months) | +23 to +646 basis points per financial institution | Broadcom/Arcot case study |
| Chargeback rate improvement (same pilot) | 6% reduction | Broadcom/Arcot case study |

Decision matrix

| Criterion | Full 3DS | Data Only | No authentication |
| --- | --- | --- | --- |
| Brands | All supported | Visa and Mastercard only | All |
| Challenge to cardholder | Yes, when required by issuer | Never | Never |
| Liability shift | Yes | No | No |
| Approval rate impact | May decrease (friction) | Increases (enriched data) | Baseline |
| Chargeback protection | Issuer bears (when shift applies) | Merchant bears | Merchant bears |
| Data sent to issuer | Device + behavioral + challenge result | Device + behavioral (richer context) | None |
| Best for | High-value, regulated, PSD2/SCA markets | High-volume, low-risk, LATAM | Low-risk, low-value |
| PSD2/SCA markets | Required | Not available (SCA takes priority) | Not compliant |

Mutually exclusive with full 3DS

data_only and threeds_authentication cannot both be true on the same charge. If you force full 3DS authentication (threeds_authentication: true), the system requires ECI 02 or 05 (fully authenticated). Data Only produces ECI 06 or 07, which fails forced 3DS validation.

Choose one strategy per transaction.


How it works

The key insight: the issuer receives two signals — the risk evaluation from the network and the enriched data from your device_info. This is more information than a standard authorization, so the issuer can approve with higher confidence.


Step-by-step integration

1. Collect device and browser data

Capture real browser values on the client side. Never fabricate these — synthetic data increases decline rates.

    // Run inside an async function or an ES module (uses await).
    const deviceInfo = {
      // '/api/ip' is your own backend endpoint that returns the caller's public IP
      ip_address: await fetch('/api/ip').then(r => r.text()),
      user_agent: navigator.userAgent,
      // Scripts cannot read the request's Accept header, so these two are static values
      http_accept_content: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
      http_accept_browser_value: '*/*',
      http_browser_language: navigator.language,
      http_browser_java_enabled: navigator.javaEnabled?.() ?? false,
      http_browser_javascript_enabled: true,
      http_browser_color_depth: String(screen.colorDepth),
      http_browser_screen_height: String(screen.height),
      http_browser_screen_width: String(screen.width),
      // Minutes between UTC and local time, as returned by getTimezoneOffset()
      http_browser_time_difference: String(new Date().getTimezoneOffset()),
    };

Send deviceInfo to your backend for the charge request.

2. Authenticate and get an access token

    curl -s -X POST "https://a55-auth.auth.us-east-1.amazoncognito.com/oauth2/token" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=client_credentials&client_id=$CLIENT_ID&client_secret=$CLIENT_SECRET"

3. Create a charge with data_only: true

Set data_only: true and include the full device_info object from Step 1.

    curl -sS -X POST "https://core-manager.a55.tech/api/v1/bank/wallet/charge/" \
      -H "Authorization: Bearer $ACCESS_TOKEN" \
      -H "Content-Type: application/json" \
      -H "Idempotency-Key: dataonly_001" \
      -d '{
        "wallet_uuid": "00000000-0000-4000-8000-000000000001",
        "merchant_id": "merchant_123",
        "payer_name": "Jane Doe",
        "payer_email": "jane@example.com",
        "payer_cell_phone": "+5511999999999",
        "payer_tax_id": "12345678901",
        "items": [{"name": "Premium Plan", "quantity": 1, "value": 29900}],
        "payer_address": {
          "street": "Av. Paulista 1000", "city": "São Paulo",
          "state": "SP", "zip_code": "01310100", "country": "BR"
        },
        "currency": "BRL",
        "installment_value": 29900,
        "installment_count": 1,
        "due_date": "2026-12-31",
        "description": "Premium subscription",
        "type_charge": "credit_card",
        "card_name": "JANE DOE",
        "card_number": "4111111111111111",
        "card_expiry_month": 12,
        "card_expiry_year": 2030,
        "card_cvv": "123",
        "data_only": true,
        "device_info": {
          "ip_address": "203.0.113.10",
          "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
          "device_id": "dev_xyz",
          "session_id": "sess_abc",
          "http_accept_content": "text/html,application/xhtml+xml",
          "http_accept_browser_value": "*/*",
          "http_browser_language": "pt-BR",
          "http_browser_java_enabled": false,
          "http_browser_javascript_enabled": true,
          "http_browser_color_depth": "24",
          "http_browser_screen_height": "900",
          "http_browser_screen_width": "1440",
          "http_browser_time_difference": "180"
        },
        "reference_external_id": "dataonly_001",
        "webhook_url": "https://merchant.example/webhooks/a55"
      }'

4. Handle the response

Data Only charges resolve immediately — no redirect, no url_3ds, no waiting for challenge completion.

    {
      "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "status": "confirmed",
      "reference_external_id": "dataonly_001",
      "data_only": true,
      "eci": "07",
      "authentication_status": "data_only_succeeded",
      "amount": 29900,
      "currency": "BRL",
      "type_charge": "credit_card"
    }

5. Verify via webhook

A55 sends a webhook to your webhook_url with the final status. Always use the webhook as the source of truth.

    {
      "charge_uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "status": "paid",
      "transaction_reference": "txn_ref_001",
      "webhook_url": "https://merchant.example/webhooks/a55"
    }

device_info reference

These fields feed the issuer's risk model. More data = better risk assessment = higher approval rates.

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| ip_address | string | Yes | Client public IP address |
| user_agent | string | Yes | Browser User-Agent header |
| http_accept_content | string | Yes | HTTP Accept header value |
| http_accept_browser_value | string | Yes | Browser Accept header |
| http_browser_language | string | Yes | Browser/OS language (e.g., pt-BR) |
| http_browser_java_enabled | boolean | Yes | Whether Java plugin is enabled |
| http_browser_javascript_enabled | boolean | Yes | Whether JavaScript is enabled |
| http_browser_color_depth | string | Yes | Screen color depth (e.g., "24") |
| http_browser_screen_height | string | Yes | Screen height in pixels |
| http_browser_screen_width | string | Yes | Screen width in pixels |
| http_browser_time_difference | string | Yes | Minutes offset from UTC (e.g., "180" for BRT) |
| device_id | string | No | Stable device identifier |
| session_id | string | No | Checkout session identifier |
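
An added example, not A55's code: a backend check that a device_info payload matches the field table above before the charge is sent, so incomplete or implausible payloads are caught before they reach the issuer. The plausibility rules (public IP, numeric strings, offset range) and the names validateDeviceInfo and BAD_SAMPLE are assumptions of this example.

```javascript
// Added example (not A55 code). Field names and types follow the device_info
// reference table; the plausibility rules are assumptions of this example.
const REQUIRED = {
  ip_address: 'string', user_agent: 'string', http_accept_content: 'string',
  http_accept_browser_value: 'string', http_browser_language: 'string',
  http_browser_java_enabled: 'boolean', http_browser_javascript_enabled: 'boolean',
  http_browser_color_depth: 'string', http_browser_screen_height: 'string',
  http_browser_screen_width: 'string', http_browser_time_difference: 'string',
};
const OPTIONAL = { device_id: 'string', session_id: 'string' };

// True when an IPv4 address cannot be a client's public address.
function isNonPublicIPv4(ip) {
  const [a, b] = ip.split('.').map(Number);
  return a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Returns a list of problems; an empty list means the payload passed.
function validateDeviceInfo(info) {
  const problems = [];
  for (const [field, type] of Object.entries({ ...REQUIRED, ...OPTIONAL })) {
    const value = info[field];
    if (value === undefined) { if (field in REQUIRED) problems.push(`${field}: missing`); }
    else if (typeof value !== type) problems.push(`${field}: expected ${type}`);
    else if (type === 'string' && value.trim() === '') problems.push(`${field}: empty`);
  }
  const str = (f) => (typeof info[f] === 'string' ? info[f] : null);
  const ip = str('ip_address');
  const v4 = ip && /^\d{1,3}(\.\d{1,3}){3}$/.test(ip) && ip.split('.').every((o) => Number(o) <= 255);
  const v6 = ip && ip.includes(':') && /^[0-9a-fA-F:.]+$/.test(ip);
  if (ip && !v4 && !v6) problems.push('ip_address: not an IP address');
  if (v4 && isNonPublicIPv4(ip)) problems.push('ip_address: not a public address');
  for (const f of ['http_browser_color_depth', 'http_browser_screen_height', 'http_browser_screen_width']) {
    if (str(f) && !/^[1-9]\d{0,4}$/.test(str(f))) problems.push(`${f}: not a positive integer`);
  }
  const tz = str('http_browser_time_difference');
  // Date.getTimezoneOffset() ranges from -840 (UTC+14) to 720 (UTC-12)
  if (tz && (!/^-?\d{1,3}$/.test(tz) || Number(tz) < -840 || Number(tz) > 720)) {
    problems.push('http_browser_time_difference: out of range');
  }
  return problems;
}

// Constructed sample: private IP, numeric color depth, every other field absent.
const BAD_SAMPLE = { ip_address: '192.168.1.5', http_browser_color_depth: 24 };
```

Run it on the backend just before building the charge request, and log the returned problems rather than silently filling the gaps with defaults.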

Visa vs Mastercard response differences

Both networks support Data Only, but the authentication response fields differ:

| Field | Visa Data Only | Mastercard Identity Check Insights |
| --- | --- | --- |
| Program name | Visa Data Only (VDO) | Identity Check Insights (IDCI) |
| ECI | 07 | 04 or 06 (acquirer-dependent) |
| Transaction status | I (informational) | U (unauthenticated) |
| CAVV/AAV | Present | Present |
| Challenge indicator sent | 06 (data share only) | 06 (data share only) |
| Message category | Standard | 80 (IDCI-specific) |
| Liability shift | No | No |

Visa DCAP (Digital Commerce Authentication Program)

For US and Canada transactions, Visa offers the DCAP program — an enhanced Data Only path that requires specific fields for maximum approval rate benefit.

DCAP-required fields

| Field | Why it matters |
| --- | --- |
| ip_address | Geolocation and velocity checks |
| payer_email | Identity correlation across merchants |
| payer_address (full billing address) | AVS matching and address verification |
| Device fingerprint (device_info) | Device reputation and behavioral analysis |

If you send cross-border charges to the US or Canada, include all these fields to qualify for DCAP's enhanced authorization data.


Debit cards and Data Only

Data Only also applies to debit card transactions. The backend validates that debit charges include either full 3DS authentication or Data Only:

| ECI | Accepted for debit |
| --- | --- |
| 02 | Yes (full 3DS — Mastercard) |
| 05 | Yes (full 3DS — Visa) |
| 06 | Yes (Data Only — Mastercard) |
| 07 | Yes (Data Only — Visa) |

If a debit charge arrives without a valid ECI from 3DS or Data Only, it is rejected with the message: "Transaction not authenticated 3DS or DataOnly is required for debit card."
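
An added example, not A55's code: the mutual-exclusivity rule from the decision matrix section and the debit ECI table above, applied together on the merchant side to decide whether a result is consistent and who bears chargeback liability. The inputs isDebit and brand, the function name evaluateCharge and the result shape are assumptions of this example; the ECI sets are copied from the page's tables.

```javascript
// Added example (not A55 code): ECI rules from this page applied to one charge.
const FULLY_AUTHENTICATED = new Set(['02', '05']);       // required when 3DS is forced
const DEBIT_ACCEPTED = new Set(['02', '05', '06', '07']); // debit ECI table
// Per-brand Data Only ECIs from the Visa vs Mastercard table
const DATA_ONLY_BY_BRAND = { visa: new Set(['07']), mastercard: new Set(['04', '06']) };
const DEBIT_MESSAGE = 'Transaction not authenticated 3DS or DataOnly is required for debit card.';

function reject(reason) {
  return { accepted: false, liabilityShift: false, reason };
}

// isDebit and brand are hypothetical inputs; eci comes from the charge response.
function evaluateCharge({ data_only = false, threeds_authentication = false, isDebit = false, brand, eci }) {
  if (data_only && threeds_authentication) {
    return reject('data_only and threeds_authentication cannot both be true');
  }
  if (threeds_authentication && !FULLY_AUTHENTICATED.has(eci)) {
    return reject(`forced 3DS requires ECI 02 or 05, got ${eci}`);
  }
  if (data_only && !DATA_ONLY_BY_BRAND[brand]?.has(eci)) {
    return reject(`unexpected Data Only ECI ${eci} for brand ${brand}`);
  }
  if (isDebit && !DEBIT_ACCEPTED.has(eci)) {
    return reject(DEBIT_MESSAGE);
  }
  // Only a fully authenticated result moves chargeback liability to the issuer.
  return { accepted: true, liabilityShift: FULLY_AUTHENTICATED.has(eci), reason: null };
}

// Constructed edge case: Mastercard Data Only may return ECI 04 (acquirer-dependent),
// which the debit table does not list, so the same result fails on a debit card.
const MC_DEBIT_ECI_04 = { data_only: true, isDebit: true, brand: 'mastercard', eci: '04' };
```

Charges that come back accepted with liabilityShift false are the ones to keep under your own fraud screening, since the merchant bears the chargeback.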


Test with sandbox cards

| Card Number | Brand | Scenario | Expected Status |
| --- | --- | --- | --- |
| 4111 1111 1111 1111 | Visa | Data Only — confirmed | confirmed |
| 5500 0000 0000 0004 | Mastercard | Data Only — confirmed (IDCI) | confirmed |
| 4000 0000 0000 0002 | Visa | Data Only — declined by issuer | declined |
| 4000 0000 0000 0069 | Visa | Data Only — processing error | error |

Sandbox behavior

In sandbox, Data Only charges are simulated. The data_only flag is accepted and the response includes eci and authentication_status fields, but no actual network communication occurs. Use these test cards to validate your integration logic.


For A55 partners: activation discussion

Data Only is available today through A55 but requires coordination to activate. To start:

  1. Confirm acquirer support — not all acquirers in your routing table support Data Only. Your integration manager will verify which providers are enabled.
  2. Enable Data Only in your merchant configuration — the authentication_dataonly_enabled flag must be set on your account.
  3. Review your device_info data quality — incomplete or synthetic data negates the benefit. A55 can audit your recent payloads.
  4. Analyze your transaction profile — your integration manager can model expected approval rate uplift based on your current decline patterns.

Contact your integration manager or email tech.services@a55.tech to schedule a Data Only activation review.


References

This page is built from 17 industry sources:

  1. Visa Data Only for merchants and issuers
  2. CyberSource: Visa Data Only REST Example
  3. Adyen: Data-only flow
  4. Fiserv LATAM: Data Only — Mastercard and Visa
  5. PXP Kalixa: 3DS2 Data Only Flow
  6. PayPal: 3DS Data Only and authorization rates
  7. Square + Broadcom/Arcot: 6M transaction pilot case study
  8. US Payments Forum: 3DS Data Only Brief #2 (Aug 2025)
  9. Datos Insights: Lower Fraud, No Friction
  10. EMVCo: 3DS 2.2 specification — challengeInd "06"
  11. Mastercard: Identity Check Insights Program
  12. Stripe: Visa DCAP on Stripe
  13. Decta: 5 Optimization Tips for 3DS Approval Rates
  14. Cardinal/Verifi: Data Only
  15. Visa European EMV 3DS 2.2.0 Implementation Guide
  16. CyberSource: Visa Data Only Testing
  17. Merchant Advisory Group: Visa DCAP and VAMP Programs