Merchant Initiated Transactions (MIT), or the so-called 3RI (3D Secure Initiated Transactions), are not in the scope of PSD2. However, such transactions can still be a source of fraud if left unauthenticated. Before Decoupled Authentication, issuers could only accept these types of transactions without authentication or decline them. Decoupled Authentication enables buyers to authenticate transactions even when they were offline at the time of the transaction. Let's see how it works!
The latest upgrade of the 3D Secure 2 protocol includes multiple new features, one of them being Decoupled Authentication: an authentication method that allows cardholder authentication to take place separately from the payment workflow and without the customer interacting with the online merchant. Authentication responsibility shifts to the Issuing Bank, which can authenticate the cardholder even though the cardholder is offline.
Standard 3D Secure authentication, whether browser or in-app, takes place in real time, meaning that the authentication is performed during the payment process. The challenge screen is displayed to the cardholder while the checkout is taking place, and the cardholder has a predefined timeframe to complete the challenge.
In contrast, decoupled authentication is performed without the customer interacting with the online merchant's webshop or app. This type of authentication verifies the transaction over a different channel (e.g., push notification, email). The merchant sets a timeframe in which decoupled authentication takes place. The timespan varies from just a few days up to a week.
Decoupled Authentication is available in 3D Secure protocol version 2.2. It is a natural progression from Out-of-Band Authentication (OOB). With OOB, the Issuer sends a Push Notification to a banking application, which prompts the cardholder to complete the authentication. It allows the cardholder several days to complete the authentication process. It is ideal when the cardholder is not immediately available for authentication, but authentication is mandatory. Therefore, decoupled authentication is a type of Merchant-Initiated Transaction (MIT), and it is applicable to all device channels: browser, app, and 3RI.
Decoupled Authentication (DA) enables authorization at a different time from when the transaction took place, and on a different device (smartphone, tablet).
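The decoupled exchange described above, sketched from the 3DS Server's side as an added example (not code from the original article). The field names are EMV 3DS 2.2 message elements; the function names, the sample transaction ID, and the rule that a result arriving after the merchant's window is rejected are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_DEC_MINUTES = 10080  # 7 days: upper bound for threeDSRequestorDecMaxTime

def build_decoupled_areq(trans_id, max_minutes, device_channel="03"):
    """AReq fields that ask the issuer's ACS for Decoupled Authentication."""
    if not 1 <= max_minutes <= MAX_DEC_MINUTES:
        raise ValueError("threeDSRequestorDecMaxTime must be 1..10080 minutes")
    return {
        "messageType": "AReq",
        "messageVersion": "2.2.0",
        "threeDSServerTransID": trans_id,
        "deviceChannel": device_channel,  # 01 = app, 02 = browser, 03 = 3RI
        "threeDSRequestorDecReqInd": "Y",  # merchant accepts decoupled auth
        "threeDSRequestorDecMaxTime": f"{max_minutes:05d}",  # merchant's timeframe
    }

def open_pending(areq, ares, sent_at):
    """Track the transaction only if the ARes confirms decoupled auth (transStatus D)."""
    if ares.get("threeDSServerTransID") != areq["threeDSServerTransID"]:
        raise ValueError("ARes does not belong to this AReq")
    if ares.get("transStatus") != "D":
        return None  # issuer did not choose Decoupled Authentication
    window = timedelta(minutes=int(areq["threeDSRequestorDecMaxTime"]))
    return {"trans_id": areq["threeDSServerTransID"], "deadline": sent_at + window, "done": False}

def apply_rreq(pending, rreq, received_at):
    """Check the RReq that carries the final result before acting on it."""
    if rreq.get("threeDSServerTransID") != pending["trans_id"]:
        return "reject: unknown transaction"
    if pending["done"]:
        return "reject: result already recorded"  # replayed result
    if received_at > pending["deadline"]:  # assumption: late results are not honoured
        return "reject: decoupled window expired"
    pending["done"] = True
    return "authenticated" if rreq.get("transStatus") == "Y" else "not authenticated"

if __name__ == "__main__":
    # Constructed sample messages; the transaction ID is a placeholder.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    areq = build_decoupled_areq("00000000-0000-4000-8000-000000000001", 3 * 24 * 60)
    pending = open_pending(areq, {"threeDSServerTransID": areq["threeDSServerTransID"], "transStatus": "D"}, t0)
    rreq = {"threeDSServerTransID": areq["threeDSServerTransID"], "transStatus": "Y"}
    print(apply_rreq(pending, rreq, t0 + timedelta(days=2)))  # cardholder approved on day 2
    print(apply_rreq(pending, rreq, t0 + timedelta(days=2)))  # same result sent again
```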
The standard decoupled authentication method applies the following flow:
For the authentication process to run smoothly, it is vital that the cardholder is provided with all necessary data elements. These elements include the merchant name, the incremental transaction amount, and the reasons for additional authentication, which makes the user experience as seamless as possible.
If the Issuing Bank wants to authenticate its cardholder outside of the standard 3D Secure flow, it can use decoupled authentication.
Use cases are the following: