
Decoupled Authentication Explained

Merchant Initiated Transactions (MIT), also referred to as 3RI (3DS Requestor Initiated) transactions, are out of scope of PSD2. Such transactions can nonetheless become a source of fraud if they are left unauthenticated. Before Decoupled Authentication, issuers had only two options for these transactions: accept them without authentication or decline them. Decoupled Authentication lets cardholders authenticate transactions that were initiated while they were offline. Let's see how it works!

3D Secure 2 & Decoupled Authentication

The latest upgrade of the 3D Secure 2 protocol includes multiple new features, one of them being Decoupled Authentication: an authentication method that separates cardholder authentication from the payment workflow and does not require the customer to interact with the online merchant. Responsibility for the authentication shifts to the Issuing Bank, which can carry it out even while the cardholder is offline.

Decoupled Authentication Flow

Standard 3D Secure authentication, whether in the browser or in-app, takes place in real time, meaning that the authentication is performed during the payment process. The challenge screen is displayed to the cardholder while the checkout is taking place, and gives them a predefined timeframe in which to complete the challenge.

By contrast, decoupled customer authentication is performed without any interaction with the online merchant's webshop or app. This type of authentication verifies the transaction over a different channel (e.g., push notification, email). The merchant sets the timeframe in which the decoupled authentication must take place; it ranges from just a few days up to a week.

Decoupled Authentication is available in 3D Secure protocol version 2.2. It is a natural progression from Out-of-Band (OOB) Authentication. With OOB, the Issuer sends a push notification to a banking application, which prompts the cardholder to complete the authentication. Decoupled Authentication allows the cardholder several days to complete the authentication process, which makes it ideal when the cardholder is not immediately available but authentication is mandatory. Decoupled authentication is therefore a type of Merchant-Initiated Transaction (MIT), and it is applicable to all device channels: browser, app, and 3RI.

Authentication flow

Decoupled Authentication (DA) lets the cardholder authenticate at a time different from when the transaction took place, and on a different device (smartphone, tablet).

The standard decoupled authentication method applies the following flow:

  • The merchant sends an Authentication Request (AReq) message and waits for a notification that the authentication is complete (the wait can last from several days up to a week).
  • The Issuer confirms whether it supports decoupled authentication. If it does, the cardholder authenticates outside of the 3DS challenge flow.
  • After authentication, the Issuer sends the result back in a Results Request (RReq) message.
  • The Merchant confirms receipt with a Results Response (RRes) message.

For the authentication process to run smoothly, it is vital that the cardholder is shown all the necessary data elements: the merchant name, the (incremental) transaction amount, and the reason for the additional authentication. This keeps the user experience as seamless as possible.
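A simulation of the exchange just described, as an added example (not Trides2 code and not a conforming 3DS Server or ACS): the merchant's 3DS Server sends an AReq asking for decoupled authentication with a maximum wait time, the issuer's ACS answers with an ARes, holds the request until the cardholder answers a push notification carrying the merchant name, amount and reason, and then reports the outcome in an RReq that the 3DS Server acknowledges with an RRes. Field names follow my reading of the EMV 3DS 2.2 specification (transStatus D/C/Y/N, threeDSRequestorDecReqInd, threeDSRequestorDecMaxTime, resultsStatus 01); the clock, the merchant, the `reason` field and the push payload are constructed for the example. Two checks a practitioner would want are built in: an answer arriving after the requested window counts as not authenticated, and the 3DS Server acknowledges an RReq only for a transaction it actually opened.

```python
"""Simulated EMV 3DS 2.2 Decoupled Authentication exchange (added example).

Not Trides2 code. Message and field names follow my reading of the EMV 3DS
2.2 spec; the state handling, clock and push payload are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import uuid

MAX_DEC_MINUTES = 10080  # 7 days: the longest decoupled window, as I read the spec


@dataclass
class PendingAuth:
    trans_id: str
    deadline: datetime
    context: dict  # what the banking app shows the cardholder out-of-band


class ThreeDSServer:
    """Merchant side: builds the AReq, tracks open transactions, answers RReq."""

    def __init__(self):
        self.pending = {}

    def build_areq(self, merchant_name, amount, currency, reason, dec_max_minutes):
        if not 1 <= dec_max_minutes <= MAX_DEC_MINUTES:
            raise ValueError("threeDSRequestorDecMaxTime out of range")
        trans_id = str(uuid.uuid4())
        areq = {
            "messageType": "AReq",
            "threeDSServerTransID": trans_id,
            "merchantName": merchant_name,
            "purchaseAmount": amount,
            "purchaseCurrency": currency,
            "threeDSRequestorDecReqInd": "Y",  # request decoupled authentication
            "threeDSRequestorDecMaxTime": dec_max_minutes,
            "reason": reason,  # constructed field: why extra authentication is needed
        }
        self.pending[trans_id] = areq
        return areq

    def handle_rreq(self, rreq):
        """Acknowledge an RReq only for a transaction this server opened."""
        trans_id = rreq.get("threeDSServerTransID")
        if trans_id not in self.pending:
            return None  # unknown or already settled: do not acknowledge
        self.pending.pop(trans_id)
        return {"messageType": "RRes", "threeDSServerTransID": trans_id,
                "resultsStatus": "01"}  # 01 = results received


class ACS:
    """Issuer side: accepts or declines decoupled auth, waits for the cardholder."""

    def __init__(self, supports_decoupled, clock):
        self.supports_decoupled = supports_decoupled
        self.clock = clock  # injected so the example runs deterministically
        self.pending = {}

    def handle_areq(self, areq):
        trans_id = areq["threeDSServerTransID"]
        if not (self.supports_decoupled and areq.get("threeDSRequestorDecReqInd") == "Y"):
            # Assumption: an ACS without decoupled support falls back to an
            # in-session challenge (transStatus C).
            return {"messageType": "ARes", "threeDSServerTransID": trans_id,
                    "transStatus": "C"}
        deadline = self.clock + timedelta(minutes=areq["threeDSRequestorDecMaxTime"])
        # The push notification carries everything the cardholder needs to decide.
        self.pending[trans_id] = PendingAuth(trans_id, deadline, {
            "merchant": areq["merchantName"], "amount": areq["purchaseAmount"],
            "currency": areq["purchaseCurrency"], "reason": areq["reason"],
            "expires": deadline.isoformat()})
        return {"messageType": "ARes", "threeDSServerTransID": trans_id,
                "transStatus": "D"}  # D = decoupled authentication confirmed

    def push_payload(self, trans_id):
        return self.pending[trans_id].context

    def cardholder_responds(self, trans_id, approved, at):
        """Turn the cardholder's out-of-band answer into an RReq; late answers fail."""
        auth = self.pending.pop(trans_id)
        status = "Y" if approved and at <= auth.deadline else "N"
        return {"messageType": "RReq", "threeDSServerTransID": trans_id,
                "transStatus": status}


def run_flow(supports_decoupled, approved, respond_after_minutes,
             dec_max_minutes=MAX_DEC_MINUTES):
    """Drive one transaction end to end; returns (ARes, RReq, RRes) statuses."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    server, acs = ThreeDSServer(), ACS(supports_decoupled, t0)
    areq = server.build_areq("Example Subscriptions Ltd", "4999", "978",
                             "Recurring payment, amount changed", dec_max_minutes)
    ares = acs.handle_areq(areq)
    if ares["transStatus"] != "D":
        return ares["transStatus"], None, None
    rreq = acs.cardholder_responds(areq["threeDSServerTransID"], approved,
                                   t0 + timedelta(minutes=respond_after_minutes))
    rres = server.handle_rreq(rreq)
    return ares["transStatus"], rreq["transStatus"], rres["resultsStatus"]


if __name__ == "__main__":
    print(run_flow(True, True, 60))                   # ('D', 'Y', '01')
    print(run_flow(True, True, MAX_DEC_MINUTES + 1))  # ('D', 'N', '01')
    print(run_flow(False, True, 0))                   # ('C', None, None)
```

The clock is passed into the ACS rather than read from the system so that the expiry branch can be exercised without waiting a week; in a real deployment the deadline would be persisted with the pending transaction and enforced when the banking app's answer arrives.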

Use Cases

If the Issuing Bank wants to authenticate its cardholder outside of the standard 3D Secure flow, it can use decoupled authentication.

Use cases are the following:

  • Scenarios in which SCA is mandatory because the cardholder is off-session; e.g., subscriptions, recurring payments for variable amounts, or cases where the authorization amount exceeds the authenticated amount and the difference must be authorized separately.
  • For Mail Order/Telephone Order (MOTO) transactions.


To find out more about the Trides2 portfolio, contact us or visit our blog section.
