Issuer 3-Domain Secure (3DS) Card Authentication
    • 10 Apr 2024

    Overview

    What is 3DS authentication?

    3DS authentication is a security protocol backed by the major payment card schemes that adds a layer of security for online/e-commerce card transactions, protecting against fraudulent actors.
    Merchants can initiate 3DS authentication, essentially a challenge for cardholders, at checkout. Issuers that support 3DS, i.e. are able to receive the challenge, may have different methods for handling the challenge, for example:

    • Always challenge cardholder
    • Only challenge cardholder for high-risk transactions - low-risk transactions are auto-approved (Risk-Based-Authentication (RBA))
    • Always auto-approve

    The authentication/verification method can also take on different forms, for example:

    • Cardholder is required to authenticate in-app or using biometric (advanced authentication)
    • A One-Time Passcode (OTP) is sent to the cardholder’s email or phone number on file (this is the most common method)
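
A sketch of how an issuer-side service could issue and check the OTP used in the challenge described above. This is an added example, not Synctera's or the card networks' code; the class name, the six-digit length, the five-minute lifetime and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed passcode length
OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed limit on submissions per challenge


class OtpChallenge:
    """One OTP challenge bound to one 3DS authentication (hypothetical model)."""

    def __init__(self, transaction_id, now=None):
        self.transaction_id = transaction_id
        self.issued_at = time.time() if now is None else now
        self.attempts_left = MAX_ATTEMPTS
        self.used = False
        self._salt = secrets.token_bytes(16)
        self._digest = b""

    def _hash(self, code):
        # Bind the code to the transaction so it cannot verify a different one.
        msg = self.transaction_id.encode() + b":" + code.encode()
        return hmac.new(self._salt, msg, hashlib.sha256).digest()

    def issue(self):
        """Return the code to send by SMS; only its keyed hash is retained."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._digest = self._hash(code)
        return code

    def verify(self, submitted, now=None):
        """Return 'approved', 'rejected', 'expired' or 'locked'."""
        now = time.time() if now is None else now
        if self.used or self.attempts_left <= 0:
            return "locked"      # single use, and no guessing past the limit
        if now - self.issued_at > OTP_TTL_SECONDS:
            return "expired"
        self.attempts_left -= 1
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(self._hash(submitted), self._digest):
            self.used = True
            return "approved"
        return "locked" if self.attempts_left == 0 else "rejected"
```

The attempt limit is what keeps a six-digit code from being guessed, and the single-use flag stops a code that was already accepted from being replayed.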

    3DS 2.0 versus 3DS 1.0

    As of October 2022, the networks only support 3DS version 2.0 (3DS2).

    • 3DS2 supports mobile in-app and connected devices, whereas 3DS1 was created for computers and would often result in consumers abandoning the payment flow due to lengthy and complicated checkout processes
    • 3DS2 provides richer data to enable robust RBA decisions - RBA means a better user experience, with fewer transactions requiring 3DS authentication

    What are the benefits of 3DS authentication?

    3DS adoption is becoming the industry standard in the US and Canada, with more than 85% of issuers participating in 3DS, and over 5% of e-commerce volume flowing through 3DS.

    The main issuer benefits to using 3DS include:

    • Reduced fraud risk, and fewer fraud-related chargebacks
      => reduced cost
    • Improved transaction acceptance / approval rate (fewer declines)
      => increased revenue and improved customer experience

    The main merchant benefits to using 3DS include:

    • Liability shift, which applies to payments that are successfully authenticated using 3DS (or an equivalent cryptogram such as Apple Pay or Google Pay). These transactions are not eligible for a chargeback, i.e. if a cardholder disputes a 3DS payment as fraudulent, the liability shifts automatically to the card issuer.

    Implementation details

    1. All card programs will automatically be enrolled for 3DS

    2. FinTechs can select between the following 3DS options, and should contact their Synctera implementation representative for configuring the selected option:
      a. Card product - SMS_OTP: This is the default option set on the card product. When a 3DS challenge is received, the cardholder receives an SMS message with a one-time passcode (OTP) at their phone number on file, which they must then supply to the merchant to verify their identity.

      b. Card product - EXEMPT: If this option is set on the card product, all 3DS challenges that are received are automatically approved
      c. 3DS decision gateway - card product override: FinTechs can override the card product's 3DS policy by implementing a decision gateway

    3. There is a fee per 3DS challenge/option that is billed to the FinTech monthly - FinTechs can inquire about the fees with their Synctera implementation representative

    4. 3DS evidence/visibility:

      • Transaction API:
        • When applicable, 3DS authentication results are shown under user_data.threeDsData
      • Synctera Console (UI):
        • Currently only available through JSON - TBA as separate UI tab in Q2 2024
      • Synctera Insights:
        • TBA to transaction detail views in Q2 2024
