The latest upgrade of the 3D Secure 2 protocol includes multiple new features, one of them being Decoupled Authentication, an authentication method that allows cardholder authentication to be performed separately from the payment workflow/process and without customer interacting with the online merchant. Authentication responsibility is shifted to the Issuing Bank, enabling cardholder authentication to be executed even though the cardholder is offline.
Standard 3D Secure authentication, whether browser or in-app, is showcased in real-time, meaning that the authentication is being performed during the payment process. The challenge screen is displayed to the cardholder while the checkout is taking place, giving them a predefined timeframe to complete the given challenge.
Alternatively, decoupled customer authentication is performed without interacting with the online merchant's webshop or app. This type of authentication verifies the transaction by using a different channel (e.g., push notification, email). A timeframe in which decoupled authentication may take place is set by the merchant, in a timespan varying from just a few days up to a week.
Decoupled Authentication is introduced in 3D Secure protocol version 2.2 and is a natural progression from Out-of-Band Authentication (OOB). With OOB, the Issuer sends a Push Notification to a mobile or banking application, which prompts the cardholder user to complete the authentication process. Decoupled Authentication allows the cardholder several days to complete the authentication process. It is ideal when the cardholder is not immediately available for authentication, but authentication is required. Therefore, decoupled authentication is a type of Merchant-Initiated Transaction (MIT), and it is applicable to all device channels: browser, app, and 3RI.
Decoupled authentication flow enables customer authorization at a time different from when the transaction took place and on a different device (e.g., smartphone, desktop, tablet).
The standard decoupled authentication method applies the following flow:
For the authentication process to run smoothly, it is vital that the cardholder is provided with all necessary data elements such as merchant name, incremental transaction amount, reasons for additional authentication, making the user experience as seamless as possible.
If the Issuing Bank wants to authenticate their cardholder outside of the standard 3D Secure authentication flow, decoupled authentication may be applied.
Use cases are the following: