

March 10, 2021

Decoupled Authentication Explained

Merchant Initiated Transactions (MIT), or the so-called 3RI (3D Secure Initiated Transactions), were not in the scope of PSD2 and SCA requirements. However, such transactions can also be a source of fraud if left unauthenticated. Before Decoupled Authentication, issuers could only accept these transactions without authentication or decline them. With Decoupled Authentication supported in the 3D Secure protocol, buyers can authenticate transactions that were initiated while they were offline. Let's see how it works!

3D Secure 2 & Decoupled Authentication

The latest upgrade of the 3D Secure 2 protocol includes multiple new features, one of them being Decoupled Authentication, an authentication method that allows cardholder authentication to be performed separately from the payment workflow/process and without the customer interacting with the online merchant. Authentication responsibility is shifted to the Issuing Bank, so cardholder authentication can be completed even when the cardholder is offline at the time of the transaction.

Decoupled Authentication Flow

Standard 3D Secure authentication, whether browser or in-app, takes place in real time, meaning that the authentication is performed during the payment process. The challenge screen is displayed to the cardholder while the checkout is taking place, giving them a predefined timeframe to complete the given challenge.

Alternatively, decoupled customer authentication is performed without interacting with the online merchant's webshop or app. This type of authentication verifies the transaction by using a different channel (e.g., push notification, email). A timeframe in which decoupled authentication may take place is set by the merchant, in a timespan varying from just a few days up to a week.

Decoupled Authentication was introduced in 3D Secure protocol version 2.2 and is a natural progression from Out-of-Band Authentication (OOB). With OOB, the Issuer sends a Push Notification to a mobile or banking application, which prompts the cardholder to complete the authentication process. Decoupled Authentication allows the cardholder several days to complete the authentication process. It is ideal when the cardholder is not immediately available for authentication, but authentication is required. Therefore, decoupled authentication is a type of Merchant-Initiated Transaction (MIT), and it is applicable to all device channels: browser, app, and 3RI.

Decoupled authentication flow enables customer authorization at a time different from when the transaction took place and on a different device (e.g., smartphone, desktop, tablet).

The standard decoupled authentication method applies the following flow:

  • The merchant sends an Authentication Request message (AReq message) and waits until it is notified that the authentication has been completed (this can last from several days up to a week).
  • The Issuer confirms whether it supports decoupled authentication, and in that case, the cardholder authenticates outside of the 3DS challenge flow.
  • After authentication, the Issuer sends the results back through the RReq (Results Request) message.
  • The Merchant sends confirmation through the Result Response message (RRes message).
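The flow above from the requestor's side, as an added example (not code from Asseco or from the 3D Secure specification): it binds each RReq to a pending AReq, accepts one result per transaction, and rejects results that arrive after the requested window. The field names and values (`threeDSRequestorDecReqInd`, `threeDSRequestorDecMaxTime`, `acsDecConInd`, `transStatus` "D"/"Y", `deviceChannel` "03", `resultsStatus`) come from the EMV 3-D Secure 2.2 message specification rather than this article; the class name, decision strings and the late-result policy are hypothetical.

```python
from datetime import timedelta

MAX_DEC_MINUTES = 10080  # one week: upper bound for threeDSRequestorDecMaxTime


class DecoupledAuthTracker:
    """Requestor-side state for decoupled authentications awaiting an RReq."""

    def __init__(self):
        self.pending = {}  # threeDSServerTransID -> deadline for the RReq

    def build_areq(self, trans_id, max_minutes):
        """Decoupled-related AReq fields only; a real AReq carries many more."""
        if not 1 <= max_minutes <= MAX_DEC_MINUTES:
            raise ValueError("wait time must be 1..10080 minutes")
        return {"messageType": "AReq", "threeDSServerTransID": trans_id,
                "deviceChannel": "03",  # 3RI
                "threeDSRequestorDecReqInd": "Y",
                "threeDSRequestorDecMaxTime": f"{max_minutes:05d}"}

    def on_ares(self, areq, ares, now):
        """Start waiting only if the ACS confirmed it will run decoupled auth."""
        trans_id = areq["threeDSServerTransID"]
        if ares.get("threeDSServerTransID") != trans_id:
            return "mismatch"
        if ares.get("transStatus") != "D" or ares.get("acsDecConInd") != "Y":
            return "not_decoupled"
        wait = timedelta(minutes=int(areq["threeDSRequestorDecMaxTime"]))
        self.pending[trans_id] = now + wait
        return "pending"

    def on_rreq(self, rreq, now):
        """Check an RReq against pending state; return (decision, RRes or None)."""
        trans_id = rreq.get("threeDSServerTransID")
        deadline = self.pending.pop(trans_id, None)  # one result per AReq
        if deadline is None:
            return "unknown_or_replayed", None  # no RRes for unknown IDs
        rres = {"messageType": "RRes", "threeDSServerTransID": trans_id,
                "resultsStatus": "01"}  # results received
        if now > deadline:
            return "expired", rres  # assumed policy: late results do not count
        if rreq.get("transStatus") == "Y":
            return "authenticated", rres
        return "not_authenticated", rres
```

Because the wait spans days, the pending table would need to live in durable storage in practice; the in-memory dict here only keeps the example short.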

For the authentication process to run smoothly, it is vital that the cardholder is provided with all necessary data elements, such as the merchant name, the incremental transaction amount, and the reasons for additional authentication, so that the user experience is as seamless as possible.

Use Cases

If the Issuing Bank wants to authenticate their cardholder outside of the standard 3D Secure authentication flow, decoupled authentication may be applied.

Use cases are the following:

  • Scenarios in which SCA is required because the cardholder is off-session (e.g., subscriptions, recurring payments for variable amounts, authorization amount is above authentication amount, and authorization for the difference in value is required).
  • For Mail Order/Telephone Order (MOTO) transactions.

For more information, contact our team at [email protected] to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.

© Asseco South Eastern Europe 2018. All rights reserved