Decoupled Authentication Explained

Merchant Initiated Transactions (MIT), or the so-called 3RI (3D Secure Initiated Transactions), are not in the scope of PSD2. However, such transactions could also be the source of potential fraud if left unauthenticated. Until Decoupled Authentication, issuers were only able to accept mentioned types of transactions without authentication or decline. Decoupled Authentication enables buyers to authenticate transactions at a time when they were offline. Let's see how it works!

3D Secure 2 & Decoupled Authentication

The latest upgrade of the 3D Secure 2 protocol includes multiple new features, one of them being Decoupled Authentication; an authentication method that allows cardholder authentication to be separate from the payment workflow/process and without customer interacting with the online merchant. Authentication responsibility shifts to the Issuing Bank, enabling cardholder authentication execution even though the cardholder is offline.

Decoupled Authentication Flow

Standard 3D Secure authentication, whether browser or in-app, is showcased in real-time, meaning that the authentication is being performed during the payment process. The challenge screen is displayed to the cardholder while the checkout is taking place. It gives them a predefined timeframe to complete the given challenge.

Alternatively, decoupled customer authentication is performed without interacting with the online merchant's webshop or app. This type of authentication verifies the transaction by using a different channel (e.g., push notification, email). The merchant sets a timeframe in which decoupled authentication takes place. The timespan varies from just a few days up to a week.

Decoupled Authentication is available in 3D Secure protocol version 2.2. It is a natural progression from Out-of-Band Authentication (OOB).  With OOB, the Issuer sends a Push Notification to a banking application, which prompts the cardholder to complete the authentication. It allows the cardholder several days to complete the authentication process. It is ideal when the cardholder is not immediately available for authentication, but authentication is mandatory. Therefore, decoupled authentication is a type of Merchant-Initiated Transaction (MIT), and it is applicable to all device channels: browser, app, and 3RI.

Authentication flow

DA enables authorization at a time different from when the transaction took place, on a different device (smartphone, tablet).

The standard decoupled authentication method applies the following flow:

• The merchant sends an Authentication Request message (AReq message) and waits for a notification that the authentication has is complete (it can last from several days up to a week).
• Issuer confirms if they support decoupled authentication. If that's the case, the cardholder authenticates himself outside of the 3DS challenge flow.
• After authentication, the Issuer sends the results back through the RReq (Results Request) message.
• The Merchant sends confirmation through the Result Response message (RRes message).

For the authentication process to run smoothly, it is vital that the cardholder is provided with all necessary data elements. Those elements involve merchant name, incremental transaction amount, reasons for additional authentication, making the user experience as seamless as possible.

Use Cases

If the Issuing Bank wants to authenticate its cardholder outside of the standard 3D Secure flow, it can use decoupled authentication.

Use cases are the following:

• Scenarios in which SCA  is mandatory because the cardholder is off-session; e.g., subscriptions, recurring payments for variable amounts, authorization amount is above authentication amount, and authorization for the difference in value is necessary.
• For Mail Order/Telephone Order (MOTO) transactions.

For more information, contact our team at [email protected] to get a free, zero-obligation consultation or try our DEMO to see 3D Secure in action.