3D Secure for online payments continues to gather momentum globally. However, for some industries, especially those that rely on recurring, subscription or instalment card-on-file transactions, real-time authentication requirements can be a significant drawback. Now, a new decoupled authentication option enables the same level of security as 3D Secure authentication, without requiring the user to be online at the time of the transaction.
Frustration of Multiple Authentication Steps
Many online customers remain frustrated by the online payment process. This is especially true if they experience multiple authentication steps and unexpected challenge redirections from the website or app interface. Striking a balance between security and user experience is vital in order to reduce the number of abandoned transactions.
“3D Secure has really beefed up our online security, but customers are still sensitive to the challenges sometimes required by fraud engines. This could be a result of the customer making a payment from a foreign country when travelling abroad, or when the person is not immediately available to authenticate the transaction in-session for recurring subscription payments. In order to process these payments, merchants are forced to opt for less secure options until now,” explains Elizabeth Graham, Product Manager Payments, at Entersekt.
EMVCo 2.2 has defined a new decoupled authentication channel, which aims to deliver the same security as 3D Secure, along with the benefits of liability shifts, without all the restrictions.
“In a normal 3D Secure authentication, if a challenge is required, it will always be performed as part of the payment process in the app or browser the customer is using at that time. Decoupled authentication, however, allows authentication without the customer being in-session at the time of payment. This means merchants can now request the security information needed from banks even when their customers are offline and away from their device,” Graham says.
Graham goes on to say that decoupled authentication also allows the merchant to set a time limit, giving the cardholder up to seven days to complete the authentication process. The authentication can also be done on a different device from the one on which they made the transaction.
Several Applications for Decoupled Authentication
There are many instances where decoupled authentication could deliver better security than is currently offered, with a better user experience, although it can still be used for immediate authentication as well.
Common scenarios include recurring card-on-file and instalment payments, which can sometimes attract a challenge. In these instances, a decoupled authentication request can be sent to the user even when they are not online at the time of the transaction, and they can authenticate at their convenience.
Recurring payments could be for fixed amounts, such as news sites and streaming subscriptions, or they could include variable amounts, as is the case with monthly mobile top-ups.
Decoupled Authentication to Avoid False Declines
“Some subscription-based services run their card on file payment transactions at odd times due to time zone differences, and the issuer could decline these because their risk tools might assume fraud since many of these transactions are currently taking place without 3DS.
“Now, if a merchant and issuer implement decoupled authentication, we could avoid these false declines, allowing the cardholder to approve the transaction when it suits them and within the period set by the subscription service,” Graham says.
Bypassing Complex SDK Integrations
Other recurring payments could include a mixture of fixed and variable amounts or even payments that have a fixed limit or threshold. Decoupled authentication allows merchants to bypass complex SDK integrations, while still enjoying a consistent end-to-end experience.
This option also allows them to avoid relying on issuers’ challenge screens, and will save them time and development costs. The user experience can also benefit from the technology, with the major card schemes noting that the challenge success rates are much lower with in-app authentication.