Introduction

EMV Three Domain Secure (3DS) is a messaging protocol developed by EMVCo to enable customer authentication during card-not-present (CNP) e-commerce purchases.

It is a fraud-prevention tool that adds a security layer to card-not-present (CNP) e-commerce purchases by authenticating the customer through an alternate channel and additional information. This information typically includes a one-time password (OTP), a biometric scan, or another authentication method.

The Payment Services Directive 2 (PSD2) Strong Customer Authentication (SCA) requirement has been in effect since 14th September 2019 and affects many European online payments. It requires customers to verify their purchase with two-factor authentication, such as 3DS.

3DS is optional in other regions but can still be used to reduce fraud.

3DS has evolved from the initial version, known as 3DS 1 (or 3DS version 1, 3DS protocol 1), to the latest 3DS 2 (or 3DS version 2, 3DS protocol 2).

It helps reduce the risk of fraud and gives both merchants and consumers increased confidence in the validity of online-initiated transactions.

It should be noted that when a potentially fraudulent transaction results in a chargeback, and the cardholder was successfully authenticated using 3DS, the liability for the chargeback shifts from the merchant to the card issuer.

Here's an overview of how it works:

  1. Initiation: When a cardholder makes a purchase from a participating online merchant, and the card they're using has been enrolled in 3DS, the transaction process automatically triggers the additional authentication process.
  2. Authentication: After initiating the transaction, the cardholder is redirected to their card issuer's website or app, where they are prompted to provide additional information to confirm their identity. This information typically includes a one-time password (OTP), a biometric scan, or other authentication methods.
  3. Authorisation: Once the cardholder's identity is successfully verified, the transaction is authorised, and the payment is processed as usual. If authentication fails, the transaction may be declined, or the cardholder may be prompted to try again or use an alternative payment method.


The communication protocol between components is based on request and response pairs, i.e. Authentication Request (AReq) and Authentication Response (ARes), Challenge Request (CReq) and Challenge Response (CRes), and Results Request (RReq) and Results Response (RRes).

What is important to understand is that the outcome of a successful 3DS flow is an Authentication Approval Value (AAV) for Mastercard or a Cardholder Authentication Verification Value (CAVV) for Visa. The AAV or CAVV is carried in the authorisation request, and the issuer uses it to prove that the transaction was successfully authenticated with 3DS.
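The following is an added example, not CLOWD9's or EMVCo's code, that simulates the message exchange above between the merchant-side 3DS Server, the scheme directory server and the issuer's ACS, and then shows how the resulting authentication value is consumed at authorisation time. Two things are assumptions: the AAV/CAVV is modelled as an HMAC over the transaction fields under an issuer-held key (real formats are scheme-defined and produced by the ACS), and the frictionless-versus-challenge decision is a constructed amount threshold. The cardholder challenge itself is a pluggable callable, since the later sections cover OTP and out-of-band delivery separately.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed issuer key; a real ACS keeps this material in an HSM.
ISSUER_KEY = b"constructed-issuer-key-for-demo"


@dataclass(frozen=True)
class Transaction:
    """Subset of AReq fields that the authentication value is bound to."""
    pan: str           # constructed sample card number
    amount: int        # minor units
    currency: str
    merchant: str
    ds_trans_id: str   # transaction id assigned by the directory server


def authentication_value(txn: Transaction, key: bytes = ISSUER_KEY) -> str:
    """Stand-in for the AAV/CAVV (assumption: real formats are scheme-defined).
    An HMAC over the transaction fields: unforgeable without the issuer key and
    tied to exactly one transaction."""
    msg = "|".join([txn.pan, str(txn.amount), txn.currency, txn.merchant, txn.ds_trans_id])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class ACS:
    """Issuer-side Access Control Server.

    `challenge` is the pluggable cardholder challenge (OTP, out-of-band app
    approval, ...); it returns True when the cardholder passed."""

    def __init__(self, challenge: Callable[[Transaction], bool], risk_threshold: int = 3000):
        self.challenge = challenge
        self.risk_threshold = risk_threshold      # constructed risk rule: amount only
        self.pending: Dict[str, Transaction] = {}

    def handle_areq(self, txn: Transaction) -> dict:
        if txn.amount < self.risk_threshold:
            # Frictionless: the ARes itself carries the final status and the value.
            return {"msg": "ARes", "transStatus": "Y", "authValue": authentication_value(txn)}
        self.pending[txn.ds_trans_id] = txn
        return {"msg": "ARes", "transStatus": "C"}   # challenge required

    def handle_creq(self, ds_trans_id: str) -> dict:
        """CReq/CRes round trip with the cardholder, then the RReq to the 3DS Server."""
        txn = self.pending.pop(ds_trans_id)
        if self.challenge(txn):
            return {"msg": "RReq", "transStatus": "Y", "authValue": authentication_value(txn)}
        return {"msg": "RReq", "transStatus": "N"}


class DirectoryServer:
    """Scheme directory server: routes the AReq to the ACS registered for the BIN."""

    def __init__(self) -> None:
        self.routes: Dict[str, ACS] = {}

    def register(self, bin_prefix: str, acs: ACS) -> None:
        self.routes[bin_prefix] = acs

    def lookup(self, pan: str) -> Optional[ACS]:
        return next((acs for prefix, acs in self.routes.items() if pan.startswith(prefix)), None)


def three_ds_server_flow(ds: DirectoryServer, txn: Transaction) -> Tuple[str, Optional[str]]:
    """Merchant-side 3DS Server: AReq -> ARes, optional CReq/RReq, final status and value."""
    acs = ds.lookup(txn.pan)
    if acs is None:
        return "U", None                            # BIN not enrolled: nothing to present
    ares = acs.handle_areq(txn)
    if ares["transStatus"] == "C":
        rreq = acs.handle_creq(txn.ds_trans_id)
        return rreq["transStatus"], rreq.get("authValue")
    return ares["transStatus"], ares.get("authValue")


def authorise(txn: Transaction, auth_value: Optional[str]) -> bool:
    """Issuer authorisation host: the AAV/CAVV is accepted only if it matches the
    value bound to these exact fields, so it cannot be reused for a different
    amount, merchant or transaction."""
    if auth_value is None:
        return False
    return hmac.compare_digest(auth_value, authentication_value(txn))


if __name__ == "__main__":
    ds = DirectoryServer()
    ds.register("411111", ACS(challenge=lambda txn: True))   # cardholder always passes
    low = Transaction("4111111111111111", 1500, "GBP", "Shop A", "ds-1")
    status, value = three_ds_server_flow(ds, low)
    print(status, authorise(low, value))
```

The point the last function makes is the one the paragraph above states: the authorisation host does not trust a bare "authenticated" flag from the merchant, it trusts a value that only the issuer side could have produced for this transaction.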

Access Control Server

CLOWD9 uses third-party providers as its 3DS Access Control Server (ACS).

Implementation

Before a card can be used for 3DS authentication, its BIN or sub-BIN needs to be configured at the scheme and at the ACS provider.

Configuration at the ACS provider involves setting up the 3DS authentication workflow and the URL that the ACS provider publishes for this sub-BIN. This is the URL that merchants render at the point of 3DS authentication.

Configuration at the scheme involves publishing the ACS provider's URL in the scheme's directory server. Merchants query this directory server to fetch the URL for cards that fall within the sub-BIN.

Some ACS implementations require each card to be enrolled individually; others support only BIN or BIN-range level enrolment.

One Time Password - delivery options

Client Delivered OTP

In this method the ACS generates the OTP and sends it to CLOWD9.

CLOWD9 forwards it to the client, and the client delivers the OTP to the end user.

When the end user enters the OTP on the 3DS authentication window, it is validated by the ACS.



CLOWD9 Delivered OTP

In this method the ACS generates the OTP and sends it to CLOWD9.

CLOWD9 uses TWILIO as its SMS gateway provider.

CLOWD9 sends it to the end user's mobile number using TWILIO.

When the end user enters the OTP on the 3DS authentication window, it is validated by the ACS.



Twilio Verify SMS OTP

A method of OTP delivery that may reduce cost by delivering the OTP via SMS to the end user's mobile device.

CLOWD9 uses TWILIO as its SMS gateway provider.

In this method:

  • The ACS asks CLOWD9 to generate and send the OTP to the end user.
  • CLOWD9 calls the TWILIO Verify SMS API with the end user's mobile number.
  • TWILIO generates the OTP and sends it to the end user's mobile number.
  • The end user enters the OTP on the 3DS authentication window.
  • The ACS sends the entered OTP to CLOWD9.
  • CLOWD9 calls the second step of the TWILIO Verify SMS API to validate the OTP.
  • CLOWD9 sends the OTP validation status to the ACS.
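The following is an added example, not CLOWD9's or Twilio's code, that models the two-step flow just listed: the ACS hands CLOWD9 a transaction id and a mobile number, CLOWD9 starts a verification at the gateway, and later forwards the code the user entered for checking. In a real integration the two gateway calls correspond to Twilio Verify's create-verification and check-verification steps; `MockVerifyGateway` below is an offline stand-in that only mirrors that two-step shape, and its expiry and attempt limits are constructed policy values, not Twilio's. The phone numbers and transaction ids are constructed.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

OTP_TTL_SECONDS = 600   # constructed policy; the real service applies its own limits
MAX_CHECKS = 5          # constructed policy: checks allowed before the code is burned


class MockVerifyGateway:
    """Offline stand-in for a two-step verify API: start a verification for a
    number, then check a code against it. Assumption: same shape as the real
    calls, but nothing here contacts Twilio."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 send_sms: Optional[Callable[[str, str], None]] = None):
        self.clock = clock
        self.send_sms = send_sms or (lambda to, body: None)   # the SMS channel
        self._active: Dict[str, dict] = {}                     # number -> state

    def start_verification(self, to: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"    # CSPRNG, 6 digits, never logged
        self._active[to] = {"code": code, "expires": self.clock() + OTP_TTL_SECONDS, "checks": 0}
        self.send_sms(to, f"Your verification code is {code}")
        return "pending"

    def check_verification(self, to: str, code: str) -> str:
        state = self._active.get(to)
        if state is None:
            return "not_found"
        if self.clock() > state["expires"]:
            del self._active[to]
            return "expired"
        state["checks"] += 1
        if state["checks"] > MAX_CHECKS:
            del self._active[to]                     # too many tries: burn the code
            return "max_attempts"
        if hmac.compare_digest(state["code"], code):
            del self._active[to]                     # single use
            return "approved"
        return "pending"                             # wrong code, verification still open


class OtpBroker:
    """CLOWD9-side handling of the ACS requests (added example, not CLOWD9's code).
    The mobile number is kept server-side keyed by the 3DS transaction id, so the
    ACS passes only the transaction id and the entered code."""

    def __init__(self, gateway: MockVerifyGateway):
        self.gateway = gateway
        self.mobile_by_txn: Dict[str, str] = {}

    def send_otp(self, ds_trans_id: str, mobile: str) -> str:
        """Steps 1-3: ACS asks CLOWD9, CLOWD9 calls the gateway, gateway sends the SMS."""
        self.mobile_by_txn[ds_trans_id] = mobile
        return self.gateway.start_verification(mobile)

    def validate_otp(self, ds_trans_id: str, entered: str) -> Tuple[bool, str]:
        """Steps 5-7: ACS forwards the entered code, CLOWD9 checks it, status goes back."""
        mobile = self.mobile_by_txn.get(ds_trans_id)
        if mobile is None:
            return False, "unknown_transaction"
        result = self.gateway.check_verification(mobile, entered)
        if result != "pending":
            del self.mobile_by_txn[ds_trans_id]      # final outcome: release the binding
        return result == "approved", result


if __name__ == "__main__":
    inbox: Dict[str, str] = {}                       # constructed: the user's phone
    broker = OtpBroker(MockVerifyGateway(send_sms=inbox.__setitem__))
    broker.send_otp("ds-1", "+440000000000")         # constructed number
    code = inbox["+440000000000"].split()[-1]
    print(broker.validate_otp("ds-1", code))
```

Three behaviours are worth keeping even in a mock: the code is compared in constant time, it is consumed on the first successful check so the same SMS cannot be replayed, and the transaction-to-number binding is dropped on any final outcome so a stale transaction id cannot be used to keep probing.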

Authentication Method - Delegated Out Of Band (OOB)

SMS delivery relies on the SMS gateway and the mobile operator to deliver the message. Although SMS is available on most mobile phones, it is not a 100% reliable or timely communication method.

Given the widespread use of smartphones, and that fintech customers typically originate from a mobile app, the mobile app itself can be used to perform 3DS authentication.

Financial services mobile apps typically require a higher level of security, such as biometric or passcode entry. Using the mobile app therefore gives a higher level of confidence that the intended end user is the one who initiated the transaction.

This method of authentication is called Out Of Band (OOB) authentication.

In this method:

  • The ACS asks CLOWD9 to perform OOB authentication.
  • CLOWD9 asks the client to perform OOB authentication.
  • The client sends an out-of-band notification to the end user's mobile app through its mobile app servicing layer, to trigger the authentication.
  • The end user authenticates themselves to log on to the mobile app.
  • The end user verifies the transaction details and authenticates the transaction by clicking a button on the screen.
  • The client's mobile app servicing layer receives this authentication.
  • The client confirms the authentication to CLOWD9.
  • CLOWD9 calls an API at the ACS to authenticate the transaction.