To minimize the fraud rate without hurting the conversion rate, the payment industry has developed an authentication standard called EMV 3DS, also known as 3DS 2.0. The new version analyzes dozens of variables that are used as criteria to determine whether a shopper is in fact the cardholder. In some cases this allows silent authentication of the cardholder (authentication without challenge), without harming the establishments’ Liability Shift.
Main Benefits:
Keywords: Credit and Debit Card Authentication, EMVCO, 3DS 2.0, Visa, Mastercard, E-commerce
Any business with an e-commerce site or an application can use the solution. It is particularly suitable for establishments in the high-risk segment.
The merchant must meet the following requirements for using 3DS 2.0:
To send transactions with a 3DS 2.0 authentication request, it is essential that, in addition to the acquirer, the issuer and the brand are ready with the solution. Among card brands, Visa, Mastercard and Elo currently support 3DS 2.0.
Visa and Mastercard have a Stand-In model for when the Issuer is not yet able to respond to an authentication request using EMV 3DS 2.0. In this scenario, the brand evaluates the submitted data, such as the customer's behavioral and transactional history, and classifies authentication requests as “Low Risk” or “Not Low Risk”. With this information, Issuers can be protected even without their own 3DS 2.0 solution, and will have greater confidence in authenticated transactions.
In Stand-In cases, authentication occurs silently (without challenge to the cardholder), and once the transaction has been authenticated, liability in case of fraud is held by the Issuer. The decision whether to authorize the transaction remains with the Issuer: even in transactions authenticated by the card brand, the Issuer can decline the transaction at the authorization stage.
Soon Amex will also be available.
The acquirers that operate 3DS 2.0 authentication with Braspag are Cielo, Rede, and Getnet.
Data Only is an optional merchant field that can be used exclusively for Mastercard cards. ECI will always be 4.
To use it, the bpmpi_auth_notifyonly field described in item Authentication Step - step 3 - Class Mapping must be parameterized. In the Data Only model, the additional 3DS 2.0 fields are mapped the same way and sent to Mastercard and the Issuing Banks, but no authentication is requested.
The benefit of using Data Only is to enrich the Issuing Banks' and Mastercard's databases, which will receive more information about the cardholders of each merchant. This field seeks to improve Issuers’ silent authentication and approval rating, given the current context in which the market is moving toward integration with the new 2.0 authentication protocol. In addition, since May 2019, Mastercard has charged the acquirer an additional fee per unauthenticated transaction, which may impact the price negotiated between the acquirer and the merchant. Data Only transactions are exempt from this fee.
Note that in this model, since there is no authentication by the Issuer, the risk of chargeback for fraud is held by the merchant.
The card authorization process authenticated via 3DS 2.0 takes place in two steps:
The flow below describes the high level steps:
The solution consists of the API access token request step. Click one of the options below to view the manual that best suits your needs:
After authentication is completed, the transaction goes through the authorization process, in which the authentication data is submitted in the “external authentication” node (ExternalAuthentication). See more details at: https://braspag.github.io//en/manualp/authorization-with-authentication