3DS Security
The Three-Domain Secure (3DS) security protocol, created and branded by Visa and Mastercard as Visa Secure and Mastercard SecureCode, respectively, further protects online payments by enabling cardholders to authenticate their purchases.
3DS authentication
3DS adds a layer of security, prior to authorization, to help authenticate online transactions by requiring customers to complete an additional verification with the card issuer. For example, when the merchant initiates 3DS at checkout, the cardholder needs to enter a one-time passcode received via email or Short Message Service (SMS) text to continue with their purchase. The one-time password (OTP) is a six-digit number.
3DS setup options supported by Nium
Nium supports the following forms of 3DS authentication setups:
| Options | Description |
|---|---|
| OTP | The OTP mode of authentication is used to verify users before completing a transaction or running a session in an app or website. |
| OTP plus knowledge-based authentication (KBA) | The OTP plus KBA mode of authentication is a two-factor authentication that combines one-time passwords and KBA for enhanced online card transaction security. |
| Out-of-band (OOB) authentication | The OOB mode of authentication is used for secure online card transactions using alternative communication channels. For example, a push notification with Approve or Decline. |
| OOB with fallback (OTP) | The OOB with fallback OTP authentication mode is used with the provision of one-time passwords in the event of a response timeout for secure online card transactions. |
| OOB with fallback (OTP and KBA) | The OOB authentication with fallback OTP and KBA mode is used with the provision of one-time passwords and KBA in the event of a response timeout for secure online card transactions. |
The OOB with fallback (OTP and KBA) and OTP plus KBA option are relevant in the European Economic Area (EEA) and the UK due to the Payment Service Directive (PSD2) Strong Customer Authentication (SCA) regulation which mandates the application of two of three factors of authentication.
In an OOB authentication, the channel that's used to authenticate a transaction is separate from the channel used by the cardholder to sign in or perform a transaction. OOB authentication is a type of two-factor authentication, such as Face ID, Touch ID, or something you have which is your mobile device, rather than multifactor authentication (MFA).
If the primary method of authentication is OOB, then it's required to have a fallback mechanism. If the cardholder doesn't have mobile data or Wi-Fi service to receive push notifications or is unable to authenticate themselves via the mobile app or biometrics, the system moves to the fallback option.
Depending on the region you're in, you can decide to go with either of these options:
| Region | Option 1 | Option 2 |
|---|---|---|
| Asia-Pacific (APAC) | OOB authentication with OTP as a fallback | OTP only |
| European Union and United Kingdom (EU/UK) | OOB authentication with OTP plus KBA as a fallback | OTP plus KBA |
For 3DS configuration, you can let Nium manage it entirely for you or you can choose to be consulted on every transaction on the type of authentication to be made. If you're in the EU and UK, you can further choose to let Nium manage and validate the KBA on your behalf or you can manage and validate it.
The table below details the above diagram's flow which explains the level of API integration needed for each type of authentication and the entity that performs it.
| Scenario | Managed by | API integration | Implement API |
|---|---|---|---|
| Consult on every transaction | Nium | No | - |
| Consult on every transaction | You | Yes | Check Authentication Method V2 |
| OTP authentication | Always Nium | Not applicable | - |
| OTP plus KBA authentication | Nium | Yes | |
| OTP plus KBA authentication | You | Yes | Passcode Validation V2 |
| OOB authentication | Always you | Yes |
Implementation details
You need to implement and provide Nium with a URL if you opt for: