What is 3DS?
Note: Highnote supports EMV 3-D Secure Specification v2.2.0 (3DS2).
3-D Secure (3DS) is an authentication technology designed to reduce payment fraud by verifying the identity of a cardholder before a purchase is made. The 3-D Secure protocol is managed and standardized by EMVCo, a consortium owned by the major card networks. Each network maintains its own 3DS platform instance based on the EMV specification.
How 3DS works
When a cardholder attempts to make a purchase, the merchant initiates 3DS authentication with the network. The network runs one of following authentication flows depending on the configuration of your card program: (1) frictionless, or (2) frictionless + challenge.
-
Frictionless: The network uses predefined risk rules (e.g., amount limit) to pass or fail a transaction. This is called risk-based authentication (RBA). For Highnote subscribers, the networks use risk rules defined by Highnote. This means that Highnote subscribers benefit from Highnote's robust risk models.
- Frictionless + Challenge: If one or more of the frictionless RBA rules fail, or doesn't reach the required risk model threshold, the network prompts the cardholder with a one-time password (OTP) by text or email.
By partnering with the networks, Highnote provides subscribers an enhanced 3DS authentication solution with the integration of our sophisticated risk models and secure risk rules.
3DS data on the Dashboard
The Highnote Dashboard’s Transactions Details page includes the 3DS verification information for all 3DS Verifications that resulted in step-up.
3DS data via the API
Highnote's GraphQL API provides 3DS verification data in the AuthorizationEvent and AuthorizationAndClearEvent objects via the AdditionalNetworkData field.
Transactions that go through a 3DS step-up challenge populate the following network-specific fields:
-
VisaData
VisaCavvResultCodeVisaThreeDSecureIndicator
-
MastercardData
MastercardAavResultCodeMastercardThreeDSecureCardholderAuthenticationMastercardUcafCollectionIndicator
3DS FAQ
What are the benefits of enrolling in Highnote's 3DS authentication program?
- Reduced risk (risk-based authentication prevents illegitimate transactions)
- Cost savings (reduced fraud losses and network fees)
- Better transaction data (enhanced information for fraud prevention and risk assessment)
- Authentication control (real-time decisioning based on transaction risk)
-
Cardholder confidence (stronger security with verification before authorization).
Is there a cost to enrolling in Highnote's 3DS authentication program?
Yes. Contact support@highnote.com for details of our program.
Can I disable 3DS authentication for my programs if necessary?
No. Highnote has no control over whether it receives 3DS verification attempts. Enrolling in Highnote's 3DS program reduces your level of risk, and in turn, your network costs.
Does the 3DS authentication request have a timeout?
Yes. The overall 3DS session (from the moment the merchant initiates 3DS) has a 10-minute timeout.
Does the 3DS OTP challenge flow have a timeout?
No. There is no timeout on the one-time password challenge flow to the cardholder.
Who gets the one-time password (OTP)?
The cardholder receives a one-time password by text or email from the network's 3DS platform. Once the cardholder verifies the purchase using the provided link, the transaction continues through the standard lifecycle of authorization and clearing.
Can the OTP be sent to an application like Google Authenticator?
No. Highnote supports text (SMS) and email OTP only.
What are the OTP challenge flow design options?
There are currently no OTP screen design options beyond the subscriber logo displayed.