3RI authentication is a form of credit card authentication that is used when the shopper is not in session, in other words when the shopper is not typing in the credit card details. It can be used to authenticate credit card payments for telephone or mail orders and for re-authenticating a subsequent payment (for example after a year of recurring payments).
The main purpose of 3RI is to provide authentication where it is otherwise not possible and to prevent applying strong customer authentication exemptions. Further, 3RI is only possible when 3DSv2 is available for the credit card and the issuer supports 3RI.
The block details for the start (recurring) payment have the following fields:
Field | Type | M | Description |
---|---|---|---|
three_ri_authentication | Block | O | The 3RI authentication details. |
+ authentication | Enum(32) | M | The requested authentication type. |
+ timeout | Block | M | The maximum time that the system waits before considering that the (decoupled) authentication did not occur. |
+ + unit | Enum(16) | M | The unit of the duration. Valid values are 'MINUTES', 'HOURS', or 'DAYS'. |
+ + duration | Number(1, 30240) | M | The length of the timeout. The minimum is 1 minute and the maximum is 7 days (in minutes). |
For the field authentication the following values are possible:
Authentication Value | Description |
---|---|
REQUIRED | Decoupled authentication will be performed. If the issuer does not support decoupled authentication, then the payment request fails. |
PREFERRED | Decoupled authentication will be performed if the issuer supports it, otherwise 3RI will be used. |
THREE_RI_ONLY | Decoupled authentication is not performed and only 3RI is performed. |
NO | Decoupled authentication and 3RI will not be performed. |
In all cases, except for the case NO, if the issuer does not support 3RI then the payment request fails.
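The field constraints and the authentication rules above can be checked on the merchant side before a request is sent. The following is an added example, not code from the payment provider: the dict layout of the block, the function names and the outcome labels (NONE, DECOUPLED, THREE_RI, FAILED) are assumptions made for illustration.

```python
# Added illustration, not the payment provider's code.
AUTH_VALUES = {"REQUIRED", "PREFERRED", "THREE_RI_ONLY", "NO"}
TIMEOUT_UNITS = {"MINUTES", "HOURS", "DAYS"}


def validate_block(block):
    """Return a list of problems in a three_ri_authentication block (dict form assumed)."""
    problems = []
    if block.get("authentication") not in AUTH_VALUES:
        problems.append("authentication: must be one of " + ", ".join(sorted(AUTH_VALUES)))
    timeout = block.get("timeout")
    if not isinstance(timeout, dict):
        return problems + ["timeout: mandatory block is missing"]
    if timeout.get("unit") not in TIMEOUT_UNITS:
        problems.append("timeout.unit: must be MINUTES, HOURS or DAYS")
    duration = timeout.get("duration")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(duration, bool) or not isinstance(duration, int) or not 1 <= duration <= 30240:
        problems.append("timeout.duration: must be a number in the range 1 to 30240")
    return problems


def expected_flow(authentication, issuer_3ri, issuer_decoupled):
    """Map the requested type and issuer capabilities to the documented outcome.

    Returns 'NONE', 'DECOUPLED', 'THREE_RI' or 'FAILED' (labels chosen for this example).
    """
    if authentication not in AUTH_VALUES:
        raise ValueError("unknown authentication value: %r" % (authentication,))
    if authentication == "NO":
        return "NONE"            # neither decoupled authentication nor 3RI
    if not issuer_3ri:
        return "FAILED"          # every value except NO needs issuer 3RI support
    if authentication == "THREE_RI_ONLY":
        return "THREE_RI"
    if issuer_decoupled:
        return "DECOUPLED"       # REQUIRED and PREFERRED both use it when available
    return "FAILED" if authentication == "REQUIRED" else "THREE_RI"


if __name__ == "__main__":
    # Constructed sample block; values are illustrative only.
    sample = {"authentication": "PREFERRED", "timeout": {"unit": "HOURS", "duration": 24}}
    print(validate_block(sample) or "block ok")
    for auth in sorted(AUTH_VALUES):
        for caps in [(True, True), (True, False), (False, False)]:
            print(auth, caps, "->", expected_flow(auth, *caps))
```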
Authentication Flows
With 3RI there are two possible authentication flows: one in which decoupled authentication is performed and another one without decoupled authentication.
Decoupled Authentication
The flow with decoupled authentication looks as follows:
The start (recurring) payment request response contains the value AUTHENTICATION_REQUESTED for the field status. A notification is sent as soon as the authentication has completed (or expired).
Implicit Authentication
The flow without decoupled authentication (immediate or implicit authentication) looks as follows: