About 3DS
Learn about how 3DS works, and how it is relevant to your card program.
Introduction
3DS is an authentication process that merchants can use to verify that a cardholder is who they say they are prior to sending a purchase authorization. If a merchant successfully runs 3DS on one of your cards, liability shifts to you as the issuer, and you forfeit the ability to dispute a transaction for fraud. Read this guide to learn how Lithic enables you to manage that liability shift and better manage fraud on your card program.
What is 3DS?

3-D Secure (3DS) is an authentication protocol that provides an additional security layer for e-commerce transactions. The protocol consists of three domains:
- The acquirer domain (3DS Server): The acquirer's system that merchants use to initiate the 3DS authentication flow
- The interoperability domain (Directory Server): The network's system that facilitates the movement of 3DS-related information between acquirer and issuer domains
- The issuer domain (Access Control Server): The issuer and its cardholders' systems that respond to 3DS authentication requests
3DS authentication is initiated by the merchant/acquirer to verify that the person making an e-commerce transaction is the authorized cardholder. The acquirer passes standardized information to the issuer, who responds with possible outcomes including authenticating the cardholder, declining authentication, or requiring further interaction before authentication can be completed.
Since the entire 3DS authentication runs before the purchase authorization is sent to the issuer for approval, it enables merchants to minimize fraud by ensuring cardholder identity before processing the authorization.
The usage of 3DS by merchants varies by region. In the US, merchant adoption of 3DS is optional. In certain jurisdictions such as the European Union where banks and payment service providers must meet Strong Customer Authentication (SCA) requirements, 3DS authentication occurs on nearly all online transactions.
Why 3DS Matters for Your Card Program
In a standard e-commerce transaction without 3DS authentication, issuers have the ability to file a dispute for fraud if the card was used by an unauthorized individual. However, if a 3DS authentication takes place and the issuer authenticates the cardholder, then liability shifts to the issuer, and they do not have the ability to file a dispute for fraud.
When a merchant initiates a 3DS authentication, the issuer is required to respond in some form and cannot opt out of participation. Since 3DS authentications can result in liability shifting from the merchant to the issuer for a given transaction, card programs should account for these outcomes when approving or declining the subsequent authorization.
Without one of Lithic's solutions in place, if a merchant requests 3DS authentication, the card network will stand in to make the decision. This removes any authority from your program to influence the outcome of the authentication while also preventing you from accessing the rich data associated with the 3DS authentication. Regardless of the 3DS implementation you choose, Lithic provides that rich data for every authentication—data that can be crucial for understanding and managing fraud risks.
3DS Implementation Options with Lithic
Lithic provides flexible 3DS implementation options to meet the operational and technical needs of your card program. You have two primary decisions to make: selecting your Decisioning Model and choosing your Challenge Orchestration Model.
Choosing Your Decisioning Model
Lithic supports two distinct decisioning models to accommodate your organization's technical infrastructure, operational goals, and preferred level of involvement in the authentication process.
Lithic Decisioning
Lithic handles all 3DS authentication decisions using our built-in, risk-based fraud engine. When Lithic receives a 3DS authentication request for a card within your program, our system evaluates the transaction against various risk signals and responds automatically on your behalf. Your system does not need to handle any real-time authentication requests, simplifying operational requirements and infrastructure management.
This model reduces complexity by delegating fraud detection and decision-making to Lithic, ensuring consistent and timely responses without the need for additional customer-managed endpoints. It allows you to immediately benefit from our continuously evolving fraud detection methods and rich authentication data without investing in internal risk evaluation infrastructure.
Ideal for: Card programs looking for ease of implementation, minimal operational overhead, and the benefits of leveraging Lithic’s comprehensive fraud management capabilities.
Customer Decisioning
Customer Decisioning provides your organization with complete control over 3DS authentication decisions. Upon receiving a 3DS authentication request, Lithic forwards detailed transaction data directly to your organization's endpoint. Your system then evaluates the risk associated with the transaction in real-time, making a decision to approve, decline, or potentially challenge the authentication request.
Customer Decisioning enables your organization to fully integrate your own advanced risk management rules and proprietary data-driven decision models into the authentication process. However, this model requires that your organization maintain highly available and highly responsive decisioning endpoints. Customer Decisioning endpoints must respond to incoming 3DS authentication requests within one second.
Ideal for: Card programs that have robust internal risk management expertise and wish to exercise granular control over authentication decisions by deploying and maintaining high-performance technical infrastructure.
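The one-second SLA is the operational constraint that makes or breaks Customer Decisioning, so the example below (added here; it is not Lithic's code and does not use Lithic's request or response format) shows a responder that runs its own risk evaluation under a hard deadline and returns a safe fallback decision when evaluation runs long. The request fields (`amount`, `new_device`), the decision strings, the thresholds and the `slow_evaluator` test hook are assumptions constructed for illustration.

```python
"""Added example, not Lithic's code: a Customer Decisioning responder that keeps
its own risk evaluation inside a budget below the one-second SLA and returns a
safe fallback when evaluation runs long. The request fields, the decision
strings and the thresholds are assumptions for illustration, not Lithic's API."""
import concurrent.futures
import time

SLA_SECONDS = 1.0
BUDGET_SECONDS = 0.5             # assumed: headroom for network and serialization
FALLBACK_DECISION = "CHALLENGE"  # assumed: decision used when evaluation times out


def evaluate_risk(auth_request: dict) -> str:
    """Stand-in risk evaluation over the merchant-provided 3DS data.
    Constructed rules: amount in minor units plus a new-device flag."""
    amount = auth_request.get("amount", 0)
    new_device = auth_request.get("new_device", False)
    if amount >= 100_000:
        return "DECLINE"
    if amount >= 20_000 or new_device:
        return "CHALLENGE"
    return "APPROVE"


def slow_evaluator(delay_seconds: float):
    """Constructed evaluator that simulates a slow model or a hung dependency."""
    def evaluate(auth_request: dict) -> str:
        time.sleep(delay_seconds)
        return evaluate_risk(auth_request)
    return evaluate


def respond(auth_request: dict, evaluator=evaluate_risk) -> dict:
    """Run the evaluator with a hard deadline; never block past the budget."""
    started = time.monotonic()
    pool = concurrent.futures.ThreadPoolExecutor(max_workers=1)
    future = pool.submit(evaluator, auth_request)
    try:
        decision = future.result(timeout=BUDGET_SECONDS)
        timed_out = False
    except concurrent.futures.TimeoutError:
        decision = FALLBACK_DECISION
        timed_out = True
    finally:
        # Do not wait for a runaway evaluation: meeting the SLA matters more
        # than finishing the work, and the fallback is logged for review.
        pool.shutdown(wait=False)
    elapsed = time.monotonic() - started
    return {
        "decision": decision,
        "timed_out": timed_out,
        "elapsed_seconds": elapsed,
        "within_sla": elapsed < SLA_SECONDS,
    }


if __name__ == "__main__":
    print(respond({"amount": 5_000, "new_device": False}))
    print(respond({"amount": 5_000}, evaluator=slow_evaluator(2.0)))
```

The fallback is a design choice: timing out into a challenge rather than an approve means a slow dependency costs the cardholder a second step instead of silently accepting liability for a transaction nobody scored. Count the `timed_out` responses; a rising rate is the earliest sign that the decisioning endpoint is about to miss the SLA outright.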
Choosing Your Challenge Orchestration Model
After selecting your decisioning model, you must choose your preferred approach to managing and delivering authentication challenges. Lithic offers three distinct options:
Frictionless (No Challenges)
In this option, no authentication challenges are issued to the cardholder. From the merchant-provided 3DS data, transactions are approved or declined purely based on an automated evaluation of risk—either by Lithic’s decisioning engine or your organization's authentication logic. This approach ensures rapid transaction processing with the lowest possible friction, relying solely on the accuracy of the chosen decisioning model.
Ideal for: Card programs prioritizing speed of the authentication processes, minimal cardholder friction, and streamlined transaction handling, potentially at the expense of decision quality for authentications that fall into a grey area of risk.
Lithic Orchestrated Challenges
With Lithic Orchestrated Challenges, Lithic fully manages the entire authentication challenge lifecycle. When transactions are identified as moderate-risk but potentially legitimate, Lithic initiates a challenge flow by sending a one-time passcode (OTP) via SMS directly to the cardholder. Lithic then handles the receipt and verification of the cardholder’s response to the challenge via the Challenge UI.
This model simplifies the operational complexity for your organization by delegating the challenge process to Lithic. It helps maintain an optimal balance between fraud prevention and legitimate transaction approvals, ensuring that genuinely risky transactions undergo verification without unnecessarily declining potentially legitimate ones.
Customers using this orchestration method must ensure that Lithic has every cardholder's most up-to-date contact information on file. This means that customers should perform a one-time audit of cardholder phone numbers (updating any out-of-date records) and integrate with Lithic's Update cardholder endpoint so that Lithic is updated whenever a cardholder changes their phone number in the future.
Ideal for: Card programs seeking reduced operational complexity while maintaining the added benefit of more nuanced fraud detection through a managed challenge process.
Customer Orchestrated Challenges
With Customer Orchestrated Challenges, your organization maintains full control over the challenge process, including managing how challenges are delivered (via methods such as SMS, email, push notifications, or in-app verifications), handling cardholder responses, and updating Lithic with the ultimate result of the challenge. Your infrastructure must be capable of reliably managing this process end-to-end.
This model allows your organization significant flexibility and customization. You can tailor the challenge experience entirely, from the methods and timing of delivery to specific branding, messaging, and user experience elements.
Ideal for: Card programs that desire maximum control and customization over challenge orchestration at the expense of maintaining significant challenge infrastructure.
Summary Comparison of Decisioning and Orchestration Models
| | Frictionless Authentication | Lithic Challenge Orchestration | Customer Challenge Orchestration |
|---|---|---|---|
| Lithic Decisioning | • Simplest implementation: no integration work is required from the customer • Zero-friction experience for cardholders: authentications are decided immediately • Lithic handles all decisioning with a proven fraud model • Declined transactions may prevent cardholders from completing a purchase without an override | • Simplest implementation: no responder must be built or maintained by the customer • Lithic handles all decisioning with a proven fraud model • Legitimate cardholders may override authentication declines by entering an SMS one-time passcode • Customer must ensure that cardholder phone numbers on file with Lithic stay up to date | • Lithic handles all decisioning with a proven fraud model • Enhanced security via alternate challenge methods like push notifications or in-app biometric verification • Requires development of challenge delivery infrastructure and timely responses to Lithic with challenge results |
| Customer Decisioning | • Zero-friction experience for cardholders: authentications are decided immediately • Customer retains full control over authentication decisions • Customer must build and maintain a decisioning endpoint with a 1-second SLA • Declined transactions may prevent cardholders from completing a purchase without an override | • Customer retains full control over authentication decisions • Delivery of SMS OTP challenges is handled by Lithic • Customer does not need to build challenge infrastructure • Customer must build and maintain a decisioning endpoint with a 1-second SLA | • Customer retains complete control over both authentication decisioning and challenge delivery • Enhanced security via alternate challenge methods like push notifications or in-app biometric verification • Customer can build seamless integration with their existing app ecosystem • Most complex implementation |
Implementation Steps
- BIN configuration update
  - The card network routes messages between the acquirer domain and Lithic during a 3DS authentication. Your Lithic Customer Success Manager will work with you to ensure that the correct network configuration is set up so that the network knows to route your card program's 3DS authentications to Lithic.
- (Customer Decisioning only) Set up and test your 3DS decisioning responder
  - If you are participating in the real-time decisioning flow, you will need to set up and test your responder to ensure you are ready to ingest the `three_ds_authentication` request and respond appropriately. This can be done through a dedicated set of endpoints, and we encourage you to test the flow in Sandbox before attempting to respond to requests in Production.
- Subscribe to 3DS authentication events via the Events API
  - To find out about authentications taking place on your cards in real time, subscribe to the `three_ds_authentication.created` event type via the Events API.
- (Challenges only) Design your customer interaction
  - During a challenge, your cardholder will be shown a UI in their checkout flow prompting them to complete a secondary verification. With Lithic challenges, you can design the look and feel of the challenge UI to match your brand's identity by customizing the colors, logos, and copy. For Lithic-orchestrated challenges, you will additionally need to define the copy of the SMS message sent to your cardholder containing their OTP. Your Lithic Customer Success Manager will work with you to ensure that your design preferences are implemented correctly.
3DS and Authorization Decisioning
Since the 3DS authentication process runs before authorizations, you can take advantage of the data contained in these webhooks to improve your authorization decisioning logic. To get the most out of 3DS, we strongly recommend that card programs incorporate the outcome of 3DS authentications into their authorization decisioning.
When a 3DS authentication takes place, the `cardholder_authentication` object in the ASA request contains data indicating the outcome of the 3DS authentication. Refer to this documentation for the latest information. A few key fields to note:
- `liability_shift`: Indicates whether chargeback liability shift to the issuer applies to the transaction; in other words, whether the issuer forfeits the ability to dispute the transaction for fraud if it approves the authorization
- `authentication_result`: Indicates what the outcome of the 3DS authentication process is
- `decision_made_by`: Indicates which party made the 3DS authentication decision
- `three_ds_authentication_token`: Unique identifier you can use to match a given 3DS authentication (available via the `three_ds_authentication.created` event webhook) and the subsequent authorization
Remember: even if 3DS authentication has taken place and liability has shifted, you still have the ability to decline the authorization via ASA to protect your card program in the case of suspected fraud.
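The two pieces above fit together: the `three_ds_authentication.created` webhook from the Implementation Steps tells you an authentication happened, and the `cardholder_authentication` object on the later ASA request tells you how it ended. The example below (added here; it is not Lithic's code) records incoming events by token and then lets an authorization decision read `liability_shift`, `authentication_result`, `decision_made_by` and `three_ds_authentication_token` alongside your own fraud score. Only those field names and the event type come from this page; the event wrapper (`event_type`, `payload`, `payload.token`), the decision strings and the score thresholds are assumptions constructed for illustration.

```python
"""Added example, not Lithic's code: a webhook consumer that records
three_ds_authentication.created events by token, and an ASA decision function
that reads the cardholder_authentication object on the later authorization.
Only the field names quoted on the page are real; the payload layout, the event
wrapper and the decision values are assumptions for illustration."""
from typing import Dict, List

# Keyed by three_ds_authentication_token. Assumed: production uses a datastore
# with a TTL, because the authorization can arrive well after the webhook.
AUTHENTICATIONS: Dict[str, dict] = {}

HARD_DECLINE_SCORE = 90  # constructed: your own fraud engine's "decline regardless" line
REVIEW_SCORE = 60        # constructed: ordinary decline line when you keep dispute rights


def on_event(event: dict) -> bool:
    """Handle one Events API delivery. Returns True when the event was stored."""
    if event.get("event_type") != "three_ds_authentication.created":
        return False
    payload = event.get("payload", {})
    token = payload.get("token")  # assumed field name for the authentication token
    if not token:
        return False
    AUTHENTICATIONS[token] = payload
    return True


def decide_authorization(asa_request: dict, fraud_score: int) -> dict:
    """Return {"result": ..., "reasons": [...]} for an ASA request.
    fraud_score is your own 0-100 score for the authorization."""
    reasons: List[str] = []
    ca = asa_request.get("cardholder_authentication")
    if ca is None:
        # No 3DS ran: the issuer keeps its fraud-dispute rights, so apply the
        # ordinary threshold.
        reasons.append("no_3ds")
        result = "DECLINED" if fraud_score >= REVIEW_SCORE else "APPROVED"
        return {"result": result, "reasons": reasons}

    token = ca.get("three_ds_authentication_token")
    if token in AUTHENTICATIONS:
        reasons.append("3ds_matched:" + str(token))
    else:
        # Missing or delayed webhook; decide from the ASA data but flag it.
        reasons.append("3ds_event_not_found")
    reasons.append("authentication_result=" + str(ca.get("authentication_result")))
    reasons.append("decision_made_by=" + str(ca.get("decision_made_by")))

    if ca.get("liability_shift"):
        # Approving forfeits the fraud dispute, so your own strong signals
        # still win: liability shift is not a reason to approve blindly.
        if fraud_score >= HARD_DECLINE_SCORE:
            reasons.append("liability_shift_but_high_risk")
            return {"result": "DECLINED", "reasons": reasons}
        reasons.append("liability_shift_applies")
        return {"result": "APPROVED", "reasons": reasons}

    # 3DS ran but liability did not shift: treat like a non-3DS authorization.
    reasons.append("no_liability_shift")
    result = "DECLINED" if fraud_score >= REVIEW_SCORE else "APPROVED"
    return {"result": result, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample webhook and ASA request.
    on_event({"event_type": "three_ds_authentication.created",
              "payload": {"token": "3ds_example_token", "card_token": "card_example"}})
    sample_asa = {"cardholder_authentication": {
        "three_ds_authentication_token": "3ds_example_token",
        "liability_shift": True,
        "authentication_result": "example_result",
        "decision_made_by": "example_party"}}
    print(decide_authorization(sample_asa, fraud_score=70))
```

The `reasons` list is the part to keep in production: storing why each authorization with liability shift was approved or declined is what lets you later reconcile fraud losses against 3DS outcomes and tune the thresholds. A `3ds_event_not_found` reason on a request that claims a token is also a useful monitoring signal for webhook delivery gaps.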
Getting Started
To enable 3DS for your card program, contact your Implementation Manager (for implementing programs) or your Customer Success Manager (for live programs). They'll work with you to ensure the correct network configuration is set up to route your 3DS authentications to Lithic.