Challenge Flow - Lithic Decisioning
Learn about how you can expand your Lithic Decisioning 3DS authentication flow to include challenges.
Overview
Lithic Decisioning with Challenge Flows enhances standard Lithic 3DS Decisioning by introducing a verification step for transactions that fall into a gray area of risk. Rather than automatically declining suspicious—but potentially legitimate—authentications, Lithic prompts the cardholder to complete a one-time passcode (OTP) challenge via SMS. This ensures that only the true cardholder can approve higher-risk transactions, increasing genuine approvals while reducing fraud.
How It Works
When a cardholder is challenged as part of a 3DS authentication, this is the user journey that they will experience:
- Transaction Attempt: The cardholder initiates an online (eCommerce) transaction at the merchant's checkout.
- Risk Assessment: Lithic evaluates the authentication request using its 3DS decisioning model.
- Challenge Initiation: If the transaction is flagged as risky (but not clearly fraudulent), Lithic triggers the 3DS Challenge Flow. Instead of a decline, the transaction is paused and a secure Challenge UI is displayed to the cardholder in the checkout flow.
- OTP Delivery: Lithic sends a one-time, 6-digit passcode to the cardholder's phone number on file. This code is unique to the transaction and expires after a short time (configurable, usually 10 minutes).
- Cardholder Verification:
  - Successful Verification: If the correct OTP is entered, authentication is approved, and the transaction can proceed.
  - Incorrect/No Response: If the OTP is incorrect or not entered before expiration, authentication is declined, preventing a liability shift on potentially fraudulent activity.
- Transaction Completion: Upon successful verification, the cardholder is informed that the transaction can continue. The merchant will unpause the flow and complete the existing checkout, and the legitimate transaction is captured without excessive friction.
Note: In most cases, a merchant will choose to forgo an authorization attempt after a failed authentication. In some cases, however, a merchant may choose to proceed with the authorization even after a failed authentication. In these cases, the authorization is NOT granted a liability shift and you (the issuer) retain the chargeback rights to the transaction. You can still choose to decline these authorizations via ASA, as discussed in the Data Visibility section.
Implementation Requirements
Accurate Cardholder Contact Information
Maintaining valid and up-to-date phone numbers is essential, as OTPs are delivered via SMS. Before enabling Challenge Flow, we recommend:
- Auditing your records to ensure phone numbers are current and correctly updated for Lithic account holders
- Using Lithic's update account holder endpoint to keep contact details current on an ongoing basis
- Implementing processes to regularly verify and update cardholder contact information
Accurate cardholder contact information is absolutely essential for challenges to deliver expected outcomes.
User Interface and SMS Customization
Card programs control the templates for the SMS copy and the Challenge UI shown to the cardholder during checkout, so that the user experience matches the card program's brand identity:
- Challenge UI: There is a moderate degree of customizability regarding the copy, information, and style of the Challenge UI that you may configure. Display your brand's logo, colors, and text that matches your brand's voice, while adhering to the information architecture prescribed by the 3DS standard.
  This is an example of a 3DS Challenge UI that could be shown to a cardholder.
- SMS Template: The message copy delivered to cardholders is fully customizable by you; however, the copy must fit within the single SMS character limit of 160 characters. Here is an example of a message you may configure:
"[Brand] Your verification code is xxxxxx. Do not share it with anyone! We will never call to ask for it. If you didn’t request it, freeze your card immediately."
Implementation Process
- BIN Configuration: Ensure that your card program's BINs are properly configured to route 3DS authentication requests to Lithic. Your Implementation Manager or Customer Success Manager will assist with this setup.
- Templates Setup: Work with Lithic to customize the SMS message template and challenge UI according to your brand guidelines.
- Configuration Through Lithic: Lithic will handle all setup tasks related to enabling Challenge Flow. We'll configure OTP distribution and the user interface—no additional development or maintenance is required on your end.
- Testing: Before full deployment, run test transactions to verify the challenge flow functions correctly.
- Event Subscription: Subscribe to 3DS authentication events via the Events API to receive real-time notifications when challenges are issued and completed.
Data Visibility
As with all Lithic 3DS products, the full set of rich 3DS authentication data is available to you via webhooks. In addition, programs utilizing challenge flows receive additional data regarding the issuance and outcomes of 3DS challenges. This data can be particularly useful during the authorization flow in the event that a merchant proceeds with authorization despite a failed 3DS authentication.
Transactions where the purchaser was presented a challenge flow, but failed to authenticate themselves as the true cardholder, may pose a larger risk of fraudulent activity than other similar transactions. You can identify these transactions by referring to the cardholder_authentication object in the ASA request. Such transactions will have an authentication_method value of CHALLENGE and an authentication_result value of DECLINE.
While nothing can be done to prevent merchants from attempting an authorization after a failed authentication, Lithic 3DS gives you the visibility to decline these transactions at your discretion when they do occur.
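The check described above, as an added example that is not Lithic's code: a decision helper that flags ASA requests carrying a failed 3DS challenge and treats a missing or malformed cardholder_authentication object as "no 3DS data". The field names and the CHALLENGE / DECLINE values come from this page; the outcome labels, the "DECLINE"/"CONTINUE" return values, the decline_failed_challenge switch and the sample payloads are assumptions made for illustration.

```python
# Added example, not Lithic code. Field names and the CHALLENGE / DECLINE
# values come from this page; everything else is constructed for illustration.
from enum import Enum


class ThreeDSOutcome(Enum):
    FAILED_CHALLENGE = "failed_challenge"  # challenged, cardholder not verified
    OTHER = "other"                        # 3DS data present, not a failed challenge
    NO_3DS_DATA = "no_3ds_data"            # object absent, null or malformed


def classify_3ds(asa_request: dict) -> ThreeDSOutcome:
    """Classify an ASA request by its cardholder_authentication object."""
    auth = asa_request.get("cardholder_authentication")
    if not isinstance(auth, dict):
        return ThreeDSOutcome.NO_3DS_DATA
    if (auth.get("authentication_method") == "CHALLENGE"
            and auth.get("authentication_result") == "DECLINE"):
        return ThreeDSOutcome.FAILED_CHALLENGE
    return ThreeDSOutcome.OTHER


def decide(asa_request: dict, decline_failed_challenge: bool = True) -> str:
    """Return "DECLINE", or "CONTINUE" to fall through to your other rules."""
    outcome = classify_3ds(asa_request)
    if outcome is ThreeDSOutcome.FAILED_CHALLENGE and decline_failed_challenge:
        return "DECLINE"
    return "CONTINUE"


# Constructed ASA request fragments; PLACEHOLDER_* values are not real enum values.
SAMPLES = {
    "failed_challenge": {"cardholder_authentication": {
        "authentication_method": "CHALLENGE", "authentication_result": "DECLINE"}},
    "challenge_other_result": {"cardholder_authentication": {
        "authentication_method": "CHALLENGE",
        "authentication_result": "PLACEHOLDER_OTHER_RESULT"}},
    "no_challenge_declined": {"cardholder_authentication": {
        "authentication_method": "PLACEHOLDER_OTHER_METHOD",
        "authentication_result": "DECLINE"}},
    "null_object": {"cardholder_authentication": None},
    "no_3ds_fields": {},
}


def run_samples() -> dict:
    """Apply the default policy to every constructed sample."""
    return {name: decide(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:24} {decision}")
```

Mapping "DECLINE" to the actual ASA response body is left to your integration, and "CONTINUE" means only that this one rule did not fire.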
Getting Started
To enable Challenge Flows for 3DS Lithic Decisioning, contact your Implementation Manager (for implementing programs) or your Customer Success Manager (for live programs). They will guide you through the setup process and ensure your card program is properly configured.