Biometric Authentication

Biometric authentication is a form of cardholder verification that uses customer biometric data, such as a fingerprint scan or face recognition, obtained from the cardholder’s mobile device. Your customer application must manage the biometric verification and return a response to Thredd.

Biometric authentication is considered a type of two-factor authentication, since it requires a secondary verification method through a separate communication channel to that in which the primary verification takes place. This secondary verification is obtained via Biometric data. It is also considered a form of Strong Customer Authentication (SCA), which is a requirement of the Second Payment Services Directive (PSD2).

The figure below provides an overview of the cardholder authentication process during a transaction, using Biometric authentication.

Figure: Biometric Authentication Call Flow

  1. The cardholder uses their card at a merchant website.

  2. If the merchant is enrolled in 3D Secure, they send a request for authentication to the Card Scheme (Mastercard/Visa).

  3. The Card Scheme looks up the 3D Secure service provider and sends the authentication request to the Access Control Server (ACS), a system used to manage the 3D Secure authentication service for the issuer. During an authentication session, the ACS communicates with the Card Scheme and Thredd systems, and may also interact with the cardholder by providing Challenge screens.

  4. The ACS checks to confirm the card BIN range is enabled for 3D Secure. Based on the rules you set up for your card program, the outcome is Success, Fail/Reject or Challenge, with the next steps as described in the following table:

     Outcome        | What happens next?
     ---------------|-------------------
     Success        | An approval response is returned to the merchant. The merchant can continue with the authorisation request (the stage where a merchant requests approval for a card payment by sending a request to the card issuer to check that the card is valid and that the requested authorisation amount is available on the card; at this stage the funds are not deducted from the card).
     Fail or Reject | An authentication failure or reject response is returned to the merchant. They can decide whether to continue to request transaction authorisation or ask the cardholder to provide an alternative payment method.
     Challenge      | 3D Secure authentication is required, and Challenge screens are shown to the cardholder.

  5. The ACS connects to Thredd in real-time to query the types of authentication the card is registered for (e.g., Biometric).

  6. Thredd replies to the ACS (Apata) with Biometric as the type of authentication (based on what you registered the card for using the API and on the default types set up for your cards).

  7. The ACS calls Thredd to start Biometric or Out of Band authentication.

  8. Thredd sends a message to your 3D Secure service endpoint, to start authenticating using Biometrics.

  9. The ACS shows the Biometric screens to the cardholder. This informs the cardholder that they will need to authenticate using your smart device app.

  10. You connect to your cardholder via your Biometric or In-App customer smart device application.

  11. The cardholder authenticates using your smart device app (e.g., by scanning their fingerprint or face using their smart device).

  12. When the authentication session is complete, you must return the result of the Biometric authentication to Thredd using the validation API.

  13. Thredd waits for your validate response and sends the results back to the ACS.

  14. The ACS returns the results to the merchant.
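As an added illustration of steps 8 to 12 (not Thredd's code or API), the snippet below sketches the issuer-side session handling: each start message from Thredd is recorded, the app receives a one-time nonce bound to that session, and a result is accepted only once, only for a known session, and only within a time limit, so that a stale or replayed app response cannot be turned into a validate response. The message field names (`sessionId`, `cardToken`), the time limit and the response shape are assumptions for the example.

```python
# Added illustration of the issuer-side session handling for steps 8-12 above.
# Message shapes, field names and the TTL are assumptions for this example;
# they are not Thredd's validate API.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

SESSION_TTL_SECONDS = 300  # assumed limit on how long the cardholder may take


@dataclass
class AuthSession:
    session_id: str            # reference from Thredd's start message (assumed name)
    card_token: str
    created_at: float
    state: str = "PENDING"     # PENDING -> COMPLETED (a result is sent exactly once)
    result: Optional[str] = None  # "SUCCESS" or "FAIL" once completed


class BiometricAuthService:
    """Tracks pending 3D Secure biometric sessions on the issuer side."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions: Dict[str, AuthSession] = {}
        self._app_nonces: Dict[str, str] = {}  # one-time nonce -> session_id

    def on_thredd_start(self, msg: dict) -> str:
        """Step 8: record the session; return the nonce pushed to the app."""
        s = AuthSession(msg["sessionId"], msg["cardToken"], self._now())
        self._sessions[s.session_id] = s
        nonce = secrets.token_urlsafe(16)  # unguessable, used exactly once
        self._app_nonces[nonce] = s.session_id
        return nonce

    def on_app_result(self, nonce: str, authenticated: bool) -> dict:
        """Steps 11-12: bind the app's result to its session and build the
        validate response. Unknown or reused nonces are rejected outright;
        a late result is reported as FAIL rather than SUCCESS."""
        session_id = self._app_nonces.pop(nonce, None)  # single use
        if session_id is None:
            return {"accepted": False, "reason": "unknown_or_replayed_nonce"}
        s = self._sessions[session_id]
        s.state = "COMPLETED"
        if self._now() - s.created_at > SESSION_TTL_SECONDS:
            s.result = "FAIL"
            return {"accepted": True, "sessionId": session_id,
                    "result": "FAIL", "reason": "expired"}
        s.result = "SUCCESS" if authenticated else "FAIL"
        return {"accepted": True, "sessionId": session_id, "result": s.result}
```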

What happens after authentication?

Once the cardholder is authenticated, the merchant can proceed to request authorisation for the transaction. (The merchant's acquirer includes the 3D Secure value received from Cardinal in the transaction, in the UCAF field.)

Thredd validates the 3DS key for a Mastercard transaction (for Visa, Visa generates the key and validates it).

Depending on your External Host Interface (EHI) mode, Thredd either approves or declines the transaction itself, or sends it to your EHI endpoint for you to approve or decline.

You can view details of your 3D Secure transactions in the 3D Secure Portal.

For more information, refer to the 3D Secure Guide (Apata) or 3D Secure Guide (Cardinal).