3D Secure
EMV 3DS 2.x, PCI-3DS certified.
Reduce friction without compromising authentication. Risk-based decisions, device fingerprinting, frictionless and challenge flows.
Capabilities
- ACS (Access Control Server) and 3DS Server in a single deployment
- Risk-based authentication with merchant-tunable rules
- Frictionless flow for low-risk authentications
- OOB (Out-of-Band) and challenge flows where required
- Browser and mobile SDK integrations
- Detailed authentication analytics in Merchant Portal
Run a 3DS authentication
# Start a frictionless / challenge authentication
curl -X POST https://api.coshine.com/v1/3ds/authentications \
-H "Authorization: Bearer $COSHINE_TOKEN" \
-H "Idempotency-Key: $(uuidgen)" \
-H "Content-Type: application/json" \
-d '{
"card": { "token": "tk_9p3a..." },
"amount": { "value": 12500, "currency": "SGD" },
"merchant_id": "merch_sg_001",
"browser_data": { "user_agent": "...", "accept_header": "...", "color_depth": 24 },
"purchase_intent": "ecom"
}'
# 200 OK — frictionless
{
"id": "tds_8h2k3l",
"status": "AUTHENTICATED",
"decision": "FRICTIONLESS",
"eci": "05",
"cavv": "...",
"ds_trans_id": "...",
"issuer": { "risk_score": 0.12, "policy_version": "2.3.1" },
"processing_ms": 142
}
Decision matrix
| Risk score band | Cardholder context | Method | Outcome |
|---|---|---|---|
| 0.00 – 0.30 (low) | Recognized device, prior frictionless history | Skip challenge | Frictionless · ECI 05 · liability shift |
| 0.30 – 0.60 (medium) | Recognized device, low-value transaction | Skip challenge with attempt | Frictionless · ECI 06 · liability shift on Visa |
| 0.60 – 0.85 (elevated) | Unrecognized device, novel merchant | Challenge (OTP / OOB / SDK) | Challenge required · liability shift on success |
| 0.85 – 1.00 (high) | Velocity or geo anomalies, mismatch indicators | Reject before challenge | Authentication rejected · merchant can fall back |
| Issuer policy override | Issuer rules force step-up | Challenge | Per issuer policy |
Performance
| Metric | Typical |
|---|---|
| Frictionless rate | 70% – 85% of authentications (issuer-mix dependent) |
| Authentication success rate | ≥ 95% across recognized devices |
| End-to-end auth latency (p95) | < 400 ms including issuer ACS roundtrip |
| 3DS Server availability | 99.99% monthly |
| Challenge methods supported | OTP (SMS / email) · OOB (banking app) · biometric SDK |
| Falsely declined rate | Tracked per-merchant; reviewed monthly with risk team |
Frequently asked
EMV 3DS 2.x vs 3DS 1 — what changes for me?
Three things: (1) richer browser + device data lets the issuer make a frictionless decision more often, lifting conversion; (2) liability shift extends to a wider set of EMV 3DS flows; (3) the cardholder experience moves from a redirect page to an in-app or in-browser challenge only when needed. Migration off 3DS 1 is effectively mandatory in most markets now.
Who decides frictionless vs challenge?
The issuer's ACS makes the final call, informed by the data the merchant sends and the issuer's policy. Coshine operates the ACS on behalf of issuers; we expose policy levers (risk score, velocity, device trust) that the issuer's risk team tunes. Merchants influence frictionless probability via the quality of the data they send.
What challenge methods are supported?
OTP delivered via SMS or email, OOB challenge via a banking app push, and biometric / SDK challenges via the issuer's mobile app. The supported set per issuer depends on what the bank has wired into the ACS — most modern deployments support all three.
When does liability shift apply?
On successful frictionless or challenge authentication with the appropriate ECI value (05 for Visa, 02 for Mastercard, etc.), fraud chargeback liability shifts from merchant to issuer for the in-scope reason codes. Attempt-only flows have partial shift on Visa; failed authentications do not shift. The specifics vary by scheme and region — confirm in scoping.
How do we handle soft-decline retry?
When an issuer soft-declines for SCA reasons (Visa reason 1A01, Mastercard 65), the gateway can automatically retry through a 3DS authentication and re-authorize. Hard declines never retry. Soft-decline-to-3DS flow is a configurable merchant policy.
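A merchant-side sketch of the two answers above (liability shift and soft-decline retry), added here as an example and not Coshine's own code. The function names, the scheme strings, the `had_3ds` guard and the requirement that `cavv` and `ds_trans_id` both be present are assumptions; the ECI values, reason codes and response fields are the ones given on this page.

```python
# Added example; function and parameter names are hypothetical, not Coshine's API.
FULL_AUTH_ECI = {"visa": "05", "mastercard": "02"}   # from the liability-shift answer
ATTEMPT_ECI = {"visa": "06"}                         # attempt-only: partial shift on Visa
SOFT_DECLINE = {"visa": "1A01", "mastercard": "65"}  # SCA soft-decline reason codes


def liability_shift(resp: dict, scheme: str) -> str:
    """Return 'full', 'partial' or 'none' for a 3DS authentication response."""
    eci = resp.get("eci")
    # Assumption: the authorization needs both values as proof of authentication,
    # so a response missing either is treated as carrying no shift.
    has_proof = bool(resp.get("cavv")) and bool(resp.get("ds_trans_id"))
    if not has_proof or eci is None:
        return "none"
    if resp.get("status") == "AUTHENTICATED" and eci == FULL_AUTH_ECI.get(scheme):
        return "full"
    # The page does not show the status of an attempt-only response, so this
    # branch keys on the ECI alone (assumption).
    if eci == ATTEMPT_ECI.get(scheme):
        return "partial"
    return "none"  # failed authentication, or an ECI that belongs to another scheme


def should_retry_via_3ds(scheme: str, reason_code: str,
                         had_3ds: bool, policy_enabled: bool = True) -> bool:
    """Soft-decline-to-3DS policy: retry only SCA soft declines, and only once."""
    if not policy_enabled or had_3ds:
        return False  # had_3ds guard (assumption) stops a retry loop
    return reason_code == SOFT_DECLINE.get(scheme)


# Constructed sample shaped like the page's frictionless response.
SAMPLE = {"id": "tds_example", "status": "AUTHENTICATED", "decision": "FRICTIONLESS",
          "eci": "05", "cavv": "CONSTRUCTED_CAVV", "ds_trans_id": "constructed-ds-id"}

if __name__ == "__main__":
    print(liability_shift(SAMPLE, "visa"))
    print(liability_shift(SAMPLE, "mastercard"))
    print(should_retry_via_3ds("visa", "1A01", had_3ds=False))
    print(should_retry_via_3ds("mastercard", "XX", had_3ds=False))  # "XX" is a constructed code
```

Checking the ECI against the card scheme matters because the same value means different things per scheme: an ECI of 05 on a Mastercard transaction is not the value this page ties to a shift.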
Compliance
Coshine is certified for PCI 3DS in addition to PCI DSS Level 1 and PCI PIN. Certificates available under NDA via the Trust Center.
