Data Only Authentication Guide

On this page:

This guide explains how to use Ravelin’s 3DS Server to perform a Data only 3D Secure authentication. This enables a frictionless authentication with no cardholder challenge, however this means there is no liability shift as a result.

When to use Data Only

Your risk and compliance posture allows Data Only as defined by your card scheme’s product in the markets where you operate.
You want a frictionless path while giving the issuer extra data to limit false declines.
You are comfortable accepting the liability of the authentication as there is NO liability shift from Merchant to Issuer.
You have confirmed with your acquirer and scheme how liability, chargebacks, and SCA / regulatory treatment apply to your Data Only traffic.

Schemes’ Data Only products

Mastercard and Visa have products which support Data Only authentication.

At present other schemes do not offer comparable Data Only products. Therefore attempts on other schemes will fail or be downgraded; consider using fallback behaviour for other schemes.

Mastercard Identity Check Insights (IDCI)

Identity Check Insights is one of Mastercard’s Data Only products, it provides risk assessment on behalf of the Issuers. Mastercard steps in on the authentication and performs the risk assessment themselves. This is instead of the Authenticate Request being passed onto the Issuer’s ACS to make the decison.

It is initiated by sending an Authenticate Request with messageCategory set to 80.

Mastercard IDCI Data Only Flow Diagram

As the Authenticate Request never reaches the Issuer the Method Request is not necessary as the request never reaches the Issuer’s ACS.

sequenceDiagram participant FRONTEND as Client Front-End participant BACKEND as Client Back-End participant 3DS_SERVER as Ravelin 3D Secure participant DS as Mastercard DS FRONTEND ->> BACKEND: PAN & Browser Info BACKEND ->> 3DS_SERVER: Version Request 3DS_SERVER ->> BACKEND: Version Response BACKEND ->> FRONTEND: Method Details FRONTEND ->> BACKEND: Start Authentication BACKEND ->> 3DS_SERVER: Authenticate Request 3DS_SERVER ->> DS: Authenticate Request DS ->> 3DS_SERVER: Authenticate Response 3DS_SERVER ->> BACKEND: Authenticate Response

Mastercard / Visa (Data Only)

The Mastercard and Visa Data Only products use the more traditional information only Authenticate Requests with threeDSRequestorChallengeInd set to 06.

The Data Only Authenticate Request still reaches the Issuer’s ACS so a Method Request can improve chances of a successful authorisation. For 3RI authentications the Method Request is not possible.

sequenceDiagram participant FRONTEND as Client Front-End participant BACKEND as Client Back-End participant 3DS_SERVER as Ravelin 3D Secure participant DS as Scheme DS participant ACS as Issuer ACS FRONTEND ->> BACKEND: PAN & Browser Info BACKEND ->> 3DS_SERVER: Version Request 3DS_SERVER ->> BACKEND: Version Response BACKEND ->> FRONTEND: Method Details FRONTEND ->> ACS: Method Request ACS ->> FRONTEND: Collect browser info (Managed by ACS in iframe) FRONTEND ->> BACKEND: Method Notification (Initiated by ACS from iframe) BACKEND ->> FRONTEND: Method Notification Response FRONTEND ->> BACKEND: Start Authentication BACKEND ->> 3DS_SERVER: Authenticate Request 3DS_SERVER ->> DS: Authenticate Request DS ->> ACS: Authenticate Request ACS ->> DS: Authenticate Response: DS ->> 3DS_SERVER: Authenticate Response 3DS_SERVER ->> BACKEND: Authenticate Response

Authenticate Request

Prepare an Authenticate Request with the fields your scheme and acquirer require. See our 3D Secure API reference for the full field list.

The table below summarises the different ways to invoke the schemes’ Data Only products.

	Mastercard (IDCI)	Mastercard (Data Only)	Visa (Data Only)
Authenticate Request signal	`messageCategory` `80`	`threeDSRequestorChallengeInd` — Requestor Challenge Indicator (RCI) `06` (no challenge requested / Data Only)	`threeDSRequestorChallengeInd` — Requestor Challenge Indicator (RCI) `06` (no challenge requested / Data Only)

Confirm details with Scheme specifications and your acquirer for full support.

Authenticate Response

The table below contrasts typical Authenticate Response fields for the three products.

	Mastercard (IDCI)	Mastercard (Data Only)	Visa (Data Only)
`transStatus`	`U` (Unavailable)	`I` (Informational Only)	`I` (Informational Only)
`eci`	`04`	`06`	`07`
`authenticationValue`	value beginning with `kX...`	value beginning with `kW...`	regular auth value
`transStatusReason`	`80` (Identity Check Insights used)	N/A	N/A

Continue to authorisation using the authenticationValue from the Authenticate Response.

Next steps

Test your Data Only integration with some of our test cards.

Test your 3DS integration with our test cards

Feedback

Was this page helpful?