Merchant Initiated Authentication (3RI) and 3DS

Today’s economy is increasingly driven by complex purchases: beyond the exchange of cash for an item in a retail store, we have become accustomed to making digital orders from e-commerce merchants, signing up for subscriptions instead of buying software outright, and taking advantage of generous return policies. Each of these call for merchants to be able to do more than simply swipe a card once and consider the transaction complete; rather, they must be able to both authorize a payment method up front, then return to it to process payments over time, often without the active involvement of the customer. This is where merchant-initiated authentication (also known as requester-initiated authentication), a part of 3D secure (3DS) 2.2 comes into play.

What is 3RI?

3RI is the process by which an authorized merchant can securely charge a customer’s credit card without the customer’s direct involvement. This allows merchants to process transactions when the customer is not present, and even allows them to reference prior transactions (for instance, to refer to a prior authorization in order to increase the likelihood of successful processing).

Where is 3RI Critical?

There are a range of situations in which 3RI is vital to the successful execution of a business model, including

• Subscription payments: when a customer signs up for a subscription with a periodic payment plan, the merchant must be able to process their payments without requiring the customer to actively return and give explicit permission on each and every occasion.
• Installment payments: merchant offering Buy Now Pay Later (BNPL) payment terms need to be able to collect subsequent payments after the initial authorization.
• Shipping multiple items: when a customer orders multiple items on a single order, but those items are to be shipped separately, the merchant needs the ability to charge separately for the items as they become available to send.
• Managing refunds: when a customer requests, and receives, a refund, they may be liable to return the refunded item. If that item is not received (or is not received in an acceptable state), the merchant needs to be able to reverse the refund.

Kinds of Businesses That Need 3RI Most

Clearly, not all businesses have strong needs for the ability to authorize future card-not-present transactions; this is particularly true for brick-and-mortar retailers, whose interactions with their customers tend to be immediate and transactional. For others, however, 3RI is key to sustaining an ongoing revenue stream. These include

• Agencies: when a business operates as the customer’s agent, as a travel agent for instance, they need the ability to pay for the various line items the customer agrees to (e.g. airline tickets, hotels, tours, etc.) without constantly returning to the customer for their approval for each transaction.
• E-commerce sites: customers frequently buy multiple items on a single order, and may very well use the refund services offered by the merchant. In addition, unlike brick-and-mortar businesses, e-commerce vendors generally offer to retain customer cardholder data in order to reduce future purchasing friction.
• Rental businesses: businesses providing products or services where the final amount due from the customer is unclear at the initial presentation of the credit card need to be able to settle up. This is especially true for businesses like car rental, hotels, and even restaurants, where the amount of a tip may need to be added to an additional authorization request.

How Does this Fit with 3DS?

3DS, or 3D Secure is an authentication protocol offered by the card networks to protect both customers and merchants from fraud. When properly executed, a full 3DS authentication can shift the liability for any payment fraud from the merchant back to the issuer, giving the merchant peace of mind that they will not suffer future loss of revenue or reputation in the event that a mistake is made. While there have been complaints about 3DS (it can on occasion add friction to deals, and even be confusing to customers when they have to confirm their identity a second time during a transaction), there is no denying the benefit to the merchant for successfully processed transactions when fraud liability is offloaded to the card network.