Authentication is the process of verifying the identity of the cardholder before a purchase is made. It helps to reduce identity fraud, and it is how acquiring banks in Indonesia determine which party is liable for a chargeback. Across Southeast Asia, authentication is commonly referred to as 3D Secure or 3DS, and it often requires the cardholder to enter a one-time password (OTP) that the issuing bank sends to their phone. Many issuing banks outside Southeast Asia also support authentication, but OTP is used less commonly in some regions, such as the US.
New Xendit accounts require 3DS by default, but this can be made optional upon request. If you would like the option to skip 3DS, please ask our customer support.
Some common authentication scenarios for consideration are:
|Scenario|Benefit|Drawback|
|---|---|---|
|Never authenticate|Offers the best user experience: the customer does not need to go through the extra authentication step.||
|Authenticate once for new cards|Helps to prevent unauthorized transactions, identity theft, and fraud (3DS).||
|Authenticate every transaction|Maximum liability protection for chargebacks (you should win any chargeback dispute and not have to refund customers who raise one).|Poor user experience|
|Rule-based authentication|Balance between chargeback liability protection and better user experience.||
This chart illustrates a typical authentication flow.
Are we obliged to activate 3DS for all transactions?
If using our MID >> you can request to make it optional and we will make a decision after a risk assessment. Your Xendit PIC can guide you through this.
If using your own MID >> Generally, if you sign a waiver accepting all chargeback risk, acquirers will make 3DS optional for you. If your chargeback rate rises above 1%, any acquirer will start asking questions and might withdraw your MID if the problem is not resolved.
Can we have flexible rules? e.g. 3DS only active for transactions > Rp 100rb
Of course! We give you full control over this.
Will the 3DS pop-up appear during token creation?
Multiple Charges >> No, tokenization & authentication are separate function calls in our JS/iOS/Android SDKs.
Single Charges >> Yes, if enabled for your account
Is 3DS required for each subsequent charge? If yes, can we skip it? What are the limitations to skipping 3DS?
You do not actually need authentication for any transaction unless the card itself requires it (Malaysian debit cards and some Indonesian ones, such as Mandiri, do). Refer to the table above to build your flow.
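The following is an added example, not Xendit's code or SDK: a small rule-based decision helper that encodes the four scenarios from the table above and the "3DS only above Rp 100rb" rule from the FAQ, then measures how each policy trades challenge friction against unauthenticated (merchant-liable) charges over a constructed batch. The `txn` and `policy` field names are assumptions for this example, not Xendit API parameters; how you set `cardRequiresAuthentication` (for example, for Malaysian debit cards) is up to your own card data.

```javascript
// Added example (not Xendit's code). Field names are assumptions for this example.

// The four scenarios from the table, plus the threshold from the FAQ.
const POLICIES = {
  never:    { mode: "never" },
  newCards: { mode: "new-cards" },
  always:   { mode: "always" },
  // Rule-based: authenticate new cards and any charge at or above Rp 100,000;
  // lower-value repeat charges on a stored card skip the 3DS challenge.
  rules:    { mode: "rules", amountThresholdIdr: 100000 },
};

// Returns { authenticate: boolean, reason: string } for one transaction.
// txn = { amountIdr, isNewCard, cardRequiresAuthentication }
function decideAuthentication(txn, policy) {
  // Cards that mandate 3DS (Malaysian debit, some Indonesian issuers) are
  // authenticated regardless of merchant policy.
  if (txn.cardRequiresAuthentication) {
    return { authenticate: true, reason: "card-required" };
  }
  switch (policy.mode) {
    case "never":
      return { authenticate: false, reason: "policy-never" };
    case "always":
      return { authenticate: true, reason: "policy-always" };
    case "new-cards":
      return txn.isNewCard
        ? { authenticate: true, reason: "new-card" }
        : { authenticate: false, reason: "stored-card" };
    case "rules":
      if (txn.isNewCard) return { authenticate: true, reason: "new-card" };
      if (txn.amountIdr >= policy.amountThresholdIdr) {
        return { authenticate: true, reason: "amount-threshold" };
      }
      return { authenticate: false, reason: "below-threshold" };
    default:
      throw new Error(`unknown policy mode: ${policy.mode}`);
  }
}

// Summarise a policy over a batch: charges that show the 3DS challenge
// (friction) versus charges left unauthenticated (merchant carries liability).
function evaluatePolicy(txns, policy) {
  let authenticated = 0;
  for (const txn of txns) {
    if (decideAuthentication(txn, policy).authenticate) authenticated += 1;
  }
  return {
    total: txns.length,
    authenticated,
    unauthenticated: txns.length - authenticated,
    challengeRate: txns.length ? authenticated / txns.length : 0,
  };
}

// Constructed sample batch (not real data).
const SAMPLE_TXNS = [
  { amountIdr: 50000,   isNewCard: true,  cardRequiresAuthentication: false },
  { amountIdr: 250000,  isNewCard: false, cardRequiresAuthentication: false },
  { amountIdr: 75000,   isNewCard: false, cardRequiresAuthentication: false },
  { amountIdr: 30000,   isNewCard: false, cardRequiresAuthentication: true  }, // e.g. Malaysian debit
  { amountIdr: 1200000, isNewCard: false, cardRequiresAuthentication: false },
];

for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, evaluatePolicy(SAMPLE_TXNS, policy));
}
```

On the sample batch, `never` still challenges one charge (the card that mandates 3DS), `always` challenges all five, `newCards` challenges two, and `rules` challenges four while letting the low-value stored-card charge through; the unauthenticated count for each policy is the number of charges on which you, rather than the issuer, would carry chargeback liability.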