3DS Server

A 3DS Server is a core EMV® 3-D Secure component used by acquirers, PSPs, and gateways to initiate and manage 3DS authentication flows between:

• Merchant / Payment Gateway
• Directory Server (DS)
• Access Control Server (ACS)
• Card Schemes

It handles authentication requests (AReq), responses (ARes), challenge flows (CReq/CRes), and final authentication results.

The 3DS Server is available in two modes:

License (On-Premise):

• Deployed in the client’s infrastructure
• Full operational control
• Dedicated certification
• Custom integrations

SaaS (Cloud-Hosted):

• Hosted and managed by the vendor
• Rapid onboarding
• Shared infrastructure (logically isolated)
• Lower operational overhead

Both models support the same EMV 3DS functionality.

The 3DS Server is suitable for:

• Acquiring banks
• Payment gateways
• PSPs
• Payment Facilitators
• Marketplaces
• Fintech platforms

It supports both domestic and cross-border e-commerce environments.

The server supports:

• 3DS 1.0.2 (where applicable)
• EMV 3DS 2.1
• EMV 3DS 2.2
• EMV 3DS 2.3.1

Including:

• Frictionless flows
• Challenge flows
• Decoupled authentication
• 3RI (3DS Requestor Initiated)
• Recurring and MIT transactions

Us-on-Us authentication refers to a scenario where:

• The acquirer and issuer belong to the same financial institution or group
• Authentication can be performed directly with the internal ACS
• The Directory Server step may be bypassed where permitted

This reduces latency and improves approval rates.

Yes. The system supports:

• Direct API integration with an internal ACS
• Conditional routing logic (DS vs direct ACS)
• Separate configuration for on-us and off-us transactions
• Dedicated authentication path for internal cards

This is particularly useful for large banks operating both acquiring and issuing businesses.

Routing decisions can be based on:

• BIN ranges
• Issuer identification
• Card portfolio ownership
• Configured issuer mappings
• Real-time routing rules

If a transaction qualifies as Us-on-Us, it can be routed directly to the internal ACS.

Yes. The 3DS Server can connect to:

• Visa Directory Server
• Mastercard Directory Server
• Other scheme Directory Servers
• Regional schemes

Each scheme can have independent configuration and certification, supporting multiple hosts and failover rules.

In License mode:

• The client completes scheme certification per deployment.

In SaaS mode:

• The platform is typically pre-certified, reducing integration time.

Certification scope depends on scheme requirements and deployment model.

Yes. The 3DS Server enables:

• Rich data submission (over 100+ data elements)
• Device information collection
• Risk-based authentication optimization
• Frictionless flow maximization
• Exemption flagging (TRA, low-value, etc.)

Risk signals can be enriched via gateway integration.

Yes. The 3DS Server can:

• Integrate directly with a payment gateway
• Operate as a standalone authentication layer
• Support REST APIs for transaction initiation
• Return authentication results for authorization submission

It can function as part of a full payment orchestration ecosystem.

The server supports:

• Browser-based challenges
• SDK-based mobile challenges
• Embedded challenge windows
• Decoupled authentication
• OOB authentication

It manages CReq/CRes messaging and session lifecycle.

Yes. The 3DS Server can:

• Flag low-value exemptions
• Indicate TRA exemptions
• Request SCA exemptions
• Process soft decline handling
• Trigger step-up if exemption rejected

Exemption logic can be integrated with gateway risk engines.

License mode provides:

• Full infrastructure control
• Data residency compliance
• Custom security policies
• Internal network isolation
• Dedicated SLA management

It is ideal for large banks or regulated entities.

SaaS mode provides:

• Faster time-to-market
• Reduced operational overhead
• Managed upgrades
• Built-in scalability
• Lower upfront cost

It is ideal for PSPs and fintechs seeking agility.

Yes. The architecture supports:

• Active-active clustering
• Horizontal scaling
• Load balancing
• Database replication
• Automatic failover

It is designed for high TPS environments.

Security features include:

• TLS encryption
• Certificate management
• Message integrity validation
• Audit logging

Compliance with scheme security requirements is maintained.

Logical tenant isolation

• Logical tenant isolation
• Separate scheme configurations
• Dedicated merchant portfolios
• Independent reporting

Multi-tenant PSPs can operate under a single infrastructure.

Yes. Reporting may include:

• Authentication success rates
• Frictionless vs challenge ratio
• Scheme-specific performance
• Exemption acceptance rates
• Latency metrics
• US-on-Us vs off-us distribution

This helps optimize authentication strategy.

Direct ACS interaction enables:

• Lower authentication latency
• Higher frictionless approval rates
• Reduced scheme dependency
• Optimized customer experience
• Better risk control within the same institution

It is especially valuable for banks operating both issuing and acquiring businesses.