Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

What is an Access Control Server in 3DS?

Published 01/24/2023

What is an Access Control Server in 3DS?

Originally published by TokenEx.

Written by Anni Burchfiel, TokenEx.

Quick Hits

  • 3DS is a form of multifactor authentication used to reduce card-not-present fraud by verifying cardholder identities.
  • The 3DS Access Control Server is a tool used by issuing banks to confirm the identity of the cardholder with one-time codes, or account login information.

What is 3DS?

3-D Secure Authentication (3DS) is a security protocol used to add an additional layer of identification in the payment process. 3-D Secure is a popular choice for many companies looking to integrate multifactor authentication into their payment systems.

The 3-D Secure model authenticates users across three different domains, the acquiring bank, the issuing bank and the payment systems that connect the two. 3-D Secure often adds an additional step to the consumer’s checkout process, requiring identification through unique passwords, or authentication codes sent via email or SMS. This process is done using a 3D Secure Access Control Server.

What is an Access Control Server?

As previously mentioned, there are three domains of 3D Secure, the acquiring bank, the issuing bank, and the interoperability domain, which consists of the parties that connect the two to enable transactions. The Access Control Server (ACS) exists within the issuing bank’s domain.

The Access Control server is used by issuing banks to carry out their cardholder authentication requirements. The issuing bank is the one that has issued the card the cardholder is using, which makes them a vital part of authenticating whether the card being used is attached to the cardholder they’ve authorized.

When customers are redirected during the 3DS process, customers are directed to the issuing bank in order to maintain the security and confidentiality of their identifying information.

Customers will then verify their identity by providing information, like their account password or a code sent to their email or phone, to the ACS. Checking this information against the information available to the issuing bank, the ACS can then signal whether or not the customer has verified their identity.

The ACS, connected to the issuing bank, is a large part of the customer authentication process. This is one of the reasons why liability for chargebacks is shifted to the issuing bank when merchants use 3DS.

Why does 3DS matter?

3DS makes the checkout experience more secure for both the consumer and the merchant. As a form of multifactor authentication, 3DS reduces both fraudulent charges and the chargebacks they create.

Additionally, if merchants use 3-D Secure, liability for fraudulent chargebacks is shifted to the issuing bank. Reducing the amount of chargebacks a company receives is a huge win, as chargebacks can cost almost twice the original transaction amount due to chargeback fees.

However, 3DS also adds another step to the payment process which can contribute to higher cart abandonment rates. For businesses with higher chargeback rates, this is often worth the cost of abandoned carts. For other businesses, streamlined payments will save them more in the long run.

Often, even streamlined payment methods choose to use 3DS, as it satisfies necessary compliance requirements like the EU’s SCA (Strong Customer Authentication) standard. SCA requires a form of multifactor authentication for card-not-present transactions in order to protect customers and merchants from fraudulent transactions. 3DS is a popular choice for many businesses to meet this requirement and enables many merchants to conduct business in the EU.

Share this content on your favorite social network today!