A key component in the Issuer Domain is the Access Control Server (ACS). The ACS is responsible for authenticating the cardholder when the ACS receives an Authentication Request. A transaction can be authenticated either through a challenge flow or a frictionless flow.
ACS may consult a risk-engine to assess the risk level of the transaction and channel it through a frictionless process if it is deemed low-risk. This is referred to as Risk-Based Authentication (RBA). However, if a transaction is deemed medium-to-high risk, the ACS may require the cardholder to provide more information in the form of 2-factor authentication (2FA), one-time passcode (OTP) or biometrics authentication.
For further details on the ACS, do check out our product information on IMS2.0