HIGHEST Verification (Two-Hold)
Introduction
HIGHEST is the strictest verification risk tier. It proves card
ownership with two factors:
- A 3DS challenge — if the issuer challenges the cardholder, that alone is sufficient and enrollment completes.
- A two-hold confirmation — if the issuer instead approves frictionlessly (no challenge), the cardholder confirms two small temporary authorization holds on the card, read from their banking app. Both holds are voided automatically; nothing is ever captured.
The Astrada Card Enrollment SDK renders this entire flow for you — the up-front disclosure, the place-holds prompt, and the amount-confirmation screen. You don't build any UI or write any disclosure copy. See Get the SDK to embed it.
When the second factor applies
The SDK detects which path the issuer took and shows the right screens automatically:
| Issuer's decision | What happens |
|---|---|
| Challenged the cardholder | Enrollment completes — no holds. |
| Challenge engaged, then failed | Enrollment fails — no holds (same as HIGH). |
| Approved frictionlessly (or 3DS didn't run) | The two-hold confirmation runs as the second factor. |
What the cardholder sees
These are the SDK's built-in screens — your only setup is embedding the SDK.
1. Up-front disclosure
Before anything is held, the SDK's intro screen tells the cardholder what to expect. This copy is built into the SDK — you don't write it:
If your bank approves this card without a challenge, we'll place two small temporary holds ($0.50–$0.99 each). You'll confirm the amounts from your banking app — both release automatically and nothing is charged.
2. Place the holds
If the issuer approves frictionlessly, the SDK asks the cardholder to start the second factor. Nothing is held until they tap "Place the holds."
3. Confirm the two amounts
Astrada places two holds ($0.50–$0.99 each). The cardholder finds the two ASTRADA holds in their
banking app and enters both amounts (the order doesn't matter). They get two attempts per set of
holds.
4. Done
On a match, both holds are voided and the card is linked.
The flow at a glance
sequenceDiagram
autonumber
participant CH as Cardholder
participant SDK as Astrada SDK
participant Bank as Issuer / bank
CH->>SDK: Enter card (after the holds disclosure)
SDK->>Bank: 3DS verification (HIGHEST)
alt Issuer challenges the cardholder
Bank-->>SDK: Challenge completed
SDK-->>CH: Card linked (no holds)
else Approved without a challenge
SDK-->>CH: "Place the holds" prompt
CH->>SDK: Taps Place the holds
SDK->>Bank: Two temporary holds ($0.50–$0.99 each)
SDK-->>CH: Enter the two amounts from your banking app
CH->>SDK: Confirms both amounts
SDK->>Bank: Void both holds
SDK-->>CH: Card linked
end
Retries, lockout, and expiry
- Attempts: the cardholder gets 2 tries per set of holds. A mismatch shows an inline "try once more" message.
- Lockout: after 3 failed sessions for the same card,
HIGHESTis blocked for that card and the SDK shows a "temporarily blocked" screen. The count isn't reset by re-enrolling — contact Astrada to clear it. This per-card two-hold lockout is separate from the opt-in cross-network Verification Attempt Lockout (which you clear yourself).
- Expiry: if the cardholder doesn't confirm in time, the holds expire and the flow must be restarted. Uncaptured holds also release on their own at the issuer.
Resuming across sessions or devices
The two-hold flow can span minutes to hours (the cardholder leaves to check their banking app). The SDK resumes automatically — if the cardholder returns to the same card, it picks up at the live step (place holds or confirm amounts) instead of starting over.
Next steps
- Verification Risk Tiers — how to set a subaccount to
HIGHEST. - Test Cards & Sandbox Testing — drive the full two-hold flow deterministically.
- Error States & Remediation — every HIGHEST failure code and screen.
- Single Card Enrollment — API Reference — the endpoint contract (for approved direct-API partners).