EMV® 3-D Secure White Paper v1.0 – Use of the EUDI Wallet in EMV® 3-D Secure Payment Authentication - DRAFT - Disposition of Comments
Draft Specification & Bulletin Industry Feedback Form

Working Group or Task Force: 3-D Secure Working Group
Document: 3-D Secure White Paper v1.0 – Use of the EUDI Wallet in EMV® 3-D Secure Payment Authentication – Draft
Date: June 2025

Form columns: EA/Sub (1); Clause No./Subclause No./Annex; Paragraph/Figure/Table/Note; Type of comment (2); Comment (justification for change); Proposed change; Status (Accept, Reject, In progress); EMVCo Use Only: EMVCo observations on each comment submitted.

Comment 1

EA/Sub: EA
Clause No./Subclause No./Annex: 3.1
Type of comment: te
Comment (justification for change): This comprises Delegated Authentication under PSD-2 / PSR-1.
Proposed change: Merchant Captured authentication is, effectively, Delegated Authentication, therefore the 3DS Requestor Challenge Indicator should be set to 07.
Status: Reject
EMVCo observations: The 3DSWG cannot definitively state that this is delegated authentication, as there may be other conditions required to be met, such as the merchant and issuer having a delegation agreement, or merchant-used ID credentials being known and registered by the issuer. Further clarification on this subject will be provided in the soon-to-be-published EWC payment rulebook.

Comment 2

EA/Sub: EA
Type of comment: ge
Comment (justification for change):

As an ACS provider, Issuer capture authentication is where we have a bigger role to play, along with the issuer as well, and we were keen to share some of our real-life experience. One of our Issuer customers essentially operated on this level with QR and App Redirect Authentication. We use universal links to open the OOB App from the browser. However, as the draft whitepaper also recognizes, and from the pain points encountered from our integration with them, there is a big blocker with EMV 3DS 2.3.1 and Browser Based Transactions, particularly with launching an app from inside an iframe in browser-based transactions.

It is worth noting an issue that may arise when calling an EUDI Wallet through a Universal App Link on the same device. The sandbox parameters on the challenge iframe limit the functionality and content to which the iframe has access. A Universal App Link called from an iframe to invoke the EUDI Wallet Instance on the same device may be blocked. This depends on the sandbox attributes that the 3DS Requestor has applied on the iframe. Specifically, the "allowpopups" attribute blocks calls to applications or websites outside the iframe. This attribute is defined as 'not allowed' in the EMV 3DS v2.3.1.1 specification.

We have examples of big EU merchants / PSPs already blocking such behaviour in 2.2, and in 2.3.1 this behaviour is standardized. Therefore, Outseer want to advise EMVCo that you will need to either specifically allow pop-ups from an iframe for this use case or advise on a standardized work-around for this (to launch an app installed on the device through a Universal Link). It's good that you have identified this as requiring further investigation, because this will be a big blocker since Browser-Based Transactions outnumber App Based Transactions significantly.

To further points we note:

Lack of backend component in wallet ecosystem for challenge initiation and completion - It depends on what the EUDI wallet instance does. Currently our Issuer calls an endpoint to their wallet / OOB app provider (BankID), the trigger for them is our checkOOBStatus call. We assume we will have something similar, or perhaps Outseer needs to provide a callback / ACS challenge completion notification URL for the EUDI wallet instance to notify us of the transaction outcome. We will need more information on this.

Questions:
1. How do you expect the use case for Issuer asking for further challenge in merchant captured to work? (section 4.1.2).

Status: In progress
EMVCo observations:
• Merchant-captured authentication: The ACS is not able to validate the authentication data provided by the merchant (for example, if the merchant used an ID in the wallet, but the ACS did not register the ID). The ACS responds with a Transaction Status = C in the ARes, asking the merchant to process a ‘normal’ 3DS challenge (OTP, OOB, …).
• Issuer-captured authentication: The 3DSWG cannot comment on this matter. The EWC should provide additional clarification on the specification and implementation guidelines. Once the input is provided, this White Paper will be updated (second version).

1 EA/Sub = EMVCo Associate or Subscriber company (enter a 2-3 letter abbreviation for commenting)
2 Type of comment: ge = general, te = technical, ed = editorial – For technical comments, please indicate whether your comment is a MAJOR or MINOR technical comment.

© 2025 EMVCo, LLC. All rights reserved. Reproduction, distribution and other use of this document is permitted only pursuant to the applicable agreement between the user and EMVCo found on the EMVCo website. EMV® is a registered trademark or trademark of EMVCo, LLC in the United States and other countries.