Tracked metadata: Sourced from EMVCo's public website. PCI Watch records this item's details and a text excerpt so changes can be tracked over time; the full article lives on EMVCo's site.
Use of the EUDI Wallet in EMV® 3-D Secure Payment Authentication

Text excerpt tracked by PCI Watch (EMVCo's index truncates long articles). Read the full article on EMVCo.com.

The EMV® 3-D Secure (EMV 3DS) protocol is widely adopted globally to enhance the security of online card payment transactions by authenticating cardholders during the payment process. Used in all European Union (EU) Member States, EMV 3DS is already supported by payment card issuers and online merchants for online transactions in the EU. As the EU works towards the rollout of EU Digital Identity (EUDI) Wallets as a means of digital identification for its citizens, what does this mean for existing payment authentication methods in the region?

In this post, Tabitha Odom, Chair of the EMVCo 3DS Working Group, explores the requirements of the EMV 3DS protocol when integrating with the EUDI Wallet to ensure the two technologies work together to deliver safe and seamless payment authentication.

Can you provide a brief overview of the EUDI Wallet?

The European Union (EU) Digital Identity Framework Regulation entered into force in May 2024 and specified the requirement for a commonly defined digital ID wallet. The EUDI Wallets will make it possible for EU citizens, residents and businesses to link their national digital identities with other personal attributes to prove their identity when accessing digital services. For example, users will be able to request, store and share their personal information when opening a bank account, applying for a job or making an online payment. Each EU Member State will publish its own wallets to its citizens based on common EUDI Wallet specifications. Wallets are expected to be operational by November 2026, with the private sector accepting EUDI Wallet authentications by November 2027.

Can EUDI Wallets be used to fulfil PSD2 Strong Customer Authentication (SCA) requirements in EMV 3DS payment authentication transactions?

Yes. Relying parties will be required to support SCA via EUDI Wallets as per Article 5f(2) of the Electronic Identification, Authentication, and Trust Services 2.0 (eIDAS 2.0) regulation. As EMV 3DS is used in all EU Member States, supported by most payment card issuers and online merchants, and used in the majority of online SCA transactions in the EU, interoperability between EMV 3DS and the EUDI Wallet will be key to fulfilling the eIDAS SCA obligation.

Will EMV 3DS authentication using the EUDI Wallet change the user experience?

EMV 3DS is already widely adopted in the online commerce ecosystem as the de facto way to ensure seamless and secure authentication of cardholders in online commerce transactions. Changes to the user experience will depend on the EUDI Wallet authentication flow.

With issuer-captured authentication, the user experience remains the same for cardholders. After checkout, if the issuer determines that it is necessary to challenge the transaction, the cardholder is directed to the issuer for SCA. In EMV 3DS terminology, this is referred to as out-of-band (OOB) authentication and it resembles today’s user experience with banking applications and authentication applications.

However, the user experience in the area of merchant-captured authentication is noticeably different. Merchant-captured authentication is a new authentication flow introduced by EUDI Wallets. The merchant integrates with the EUDI Wallet and initiates cardholder authentication already on the merchant’s website. Using the EUDI Wallet, the cardholder authenticates with an authentication credential supported by their card issuer. Using the EMV 3DS protocol, the merchant relays the outcome of the authentication step to the issuer for validation. The issuer acts as a relying party in a merchant-captured authentication.

Does EMVCo need to adapt EMV 3DS to specifically align with EUDI Wallet functionality?

EMV 3DS was designed to be interoperable with various current and future authentication methods, such as Secure Payment Confirmation (SPC) and WebAuthn.
From our initial work and understanding, the EUDI Wallet is interoperable with EMV 3DS, but some of the technical requirements o