Tracked metadata: Sourced from EMVCo's public website. PCI Watch records this item's details and a text excerpt so changes can be tracked over time; the full article lives on EMVCo's site.

Optimising Online Payment Authentication with EMV® 3-D Secure


Text excerpt tracked by PCI Watch (EMVCo's index truncates long articles). Read the full article on EMVCo.com.

EMVCo has updated the EMV® 3-D Secure (EMV 3DS) White Paper to help banks, solution providers and merchants optimise the EMV 3DS payment authentication experience. In this post, Tabitha Odom, Chair of the EMVCo 3DS Working Group, explores what’s new.

The EMV 3DS White Paper – available in both an interactive online format and as a PDF – provides industry participants with an accessible, easy-to-use resource that aims to promote a better understanding of the EMV 3DS Specifications. The White Paper examines the business value, technical elements, user experience considerations, and example use cases associated with key EMV 3DS features.

EMVCo agreed with its Associates on a phased release of the White Paper. For the first version, priority was given to the Frictionless Flow, out-of-band (OOB) authentication, and recurring and instalment transactions. As part of the second phase, the White Paper now covers additional topics, such as the Challenge Flow, including insight into WebAuthn, Secure Payment Confirmation (SPC) and Decoupled Authentication. Dedicated guidance on the role that 3DS message extensions and the Split-SDK play in supporting more flexible deployments has also been added.

Here is a breakdown of each new update:

Challenge Flow

There are two primary 3DS flows – the Frictionless Flow and the Challenge Flow. The Frictionless Flow enables issuers to accept transactions without challenging cardholders. This is achieved through a real-time risk assessment, promoting a seamless shopping experience for both cardholders and merchants.

However, if a transaction is deemed high-risk by the issuer or needs confirmation by the cardholder, the Challenge Flow is triggered. This requires the cardholder to provide additional information directly to the issuer for the transaction to take place. This may involve entering a one-time passcode sent to their mobile device, or validating the transaction using their mobile banking application (known as OOB authentication).
This extra layer of authentication within the Challenge Flow increases security and helps to reduce fraud, promoting consumer confidence. For merchants, the challenge process provides valuable information on transaction patterns – as well as consumer and issuer behaviour – to improve fraud prevention strategies and balance security and user experience considerations according to their specific risk profile. In some regions, the Challenge Flow also supports compliance with Strong Customer Authentication requirements for online payments.

WebAuthn, SPC and Decoupled Authentication

The Challenge Flow is flexible to support various authentication methods to suit different issuer preferences and marketplace requirements. In addition to OOB authentication, the updated White Paper now explores WebAuthn, SPC and Decoupled Authentication:

WebAuthn and SPC – SPC is a web standard published by the World Wide Web Consortium (W3C) that is built on WebAuthn to support streamlined authentication. Both FIDO-based WebAuthn and SPC can be used within the Challenge Flow to better determine the legitimacy of a transaction to reduce the risk of fraud.

Decoupled Authentication – Decoupled Authentication is a 3DS feature that enables the authentication process to be performed separately from the payment transaction flow. This offers an alternative authentication method when the primary authentication method is unavailable, not possible, or fails. It also enables merchant-initiated authentication when the cardholder is not present, such as for some mail order/telephone order (MOTO) transactions and subscription payments.

3DS message extensions

EMV 3DS technology enables the exchange of data – or messages – between the merchant and the issuer to authenticate the cardholder and approve the transaction. While the EMV 3DS Protocol and Core Functions Specification defines over a hundred data elements to enable this authentication, some emerging use cases and requirements canno