Simple Order API
Why Payer Authentication Is Needed
As e-commerce developed, fraudulent transactions also grew, taking advantage of the
difficulty authenticating a cardholder during a transaction when the card is not
present. To create a standard for secure payment card processing, Europay, Mastercard,
and Visa collaborated as EMV. Other card providers wanted input on creating new payment
standards, so a consortium called EMVCo was formed to enable equal input from Visa,
Mastercard, JCB, American Express, China UnionPay, and Discover.
EMVCo developed 3-D Secure as the protocol to provide customer authentication during an
online transaction. EMV 3-D Secure reduced chargebacks to merchants, and when the
buyer was authenticated, the issuing bank assumed any liability when a chargeback
occurred.
The same need to reduce fraud prompted Europe to develop a standard called Strong
Customer Authentication (SCA) to regulate authentication during electronic payment. The
use of SCA is mandated by the European Banking Authority in the Payment Services
Directive (PSD2) that took effect in 2018 to promote and regulate the technical aspects
of financial transactions between merchants and their customers in Europe. SCA requires
two-factor authentication. A customer must be able to authenticate by providing two of
these three factors:
- Something the customer knows (such as a password, PIN, or challenge questions)
- Something the customer has (such as a phone or hardware token)
- Something the customer is (biometric data, such as fingerprint or face recognition)
Although SCA is required for almost all online transactions, some exceptions are allowed.
If a payment is considered low risk, the merchant can request an exemption from SCA to
bypass authentication of the customer. The issuing bank must approve the exemption
before the transaction can be exempted from SCA. Although an exemption from SCA results
in a frictionless transaction, liability is not shifted to the issuing bank, and the
merchant assumes responsibility for any chargeback that occurs. An exemption from SCA
might apply to these types of transactions:
- Payer authentication is unavailable because of a system outage.
- Payment cards used specifically for business-to-business transactions are exempt.
- Payer authentication is performed outside of the authorization workflow.
- Follow-on installment payments of a fixed amount are exempt after the first transaction.
- Follow-on recurring payments of a fixed amount are exempt after the first transaction.
- Fraud levels associated with this type of transaction are considered a low risk.
- Low transaction value does not warrant SCA.
- Merchant-initiated transactions (MITs) are follow-on transactions that are also exempt.
- Stored credentials were authenticated before storing, so stored credential transactions are exempt.
- Trusted merchants, registered as trusted beneficiaries, are exempt.
EMV 3-D Secure meets the SCA mandate for authenticating the customer during
e-commerce transactions. The first version was called 3-D Secure 1.0 and was
designed to authenticate by having the customer enter a static password that they had
created to prove that they were the actual cardholder. Although this authentication
process was an improvement in reducing fraud, the process had drawbacks:
- The authentication process was slow and intrusive.
- The cardholder had to remember a password and answer security questions.
- Transaction data shared between the merchant and issuing bank was not extensive enough for good risk analysis by the bank.
- Authentication for phones and tablets was not available.
Merchants lost sales when impatient customers grew frustrated over the length of time
required for transaction approval. They did not trust being redirected to a different
webpage to authenticate, and many had trouble remembering their passwords. Shopping cart
abandonment caused merchants to lose sales. EMV 3-D Secure 2.0 was developed to
address those problems.