Non-Payment Authentication

The improved 3D Secure protocol, 3DS 2.0, will have a big impact on the payments industry, including the ability to cast a wider net in fraud prevention.

There are now more channels where the protocol can be implemented for secure transactions, including non-browser based platforms and mobile integration.

Non-payment authentication is one of the aspects that will be introduced with 3DS 2.0 that allows the protocol to be used in more than just traditional browser-based payments.

What do we mean
with non-payment
authentication?

To understand this concept, it’s worth looking at the basics of how the original 3DS protocol work.

3DS version 1 asks cardholders (the person making the online payment) to prove their identity to the issuing bank before the transaction can be completed. This happens through a popup window or inline frame at the actual checkout stage of the payment.

So the authentication process always took place during the actual payment. This resulted in two problems.

First, users are not always able to identify the authenticity of the popup window, which would often cause suspicion and result in transaction abandonment. Second, because the 3DS protocol was introduced a number of years before mobile payments were available, there proved to be compatibility issues when the authentication process is conducted on mobile browsers.

Although 3D Secure 2.0 addresses the compatibility issues and now provides for a more frictionless experience on mobile devices, in certain instances, it also allows merchants to separate the authentication process from the actual payment.

This has a direct result on user abandonment and customer experience.

Why?

As fraudsters are coming up with more sophisticated ways of getting unauthorised access to debit and credit card details, we are all too aware of the potential dangers of making online payments.

This can make the online checkout process a stress-filled situation. Hence why people drop off so easily when confronted with an “unknown” popup window asking them to enter some of their personal information.

By moving the 3D Secure verification away from the actual payment to a less stress filled environment, i.e. non-payment authentication, can reduce shopper suspicion and therefore transaction abandonment.

Non-payment authentication
in mobile applications

We’ve seen what impact 3DS 2.0 will have on the mobile payments industry including the introduction of mobile SDKs that will help merchants to easily integrate the new protocol with their already existing mobile applications.

It will also improve the verification process as a whole and provide for non-payment authentication.

One such application is through mobile wallets.

As mobile payments grew in popularity in recent years, so has the usage of mobile wallets (or eWallets). It provides a convenient platform to store money securely and process online payments quickly.

According to a study done by Mastercard, in 75% of all social media conversations that were monitored, digital wallets were mentioned in some shape or form. Another survey conducted by Points found that almost 100% of consumers would use a mobile wallet more frequently if it offers some sort of loyalty reward.

A big plus factor in mobile wallets is the ability for users to store their credit or debit card details on the application. Transactions can therefore be completed through the platform without having to enter your card details every time you are making a payment.

This is where the additional functionality of 3DS 2.0 comes into play. It allows for the authentication process to be conducted in the merchant’s mobile application, providing the extra layer of security at the point when the user enters their card details on the platform for later use.

It means the authentication process has moved away from the payment environment to an issuer approved, non-payment environment.

The authentication process will also look and feel consistent with the rest of the in-app experience, which is less alarming for users.

Mobile wallet providers can verify the authenticity of the user by borrowing the intelligence from the issuing bank through a simple connection to the Directory Server using a 3DS Server in conjunction with Mobile SDK from approved vendors.

Non-payment
authentication and PSD2

The development of PSD2 (the second Payment Services Directive by the European Union) has seen some strong overlap with certain functions of the new 3D Secure 2.0 protocol, especially when it comes to SCA (Strong Customer Authentication), including TFA (Two Factor Authentication) and OTP’s (One Time Passwords).

The new rules under PSD2 states that SCA will be required for electronic payments over a certain amount (around €10). They define SCA as “the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inheritance (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others.”

This is basically what MFA (multi-factor authentication) is, including OTPs, biometric authentication such as finger prints or facial recognition, and QR codes than can be scanned by mobile applications.

When the new Payments Directive gets rolled out, Banks and other financial institutions will have to comply with the SCA regulations.

The good news for merchants and issuers is that this non-payment authentication process is already required under 3DS 2.0 and is therefore fully aligned with the principles established in PSD2.

If the 3DS 2.0 protocol is already adopted on a merchant’s platform, it will allow for easy compliance with PDS2 with little or zero customisation, enabling the fight against fraud to continue effortlessly by all parties involved.

The same ACS servers that banks use in their SCA controls can be used in online payments that require the 3D Secure authentication. It might even make sense for banks to move to a 3D Secure 2.0 ACS server.

Conclusion

Jonathan Main, Chair of the EMVCo Board of Managers said, “Besides security, the consumer experience is central to EMVCo’s work”

Providing the option for issuer approved non-payment authentication, 3DS 2.0 brings merchants and issuers another step closer to implementing a frictionless customer experience.

In addition, it enables merchants to give an extra layer of security for online payments through a more diverse range of channels, other than browser-based transactions.

And finally, non-payment authentication in 3DS 2.0 doesn’t just help merchants to effortlessly comply with payment governance, like PSD2, but actually work in conjunction with regulators to create an even safer online environment for customers.