Card Payments Authentication

Question 1

Card Present Authentication

Answer 1

1. A PIN or signature are used to authenticate transactions (elements known by the cardholder)
2. CVV1
   - A static card verification value is also used to authenticate magstripe transactions

• Cardholders do not need to be aware of the CVV1
• By verifying that the CVV1 code matches the one associated with the card, the issuer can confirm that the card is likely in the possession of the legitimate cardholder at the time of the transaction

3. iCVV (CVV3)
   - Is also used in conjunction with PIN or signature to authenticate EMV chip card transactions

• The iCVV changes with each transaction, making it more difficult for fraudsters to replicate or steal
• Since the iCVV is generated by the chip during the transaction process and is not printed on the card, it is not visible to the cardholder

Question 2

Card Not Present Authentication

Answer 2

“The PAN, cardholder name, and expiry date must be supplied by the cardholder to make a remote card payment transaction”

• A different, static card verification value, the CVV2 (printed on the card), is used to authenticate CNP payments (This is the only card verification value that cardholders know and is there to demonstrate to the issuer that the card is in possession of the cardholder)
• Merchant may elect to use additional security features (Address Verification Service). The issuer will return a response and the merchant ultimately decides in line with their risk appetite

Question 3

3D Secure

Answer 3

“Is to e-commerce transactions what EMV chips is to CP transactions”

“With 3D Secure authentication, there are additional steps for example a pop-up box presented to the cardholders screen asking for further authentication”

• This enables the issuer to further ascertain that the genuine cardholder is performing the transaction
• It also helps merchants reduce chargebacks

Question 4

3D Secure 2.2 Features

Answer 4

• Allows for whitelisting
• Allows merchants to authenticate payments without customer intervention (recurring, subscription)
• Decoupled Authentication (deferred for a period of time)
• Delegated Authentication (when authentication is performed by an eligible third party other than the issuer)

Question 5

3D Secure Whitelisting

Answer 5

Whitelisting in 3DS allows cardholders to create a list of trusted merchants or transactions that are exempted from the additional authentication process

Question 6

What the merchant needs to do to deploy 3D Secure

Answer 6

• They need the 3D Secure Server
• Provided by the PSP

This functionality provides the bridge between the cardholder (e.g. a pop-up window) and the acquirer during the authorisation process

Question 7

Decoupled Authentication

Answer 7

• Cardholder authentication happens outside of their payment interaction at a different time
• Merchants can set a time limit (one minute, a week) for the cardholder to complete the authentication process

Question 8

Delegated Authentication

Answer 8

• Issuers can delegate the authentication process to a third party (aquirer, wallet provider)
• For example, if a merchant can perform the cardholder authentication through a card-scheme-approved method, information can be passed on to the issuer to confirm the cardholder’s identity, and there will be no need for the issuer to authenticate
• This means a lot less friction for cardholders (e.g. one-click-payments)

Question 9

AVS

Answer 9

• Address Verification Service

“Verify that the billing address supplied by the cardholder matches that which the issuer has on record for that card”

• Issuer will return a single letter code to the merchant (full match, partial match)
• This does not change the issuers authorization decision
• the merchant ultimately decides, in line with their risk appetite, to proceed with or reject the transaction

Merchants would use this facility as part of a multi-layered fraud prevention strategy, as it helps minimise chargebacks

Question 10

Adyen - 2 Ways For 3DS

Answer 10

1. Native
   - Card issuer performs the authentication within your website or mobile app using passive, biometric and two factor authentication approaches
2. Redirect
   - Shoppers are redirected to the card issuers site to provide additional authentication data, for example a password or an SMS. The redirect might lead to lower conversion rates due to technical error during the redirect, or shoppers dropping out of the authentication flow

Question 11

Frictionless Flow

Answer 11

In a frictionless flow, the acquirer, issuer, and card scheme exchange all necessary information in the background through passive authentication using the shopper’s device fingerprint. The transaction is completed without further shopper interaction

Question 12

Challenger Flow

Answer 12

In a challenge flow, the issuer requires additional shopper interaction, either through biometrics, two-factor authentication, or similar methods