Introduction to Payer Authentication

Cybersource has a variety of products to manage and minimize the risk of fraud that merchants face in their daily transactions. While these risk management products can operate independently to address specific areas of risk, the best results are achieved when the entire suite of products works in concert to detect patterns of fraud in a business’s online activity.

Decision Manager: Decision Manager uses AI to help large enterprises analyze the vast amount of data from their online transactions to detect known patterns of fraudulent behavior. Each potential transaction can be compared to past patterns and automatically assigned a risk score before authorizing a transaction. Behavior analysis of past transaction data enables you to recommend rules that identify risky transactions and to suggest how to handle them. Machine learning capabilities in Decision Manager enables you to create hypothetical environments to test strategies for dealing with risky scenarios so that you can either reject them or require payer authentication.

Fraud Management Essentials: Fraud Management Essentials helps small-to-medium businesses monitor their online transactions using AI and preconfigured rules to spot and avoid fraudulent transactions. You can adjust the fraud detection settings to match your risk tolerance and manually review transactions flagged for risk review.

Account Takeover Protection: Account Takeover Protection monitors customer account activity to detect compromised accounts. You create account events and define rules to determine the types and levels of activity in a customer account that trigger a manual review for potential fraud. The activity data that happens within a customer account can be easily integrated into Decision Manager and used to assess risky payment behavior.

Payer Authentication: Payer authentication uses the 3-D Secure protocol in online transactions to verify that payment is coming from the actual cardholder. Most transactions can be authenticated without the customer being aware of the process, but higher risk transactions might require an exchange of one-time passwords (OTP) during authentication. This authentication of the payer before the transaction is authorized benefits the merchant by shifting chargeback liability from the merchant to the card issuer. You can use Decision Manager with payer authentication services so that the risk level of an order determines when to invoke payer authentication. For example, low-risk orders can be set to skip payer authentication and proceed directly to authorization.

This guide documents the payer authentication aspect of fraud management and how payer authentication can be used to satisfy the Strong Customer Authentication (SCA) requirement of the Payment Services Directive (PSD2) that applies to the European Economic Area (EEA) and the United Kingdom. SCA requires banks to perform additional verification when consumers make payments to confirm their identity. Access to the documentation for other aspects of the risk management portfolio requires a Cybersource support license for that product.

Transactions where the card is not present have a high risk of fraud, so authenticating a payer before processing a transaction greatly reduces the merchant risk for chargebacks. Payer authentication is a way of verifying that a customer making an e-commerce purchase is the owner of the payment card being used. The protocol that is followed to authenticate customers during online transactions is called EMV 3-D Secure
.

This EMV 3-D Secure protocol is used by all major payment cards to implement payer authentication, but payment companies usually brand it under a different name:

Visa: Visa Secure

Mastercard: Mastercard Identity Check

American Express: American Express SafeKey

JCB: J/Secure

Discover/Diners: ProtectBuy

ELO: Compra Segura (Secure Shopping)

Cartes Bancaire: FAST’R

Union Pay International: Union Pay 3-D Secure

Why Payer Authentication Is Needed

As e-commerce developed, fraudulent transactions also grew, taking advantage of the difficulty authenticating a cardholder during a transaction when the card is not present. To create a standard for secure payment card processing, Europay, Mastercard, and Visa collaborated as EMV. Other card providers wanted input on creating new payment standards, so a consortium called EMVCo was formed to enable equal input from Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.

EMVCo developed 3-D Secure as the protocol to provide customer authentication during an online transaction. EMV 3-D Secure reduced chargebacks to merchants, and when the buyer was authenticated, the issuing bank assumed any liability when a chargeback occurred.

The same need to reduce fraud prompted Europe to develop a standard called Strong Customer Authentication (SCA) to regulate authentication during electronic payment. The use of SCA is mandated by the European Banking Authority in the Payment Services Directive (PSD2) that took effect in 2018 to promote and regulate the technical aspects of financial transactions between merchants and their customers in Europe. SCA requires two-factor authentication. A customer must be able to authenticate by providing two of these three factors:

Something the customer knows (such as a password, PIN, or challenge questions)

Something the customer has (such as a phone or hardware token)

Something the customer is (biometric data, such as fingerprint or face recognition)

Although SCA is required for almost all online transactions, some exceptions are allowed. If a payment is considered low risk, the merchant can request an exemption from SCA to bypass authentication of the customer. The issuing bank must approve of the exemption before the transaction can be exempted from SCA. Although an exemption from SCA results in a frictionless transaction, liability is not shifted to the issuing bank, and the merchant assumes responsibility for any chargeback that occurs. An exemption from SCA might apply to these types of transactions:

Payer authentication is unavailable because of a system outage.

Payment cards used specifically for business-to-business transactions are exempt.

Payer authentication is performed outside of the authorization workflow.

Follow-on installment payments of a fixed amount are exempt after the first transaction.

Follow-on recurring payments of a fixed amount are exempt after the first transaction.

Fraud levels associated with this type of transaction are considered a low risk.

Low transaction value does not warrant SCA.

Merchant-initiated transactions (MITs) are follow-on transactions that are also exempt.

Stored credentials were authenticated before storing, so stored credential transactions are exempt.

Trusted merchants, registered as trusted beneficiaries, are exempt.

For additional information about transactions that are exempt from SCA, see the Payments Guide.

EMV 3-D Secure meets the SCA mandate for authenticating the customer during e-commerce transactions. The first version was called 3-D Secure 1.0 and was designed to authenticate by having the customer enter a static password that they had created to prove that they were the actual cardholder. Although this authentication process was an improvement in reducing fraud, the process had drawbacks:

The authentication process was slow and intrusive.

The cardholder had to remember a password and answer security questions.

Transaction data shared between the merchant and issuing bank was not extensive enough for good risk analysis by the bank.

Authentication for phones and tablets was not available.

Merchants lost sales when impatient customers grew frustrated over the length of time required for transaction approval. They did not trust being redirected to a different webpage to authenticate, and many had trouble remembering their passwords. Shopping cart abandonment caused merchants to lose sales. EMV 3-D Secure 2.0 was developed to address those problems.

EMV 3-D Secure 2.0

To improve the experience of authenticating payers, a new version of 3-D Secure was developed. EMV 3-D Secure 2.x uses a less intrusive process to authenticate a buyer, which provides a better customer experience. Enhancements include:

More robust device data collection to improve risk analysis by the issuing bank.

Small screens that pop up on your webpage to avoid full page redirects.

SDK version for mobile devices like phones and tablets.

Streamlined shopping experience.

IMPORTANT

On September 25, 2024, support for EMV 3-D Secure 2.1.0 will end. Merchants must support EMV 3-D Secure 2.2.0 or a later version before that date so transactions can continue without any interruption in service. Contact support for additional information on updating your system to use EMV 3-D Secure 2.2.0.

Payer Authentication Customer Workflow

During authentication for each transaction, data is collected about the device that the customer is using and the shipping and billing information is compared with transaction history. The workflow in payer authentication can go one of two possible ways: frictionless and challenge (also known as
step-up
).

Payer Authentication Workflow

Frictionless Workflow

With frictionless workflow, the authentication process is not visible to the customer. The data collected during the transaction matches the data collected from past transactions with the customer. The risk for fraud is calculated to be low enough that further authentication is unnecessary. The transaction can continue to authorization.

The customer enters card information at checkout. Information about the device being used by the customer and shopping behavior is collected and relayed from the merchant to the issuing bank. A delay of about 10 seconds is built into the process to ensure that the device data can be transmitted and assessed before the

Buy

option is enabled.

The customer selects

Buy

The issuing bank verifies the information it receives against previous transactions. If the device data correlates with the information, the transaction is approved without the buyer having to provide any additional information.

Challenge Workflow

A challenge workflow occurs when the data collected during the transaction does not match the information on file from previous transactions with the customer. This process occurs for multiple reasons and does not necessarily mean that the customer has fraudulent intent. It could occur because the customer got a new device that has not been registered yet or because they bought something while traveling on vacation. The issuer of the card decides whether further authentication of the customer is required and requests that the customer prove that they are the cardholder. The customer is asked to return a passcode to the issuer. Below is a general description of this workflow from the customer viewpoint.

The customer enters card information at checkout. Information about the customer's device is collected and sent from the merchant to the issuing bank.

The customer selects

Buy

The issuing bank assesses risk by comparing the information it receives to information on file from previous transactions with the customer. If the device data does not match the information collected previously, the issuer requests further authentication.

A small window opens on the checkout page where a message from the bank asks if the customer wants to use email or text to receive a one-time password (OTP) from the bank.

The customer chooses how the password is sent.

The issuer sends an OTP to the account on file for the buyer.

A window opens on the checkout page on the customer device prompting the customer to enter the OTP sent by the issuer.

The customer enters the password that was received and sends it back to the issuer.

If the password entered by the customer matches the password sent by the issuer, the customer is authenticated, and the transaction can proceed to authorization. If the password does not match the password that the bank sent, the customer sees a message that the transaction is declined and that another form of payment should be attempted.

Payer Authentication Merchant Workflow

Transaction circumstances might result in differences to the more detailed payer authentication process described below.

Before the

Buy

button is selected at checkout, the Setup service is called. The full card number identifies how to contact the issuing bank. The issuing bank sends an access token and a URL (called the
DCC URL
) to use for the data collected about the device where the transaction is occurring.

The merchant collects data about the device and includes billing and shipping information. The merchant posts this data to a hidden 10 pixel x 10 pixel iframe to send to the DDC URL provided by the card issuer for comparision with past transactions. After the data points are collected and sent, the issuing bank confirms that data collection ended and the

Buy

button is enabled. An 8-10 second delay ensures enough time for data collection.

Clicking

Buy

triggers the Check Enrollment service sending the order data (and session ID) to the issuer. If the bank is not part of an EMV 3-D Secure program, the payer authentication process stops. If the issuing bank is part of an EMV 3-D Secure program, the device data is compared to information on file collected at the bank during previous transactions with the cardholder.

The issuer's risk analysis software determines whether enough data points collected by the merchant match the data in the bank's files. If the data matches well, no further interaction is needed. This is called
frictionless flow
because no challenge to the buyer is necessary. The response returned to the merchant includes a payload with values like the
ECI
,
CAVV
,
DS Transaction Id
, and the
PARes Status
. These values must be passed on during the request for authorization. It is important to note that while frictionless flow can occur because the payer is authenticated, it can also occur for other reasons. For example, the issuing bank does not participate in payer authentication. Therefore, response values must be verified to determine why no step-up is needed.

If a significant discrepancy occurs between the transaction data and the data on file with the bank, the bank requests that the payer authenticate. This is a friction workflow and is called a
step up
or
challenge
. The response from the bank contains the same values returned for a frictionless workflow but also includes additional values like the
Access Control Server (ACS) URL
, the
PAReq
payload, a
Pares Status
= C, a
Step Up URL
, a new
JWT
, and a
Transaction Id
.

The JWT and the step up URL received in the check enrollment response are returned to the customer. Using the step up URL with the JWT as a POST parameter, a challenge screen opens in a viewable iframe on the buyer's device so that the cardholder can view and respond to the bank challenge. The challenge consists of the bank sending a pass code that the customer returns to the bank. The challenge asks how the customer wants to receive a pass code, by text or email. After the customer chooses, they receive a pass code that they must enter into the challenge screen.

After the cardholder enters and sends the passcode, the response is sent to the merchant's return URL contained in the JWT. This response causes the merchant to make a validation call to the bank to obtain the final authentication outcome. The response to this validation request contains the final authentication results including these values: ECI, CAVV (if successful),
DSTransactionId
,
ThreeDSVersion
, and PARes Status (

= successful or

= failed, unavailable, or rejected).

The next action depends on the outcome:

Successful: proceed to authorization, and append the EMV 3-D Secure data points to the authorization message.

Failed, unavailable, or rejected: display a message to prompt the customer to try payment with a different card.

Acquirer Information

To properly configure payer authentication, CybersourceVisa Acceptance Solutions needs three items of information that your acquiring bank uses to manage payments to your account. If you do not know this information, contact your acquiring bank.

Acquiring Merchant ID (MID): This unique identifier for your business account is assigned by your acquiring bank or payment processor. A MID consists of 8-24 alpha-numeric characters. The MID can be different than the business deposit identifier used in settlements.

Acquiring Bank Identification Number (BIN): This unique number is assigned to the acquiring bank by a payment card network to identify that bank when settling transactions. Each payment card assigns its own BIN for an acquiring bank, and the BINs have their own unique characteristics. For example, all Visa BINs start with a 4, Mastercard BINs start with a 2 or 5, and Discover BINs start with a 3 or 6.

Merchant Category Code (MCC): This four-digit numeric value is assigned by the acquirer to the merchant to classify the merchandise or services provided by the business. The MCC indicates the kind of business transaction that the merchant processes.

Enable Merchant Account for EMV 3-D Secure

Partners and merchants use the Business Center to go online and view transaction activity and to generate reports about their transactions. For each partner, an account is created, and a portfolio merchant ID (MID) is assigned. For each of the merchants within the partner's portfolio, an account is also created and assigned a merchant ID (MID). Access to the various functions in the Business Center is managed by the partner through the MID.

When the MID account is created, the various services that the merchant needs must be enabled. Payer authentication is a service that might need to be turned on by support. To set up an accoujava.io.PrintWriter@5398f71c nt for payer authentication, you need this information:

MID

Merchant website URL.

Two-character ISO code for your country.

Merchant category code.

EMV 3-D Secure requestor ID (optional).

EMV 3-D Secure requestor name (optional).

Name of merchant's bank.

Name, address, and email address of bank contact.

For each payment card that you accept, your acquirer must provide you with this information:

Eight-digit BIN number.

Merchant ID assigned by your acquirer.

List of all of the currencies that you can process.

Payer Authentication Configuration Testing

After the payer authentication functionality is enabled for your account and you have installed and configured the software, you must run tests to ensure that payer authentication is working properly. You must ensure that the proper data is being collected and sent to the issuer and that the proper status for a particular circumstance is returned. To ensure that the proper statuses are returned under all possible circumstances, extensive testing is required before you go live with payer authentication.

A sandbox testing environment is provided to resolve any bugs in your system. In this testing environment, you can simulate various transaction scenarios with the types of payment cards that you accept. Test card numbers for the various types of payment cards are provided so that you can run transaction simulations. You can verify that the values generated during the simulations are the correct values that should occur during that transaction scenario.

When your test results are correct, contact customer support and request to go live. When you go live, you will use the production host name to process transactions instead of the test host name that you used when processing transactions in the test environment.

The host name for the testing environment:

POST https://apitest.cybersource.com

The host name for the production environment:

Details about testing your payer authentication configuration are available in the Testing Payer Authentication Services section.

Request Endpoints

When posting a request for payer authentication, you must add an endpoint to each hostname, whether you are using the test environment or the production environment. These endpoints are used with payer authentication.

/risk/v1/authentications

: use when verifying that a card is enrolled in a card authentication program or requesting authentication from the issuer.

/risk/v1/authentication-results

: use when retrieving and validating authentication results from the issuer so that the merchant can process the payment.

/pts/v2/payments

: use when bundling multiple payments together.

For example, a test request might look like this:

POST https://apitest.cybersource.com/risk/v1/authentications

Payer Authentication Integrations

Payer authentication was designed to authenticate buyers during online transactions. During the early growth of internet transactions, e-commerce was conducted only on computers. Mobile phones had limited capabilities. When mobile phones (and tablets) could access the internet, online transactions quickly grew, and now they comprise almost half of all e-commerce transactions. A key part of updating the EMV 3-D Secure protocol from 1.0 to 2.0 was to ensure that payer authentication became available for e-commerce done on mobile devices.

Two types of payer authentication integration are available for merchants:

API for browser authentication from a computer.

SDK for authentication from mobile devices (available for Android and iOS). Contact support to obtain the SDK.

Merchants should integrate payer authentication for online shopping on both types of devices. The next sections in this guide describe how to integrate payer authentication into those shopping experiences.