Why Payer Authentication Is Needed

As e-commerce developed, fraudulent transactions also grew, taking advantage of the difficulty authenticating a cardholder during a transaction when the card is not present. To create a standard for secure payment card processing, Europay, Mastercard, and Visa collaborated as EMV. Other card providers wanted input on creating new payment standards, so a consortium called EMVCo was formed to enable equal input from Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.

EMVCo developed 3-D Secure as the protocol to provide customer authentication during an online transaction. EMV 3-D Secure reduced chargebacks to merchants, and when the buyer was authenticated, the issuing bank assumed any liability when a chargeback occurred.

The same need to reduce fraud prompted Europe to develop a standard called Strong Customer Authentication (SCA) to regulate authentication during electronic payment. The use of SCA is mandated by the European Banking Authority in the Payment Services Directive (PSD2) that took effect in 2018 to promote and regulate the technical aspects of financial transactions between merchants and their customers in Europe. SCA requires two-factor authentication. A customer must be able to authenticate by providing two of these three factors:

Something the customer knows (such as a password, PIN, or challenge questions)

Something the customer has (such as a phone or hardware token)

Something the customer is (biometric data, such as fingerprint or face recognition)

Although SCA is required for almost all online transactions, some exceptions are allowed. If a payment is considered low risk, the merchant can request an exemption from SCA to bypass authentication of the customer. The issuing bank must approve of the exemption before the transaction can be exempted from SCA. Although an exemption from SCA results in a frictionless transaction, liability is not shifted to the issuing bank, and the merchant assumes responsibility for any chargeback that occurs. An exemption from SCA might apply to these types of transactions:

Payer authentication is unavailable because of a system outage.

Payment cards used specifically for business-to-business transactions are exempt.

Payer authentication is performed outside of the authorization workflow.

Follow-on installment payments of a fixed amount are exempt after the first transaction.

Follow-on recurring payments of a fixed amount are exempt after the first transaction.

Fraud levels associated with this type of transaction are considered a low risk.

Low transaction value does not warrant SCA.

Merchant-initiated transactions (MITs) are follow-on transactions that are also exempt.

Stored credentials were authenticated before storing, so stored credential transactions are exempt.

Trusted merchants, registered as trusted beneficiaries, are exempt.

For additional information about transactions that are exempt from SCA, see the Payments Guide.

EMV 3-D Secure meets the SCA mandate for authenticating the customer during e-commerce transactions. The first version was called 3-D Secure 1.0 and was designed to authenticate by having the customer enter a static password that they had created to prove that they were the actual cardholder. Although this authentication process was an improvement in reducing fraud, the process had drawbacks:

The authentication process was slow and intrusive.

The cardholder had to remember a password and answer security questions.

Transaction data shared between the merchant and issuing bank was not extensive enough for good risk analysis by the bank.

Authentication for phones and tablets was not available.

Merchants lost sales when impatient customers grew frustrated over the length of time required for transaction approval. They did not trust being redirected to a different webpage to authenticate, and many had trouble remembering their passwords. Shopping cart abandonment caused merchants to lose sales. EMV 3-D Secure 2.0 was developed to address those problems.