Why Payer Authentication Is Needed

As e-commerce developed, the number of fraudulent transactions also grew, taking advantage of the difficulty of authenticating a cardholder during a transaction when the card is not present. To create a standard for secure payment card processing, Europay, Mastercard, and Visa collaborated as EMV. Other card providers wanted input on creating new payment standards, so a consortium called EMVCo was formed to enable equal input from Visa, Mastercard, JCB, American Express, China UnionPay, and Discover.
EMVCo developed 3-D Secure as the protocol to provide customer authentication during an online transaction. EMV 3-D Secure reduced chargebacks to merchants: when the buyer was authenticated, liability for any chargeback that occurred shifted to the issuing bank.
The same need to reduce fraud prompted Europe to develop a standard called Strong Customer Authentication (SCA) to regulate authentication during electronic payments. The use of SCA is mandated by the European Banking Authority in the Payment Services Directive (PSD2) that took effect in 2018 to promote and regulate the technical aspects of financial transactions between merchants and their customers in Europe. SCA requires two-factor authentication. A customer must be able to authenticate by providing two of these three factors:
  • Something the customer knows (such as a password, PIN, or challenge questions)
  • Something the customer has (such as a phone or hardware token)
  • Something the customer is (biometric data, such as fingerprint or face recognition)
Although SCA is required for almost all online transactions, some exceptions are allowed. If a payment is considered low risk, you can request an exemption from SCA so that the customer is not authenticated. The issuing bank must approve the exemption before the transaction can be exempted from SCA. Although an exemption from SCA results in a frictionless transaction, liability is not shifted to the issuing bank, and the merchant assumes responsibility for any chargeback that occurs. An exemption from SCA might apply to these types of transactions:
  • Payer authentication is unavailable because of a system outage.
  • Payment cards used specifically for business-to-business transactions are exempt.
  • Payer authentication is performed outside of the authorization workflow.
  • Follow-on installment payments of a fixed amount are exempt after the first transaction.
  • Follow-on recurring payments of a fixed amount are exempt after the first transaction.
  • Fraud levels associated with this type of transaction are considered a low risk.
  • Low transaction value does not warrant SCA.
  • Merchant-initiated transactions (MITs) are follow-on transactions that are also exempt.
  • Stored credentials were authenticated before they were stored, so stored credential transactions are exempt.
  • Trusted merchants registered as trusted beneficiaries are exempt.
For additional information about transactions that are exempt from SCA, see the Payments Developer Guide.
EMV 3-D Secure meets the SCA mandate for authenticating the customer during e-commerce transactions.