EMVCo has updated the EMV® 3-D Secure (EMV 3DS) White Paper to help banks, solution providers and merchants optimise the EMV 3DS payment authentication experience. In this post, Tabitha Odom, Chair of the EMVCo 3DS Working Group, explores what’s new.
The EMV 3DS White Paper – available in both an interactive online format and as a PDF – provides industry participants with an accessible, easy-to-use resource that aims to promote a better understanding of the EMV 3DS Specifications.
The White Paper examines the business value, technical elements, user experience considerations, and example use cases associated with key EMV 3DS features. EMVCo agreed with its Associates on a phased release of the White Paper. For the first version, priority was given to the Frictionless Flow, out-of-band (OOB) authentication, and recurring and instalment transactions.
As part of the second phase, the White Paper now covers additional topics, such as the Challenge Flow, including insight into WebAuthn, Secure Payment Confirmation (SPC) and Decoupled Authentication. Dedicated guidance on the role that 3DS message extensions and the Split-SDK play in supporting more flexible deployments has also been added.
Here is a breakdown of each new update:
Challenge Flow
There are two primary 3DS flows – the Frictionless Flow and the Challenge Flow.
The Frictionless Flow enables issuers to accept transactions without challenging cardholders. This is achieved through a real-time risk assessment, promoting a seamless shopping experience for both cardholders and merchants.
However, if a transaction is deemed high-risk by the issuer or needs confirmation by the cardholder, the Challenge Flow is triggered. This requires the cardholder to provide additional information directly to the issuer for the transaction to take place. This may involve entering a one-time passcode sent to their mobile device, or validating the transaction using their mobile banking application (known as OOB authentication).
This extra layer of authentication within the Challenge Flow increases security and helps to reduce fraud, promoting consumer confidence. For merchants, the challenge process provides valuable information on transaction patterns – as well as consumer and issuer behaviour – to improve fraud prevention strategies and balance security and user experience considerations according to their specific risk profile. In some regions, the Challenge Flow also supports compliance with Strong Customer Authentication requirements for online payments.
WebAuthn, SPC and Decoupled Authentication
The Challenge Flow is flexible enough to support various authentication methods to suit different issuer preferences and marketplace requirements. In addition to OOB authentication, the updated White Paper now explores WebAuthn, SPC and Decoupled Authentication:
- WebAuthn and SPC – SPC is a web standard published by the World Wide Web Consortium (W3C) that is built on WebAuthn to support streamlined authentication. Both FIDO-based WebAuthn and SPC can be used within the Challenge Flow to better determine the legitimacy of a transaction and so reduce the risk of fraud.
- Decoupled Authentication – Decoupled Authentication is a 3DS feature that enables the authentication process to be performed separately from the payment transaction flow. This offers an alternative authentication method when the primary authentication method is unavailable, not possible, or fails. It also enables merchant-initiated authentication when the cardholder is not present, such as for some mail order/telephone order (MOTO) transactions and subscription payments.
3DS message extensions
EMV 3DS technology enables the exchange of data – or messages – between the merchant and the issuer to authenticate the cardholder and approve the transaction. While the EMV 3DS Protocol and Core Functions Specification defines over a hundred data elements to enable this authentication, some emerging use cases and requirements cannot be supported by these data elements alone.
This is where 3DS message extensions play an important role by enhancing the exchange of data, without requiring a new specification version. As a result, new demands can be addressed more quickly and efficiently.
Message extensions can be defined to provide more information about a transaction to meet specific industry use cases or regulatory requirements. They can also add new functionality to the 3DS ecosystem, or improve a previous specification version.
To date, EMVCo has defined five 3DS message extensions:
- Device Acknowledgement Message Extension
- Bridging Message Extension
- Attribute Verification Message Extension
- Travel Industry Message Extension
- Payment Token Message Extension
Split-SDK
At a high level, the Split-SDK is an alternative architectural approach to the Default-SDK that divides functions between a client-side component and a server-side component.
This approach has various benefits. It streamlines development and maintenance, as most SDK updates such as bug fixes can be made on the server side. This reduces the need to push application updates to consumer devices – making it an ideal choice for merchants with large-scale mobile application deployments.
The Split-SDK architecture is also flexible enough to support various implementation options that simplify its use and promote a consistent user experience across e-commerce channels and platforms, including smart speakers and other Internet of Things (IoT) devices. Merchants and businesses can also leverage this flexibility to reach new marketplaces and engage with customers in innovative ways.
Enhancing EMV 3DS
The development of resources such as the EMV 3DS White Paper is part of a wider programme to enhance and simplify the EMV 3DS Specifications and supporting documentation, making them easier for stakeholders to access and consume.
EMVCo is also committed to extensive, ongoing engagement with Associates, Subscribers, industry partners and the wider payments ecosystem to evolve the EMV 3DS Specifications and supporting testing infrastructure.