The EMV® 3-D Secure Specification can be used to prevent unauthorised card-not-present (CNP) transactions and protect merchants and customers from exposure to fraud globally. The European payments community can leverage these features to comply with the Payment Services Directive 2 (PSD2) Strong Customer Authentication (SCA) regulation. In this post, Bastien Latge explains how EMV® Specifications adapt to support regional needs and how localised regulations can drive enhancements that benefit the wider payments industry.
EMV® Specifications are designed to be flexible and can be adapted to meet national payment requirements and accommodate regional regulations. We constantly encourage input through the EMVCo Associates Programme to allow industry participants, including issuers, acquirers, payment networks, merchants, manufacturers, technology providers, and testing laboratories from countries across the world, to offer technical and business insights. Beyond its Associates Programme, EMVCo also engages and collaborates extensively with a multitude of industry bodies and associations. All of this allows us to update and evolve the specifications in line with current needs globally.
The ability of EMV® 3DS to support the payments community in Europe to fully satisfy the SCA requirements as described in the PSD2 regulation is an example of this.
Its European Appeal
EMV® 3DS details a messaging protocol that enables cardholders to authenticate themselves with their card issuer when making CNP e-commerce purchases. ‘3-D’ refers to the three domains involved: the merchant/acquirer domain, the issuer domain, and the interoperability domain (e.g. payment systems).
The additional security layer it provides helps prevent unauthorised CNP transactions and protect the merchant and consumer from exposure to CNP fraud.
EMV® 3DS supports SCA by enabling the use of two-factor authentication. Its flexibility allows issuers to accommodate their authentication preferences: using risk and regulatory factors, issuers decide how the customer will be authenticated, for example with a one-time passcode, knowledge-based questions or biometrics, to list a few.
Listening to the business and technical needs of the European payment community, the latest version of the EMV® 3DS Specification (version 2.2) goes even further and offers enhanced support for specific PSD2 requirements. This includes support for PSD2 exemptions, which allow merchants to communicate to issuers that SCA may not be needed or has already been achieved for that transaction. For example, a merchant may request a low-value exemption from the issuer as part of the authentication process.
The European Banking Authority (EBA) Opinion published on 21 June 2019 recognised that protocols such as EMV® 3DS provide a means for merchants and issuers to support the use of SCA.
A Global Offering
EMVCo doesn’t mandate the use of its specifications or set regulations. Our focus is to work with the payment community to ensure that the EMV® technical specifications are optimised and supportive for their needs. As payments are global, EMVCo also strives to ensure that all specifications can be adopted and used in different marketplaces worldwide. Different regions and actors adopt and implement the features relevant to them.
So, while the focus on the EMV® 3DS Specification in Europe has been more prominent due to the PSD2 SCA requirements, it is a global specification that can support customer authentication in CNP payments across a multitude of different authentication scenarios. The regulation deadline in Europe, however, has driven this work to benefit all and encourage a range of additional features.
For example, EMV® 3DS can authenticate cardholders across all e-commerce channels and connected devices, promoting customer familiarity, convenience and security. This enables merchants to implement a consistent approach across multiple platforms and digital channels for cardholder authentication or account verification regardless of location.
Beyond the specification, EMVCo offers an extensive functional testing programme, with qualified test tools and accredited test laboratories, that confirm EMV® 3DS solutions will perform as defined by the specification and effectively interoperate across different industries. We also specify, provide guidance on, and test the user interface, promoting a consistent user experience and consumer familiarity.
This is vital in a global payment community where authentication practices need to be active across diverse national marketplaces. These tools also give those implementing EMV® 3DS the opportunity to rapidly extend into new regions.
Payment and technology parties are collaborating to ensure EMV® 3DS evolves in line with technical and business needs. Striving to achieve an appropriate balance between security and convenience is crucial, in a bid to offer secure, frictionless payments.
All EMV® Specifications are part of a layered security approach, as we all acknowledge that more than one approach is required to fight fraud effectively. This means that by using the extensive data available, EMV® 3DS can promote frictionless authentications when appropriate.
Other ‘layers’ include security implemented by merchants, system and software development kit (SDK) security evaluations managed by the Payment Card Industry Security Standards Council (PCI SSC) and EMVCo Software Security Evaluation. In addition, the combined use of specifications from other technical bodies is also important. These include the FIDO Alliance, an industry body formed in 2012 to address the lack of interoperability among strong authentication technologies, and W3C, an international community which creates technical standards and guidelines to ensure that the web remains open, accessible, and interoperable for everyone around the globe.
EMVCo, the FIDO Alliance and W3C have created an interest group to join forces and align on a vision for web payment security and interoperability. It provides an opportunity for companies outside the EMV® payment community to increase their understanding of our specifications and provide recommendations for future advancements. Current work is potentially filling gaps between existing technical specifications to increase compatibility among different technologies.
It Has To Be Flexible
Our specifications are continually evolving to meet business, operational and technical requirements. Payment industry input is continual, and happens at a global, regional and local level. The flexibility of the specifications is key to ensuring that adaptability and choice are available to accommodate unique, regional marketplace needs while still achieving worldwide commonality. Interested in joining the conversation? Learn how to participate.