The existing hierarchy and emerging dynamism of payments authentication
Verification has its place
Mypinpad has been working with a major European transport operator to enable it to verify that all of its passengers hold valid tickets before travelling. In this system, you pre-buy your train ticket and download it onto the operator’s consumer app, attaching a credit or debit card to your account to complete all ticket purchases.
Then, instead of showing a valid electronic train ticket to a reader at the gate or turnstile, you simply tap the credit or debit card with which you bought that e-ticket. In this way, the operator not only links the tap to the account that bought the valid ticket, but also establishes that the person at the gate holds the payment card which paid for it.
If the valid e-ticket has not been purchased in time, it’s still possible to buy a ticket via the operator’s consumer app at the point of travelling, again using that same pre-verified card attached to the consumer app.
Verification is adequate when you are validating relatively small, recurring and often highly repeatable transactions. I call this ‘1.5 factor’ authentication as the operator or merchant is able to establish that the customer has a valid ticket and also holds the card that paid for it.
Multi Factor ‘Strong Customer Authentication’
Readers will know from their own experience how rapidly ‘2FA’ (two-factor authentication) and ‘MFA’ (multi-factor authentication) have been rolled out as a requirement for accessing bank accounts and other high-value accounts. The idea is not to rely solely on a username and password when logging into sensitive accounts. The ‘factors’ are classified into three kinds: knowledge (something only you know, such as a password or PIN), possession (something only you have, such as a phone, a payment card or a hardware token) and inherence (something you are, such as your face, fingerprint or iris).
Quite simply, the more independent factors involved in an authentication process, the more confident you can be that someone is who they claim to be. So, as part of the necessary increase in digital security in our daily lives, Strong Customer Authentication (SCA) is increasingly demanded.
The EU’s Revised Payment Services Directive (PSD2), whose Strong Customer Authentication rules have applied since September 2019, requires that at least two factors be applied to electronic payments across Europe and the UK. And as of last year, PSD2 was extended to all online card payments within the European Economic Area (EEA). SCA is mandatory whenever both the cardholder’s issuer and the merchant’s acquirer are in the EEA (or, under its retained rules, the UK), so even if your business isn’t based in Europe, you’ll still have to comply with PSD2 if you take payments from European cardholders through a European acquirer or have a presence in the EEA.
As a quick reminder, the specific strategies merchants and card issuers use to authenticate payments today include 3-D Secure (3DS), Address Verification System (AVS) checks and Card Verification Value (CVV) checks, each covered in more detail under the protocol landscape below.
Mistakes are made when factors look independent on the surface but are not in reality. If a person logs into a website on a phone with a username and password, an SMS code sent to that same phone must be treated as weak security in the scenario where an attacker controls that device: both the knowledge factor and the possession factor are then defeated by a single compromise. Furthermore, when implementing security systems, one has to understand when the system is actually authenticating a device rather than the human user.
Factors that are temporary in nature and change frequently (such as a one-time code that is valid for 30 seconds) are inherently stronger than data that is permanent, widely known and stored in many places (such as an address, mother’s maiden name or phone number): a static value, once leaked, can be replayed indefinitely, whereas a short-lived code is useless once its window closes.
Authentication user journey
So, what does the typical authentication journey look like today? You go to your favourite online retailer. You log into your pre-registered account using your email address and PIN or password (proof of knowledge), before the retailer sends a one-time code via SMS. This arrives on your iPhone (proof of possession), you enter it, and you go back to the online basket to check out.
Before the transaction goes through, you are asked to verify your identity through the facial recognition technology on your phone (proof of inherence, i.e. proof that is inherent to you). You oblige and the payment goes through.
Typically, merchants and card schemes don’t use all these strategies, or ask for all three factors to be satisfied in a single transaction. However, they’ll use at least one and, unless the transaction is SCA-exempt (low-value, low-risk or recurring payments, for example), are obliged to combine at least two of the three factors discussed above: knowledge, possession and inherence.
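The two-of-three rule and the independence caveat can be written down as a policy check. The following is an added example for this article, not code from Mypinpad or from any card scheme; the factor names, the device identifiers and the choice to report a shared device or an all-static factor set as warnings rather than outright failures are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows: password, PIN
    POSSESSION = "possession"  # something the customer has: phone, card, token
    INHERENCE = "inherence"    # something the customer is: face, fingerprint, iris


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    device_id: str   # the device the factor was entered on or delivered to
    dynamic: bool    # True for short-lived values such as a 30-second OTP


def evaluate_sca(factors: list[Factor]) -> dict:
    """Check presented factors against the two-of-three rule and report the
    two weaknesses the text warns about: every factor riding on one device
    (control of that device defeats them all) and no short-lived factor."""
    categories = {f.category for f in factors}
    devices = {f.device_id for f in factors}
    warnings = []
    if len(factors) > 1 and len(devices) == 1:
        warnings.append(
            f"all factors bound to one device ({next(iter(devices))}): "
            "control of that device defeats them together")
    if not any(f.dynamic for f in factors):
        warnings.append("no dynamic factor: every element is static, replayable data")
    return {
        "categories": sorted(c.value for c in categories),
        "meets_two_of_three": len(categories) >= 2,
        "warnings": warnings,
    }


# Constructed scenarios; the device ids are made up for the example.
PASSWORD_ON_PHONE = Factor("password", Category.KNOWLEDGE, "phone-1", dynamic=False)
PASSWORD_ON_LAPTOP = Factor("password", Category.KNOWLEDGE, "laptop-1", dynamic=False)
SMS_OTP_TO_PHONE = Factor("sms-otp", Category.POSSESSION, "phone-1", dynamic=True)
FACE_ON_PHONE = Factor("face-id", Category.INHERENCE, "phone-1", dynamic=False)
MAIDEN_NAME = Factor("mother's maiden name", Category.KNOWLEDGE, "phone-1", dynamic=False)

# The journey in the text, with the login and the SMS on the same phone
SAME_PHONE = evaluate_sca([PASSWORD_ON_PHONE, SMS_OTP_TO_PHONE])
# The same factors, but the login happens on a laptop
SEPARATE_DEVICES = evaluate_sca([PASSWORD_ON_LAPTOP, SMS_OTP_TO_PHONE])
# Two pieces of knowledge are still one factor
KNOWLEDGE_ONLY = evaluate_sca([PASSWORD_ON_PHONE, MAIDEN_NAME])
# All three categories on one phone: meets the rule, but the phone is a single point of failure
ALL_ON_PHONE = evaluate_sca([PASSWORD_ON_PHONE, SMS_OTP_TO_PHONE, FACE_ON_PHONE])

if __name__ == "__main__":
    for name, result in [("same phone", SAME_PHONE), ("separate devices", SEPARATE_DEVICES),
                         ("knowledge only", KNOWLEDGE_ONLY), ("all on phone", ALL_ON_PHONE)]:
        print(name, result)
```

The point of the warnings is that "two categories" and "two independent factors" are different questions: the first is what a checklist asks, the second is what an attacker holding the phone actually has to beat.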
Protocol landscape
Let’s unpack some of 2024’s most widely used payment authentication protocols in a little more detail. They are 3-D Secure (3DS), Address Verification System (AVS), and Card Verification Value (CVV).
3DS
3DS, or 3-D Secure, is a payment authentication protocol originally developed by Visa (Verified by Visa) and adopted by Mastercard (Mastercard SecureCode); the current version, EMV 3-D Secure (3DS2), is maintained by EMVCo and branded as Visa Secure and Mastercard Identity Check. It’s the most common way of performing SCA on card-not-present payments: the merchant passes transaction and device data to the cardholder’s issuer, which either authenticates silently on the strength of that data (the ‘frictionless’ flow) or steps the cardholder up to a challenge such as a one-time code or an approval in the banking app, and a successful authentication shifts fraud chargeback liability from the merchant to the issuer. So, it’s a way of complying with PSD2 regulations and verifying your customers in a way that reduces both fraud and friction simultaneously.
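The frictionless-or-challenge decision described above is carried in the 3DS2 messages themselves. The following simulation of that exchange is an added example written for this article, not code from EMVCo, Visa, Mastercard or Mypinpad. The message types (AReq, ARes, CReq, CRes) and field names are those of EMV 3DS2, but the Directory Server, message signing and the real risk engine are left out; the ACS risk rule (amount under a threshold and a browser IP seen before), the IP addresses and threshold, and the function that hands the one-time code to the cardholder are all assumptions standing in for the out-of-band channel.

```python
import hmac
import secrets
import uuid


class AccessControlServer:
    """The issuer's ACS. Answers the AReq with a frictionless result or a
    challenge, and verifies the challenge answer. The risk rule is a
    deliberate stand-in: a real ACS scores many device and history signals."""

    ECI_AUTHENTICATED = "05"      # Visa ECI values; Mastercard uses 02 / 00
    ECI_NOT_AUTHENTICATED = "07"

    def __init__(self, known_ips: set[str], challenge_above_minor: int):
        self.known_ips = known_ips
        self.challenge_above_minor = challenge_above_minor   # minor units (pence)
        self.pending = {}   # acsTransID -> (threeDSServerTransID, expected OTP)

    def handle_areq(self, areq: dict) -> dict:
        acs_trans_id = str(uuid.uuid4())
        ares = {"messageType": "ARes", "messageVersion": areq["messageVersion"],
                "threeDSServerTransID": areq["threeDSServerTransID"],
                "acsTransID": acs_trans_id}
        low_risk = (int(areq["purchaseAmount"]) <= self.challenge_above_minor
                    and areq.get("browserIP") in self.known_ips)
        if low_risk:
            ares.update(self._result("Y"))           # frictionless: no cardholder interaction
        else:
            otp = f"{secrets.randbelow(10**6):06d}"  # sent to the cardholder out of band
            self.pending[acs_trans_id] = (areq["threeDSServerTransID"], otp)
            ares.update({"transStatus": "C", "acsChallengeMandated": "Y"})
        return ares

    def deliver_otp(self, acs_trans_id: str) -> str:
        """Stands in for the SMS or app push that carries the code to the cardholder."""
        return self.pending[acs_trans_id][1]

    def handle_creq(self, creq: dict) -> dict:
        server_trans_id, expected = self.pending.pop(creq["acsTransID"])
        ok = hmac.compare_digest(creq["challengeDataEntry"], expected)
        cres = {"messageType": "CRes", "threeDSServerTransID": server_trans_id,
                "acsTransID": creq["acsTransID"], "challengeCompletionInd": "Y"}
        cres.update(self._result("Y" if ok else "N"))
        return cres

    def _result(self, trans_status: str) -> dict:
        if trans_status == "Y":
            return {"transStatus": "Y", "eci": self.ECI_AUTHENTICATED,
                    "authenticationValue": secrets.token_urlsafe(20)}  # CAVV/AAV stand-in
        return {"transStatus": trans_status, "eci": self.ECI_NOT_AUTHENTICATED}


def three_ds_authenticate(acs, pan, amount_minor, browser_ip, cardholder_reads_otp) -> dict:
    """The merchant's 3DS Server side. Returns the final message whose transStatus,
    eci and authenticationValue the merchant forwards in the authorisation."""
    areq = {"messageType": "AReq", "messageVersion": "2.2.0",
            "threeDSServerTransID": str(uuid.uuid4()),
            "messageCategory": "01",            # payment authentication
            "deviceChannel": "02",              # browser-based
            "acctNumber": pan, "purchaseAmount": str(amount_minor),
            "purchaseCurrency": "826",          # GBP
            "browserIP": browser_ip}
    ares = acs.handle_areq(areq)
    if ares["transStatus"] != "C":
        return ares                              # Y (frictionless) or N/U/R, no challenge
    creq = {"messageType": "CReq", "messageVersion": "2.2.0",
            "threeDSServerTransID": areq["threeDSServerTransID"],
            "acsTransID": ares["acsTransID"],
            "challengeDataEntry": cardholder_reads_otp(ares["acsTransID"])}
    return acs.handle_creq(creq)


# Constructed data: Visa's public test PAN, made-up IPs and a £30.00 challenge threshold.
TEST_PAN = "4111111111111111"
ACS = AccessControlServer(known_ips={"203.0.113.7"}, challenge_above_minor=3000)

def frictionless():
    return three_ds_authenticate(ACS, TEST_PAN, 1999, "203.0.113.7", ACS.deliver_otp)

def challenged_and_passed():
    return three_ds_authenticate(ACS, TEST_PAN, 25000, "198.51.100.9", ACS.deliver_otp)

def challenged_and_failed():
    return three_ds_authenticate(ACS, TEST_PAN, 25000, "198.51.100.9", lambda _: "xxxxxx")
```

Two things to take from the flow: the merchant never sees the one-time code or how the ACS decided, it only gets back transStatus, eci and the authentication value to include in the authorisation; and a transStatus of "N" from the challenge is a different outcome from a frictionless "Y", so the authorisation logic must branch on the status, not merely on whether 3DS "ran".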
AVS
AVS stands for ‘Address Verification System’. It’s a form of payment authentication that verifies whether the billing address the cardholder provided matches the address the card issuer holds on record for that cardholder.
When you perform an AVS check, you essentially compare the numeric portion of the billing address (the house or building number and the digits of the post or zip code) that the customer entered when attempting to make a purchase with the address associated with that card account.
The AVS check then generates a result code, indicating either an exact match, a partial match (for example, the postcode matches but the house number does not), or no match at all (an AVS mismatch). Based on the outcome, you can either pass the transaction as legitimate, or request further authentication from your customer.
AVS is a basic tool in fraud prevention and is not foolproof. AVS checks only verify the numeric portion of the address, not the postal town or street name, so ‘12 Oak Road’ and ‘12 Elm Road’ with the same postcode both produce a full match. What’s more, AVS is only available when the cardholder’s address is in the US, the UK or Canada. So, it’s not as effective a fraud detection tool if you do a lot of your business overseas.
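The digit-only comparison and its blind spots are easiest to see in code. This is an added example written for this article, not the logic of any acquirer or processor; the result letters (Y/A/Z/N/G) follow the common Visa-style US set, which varies by acquirer, and the UK address, postcodes and the merchant rule set are constructed for illustration.

```python
import re

AVS_COUNTRIES = {"US", "GB", "CA"}   # the only issuer markets where AVS data is generally available


def numeric_part(text: str) -> str:
    """AVS compares digits only, so '12 Oak Road' and 'SW1A 2AA' both reduce to '12'."""
    return re.sub(r"\D", "", text)


def avs_check(entered: dict, on_file: dict) -> str:
    """Compare the digits of the entered billing address with the issuer's record
    and return a result letter. Mapping assumed for the example: Y full match,
    A address digits only, Z postcode only, N no match, G non-AVS country."""
    if on_file["country"] not in AVS_COUNTRIES:
        return "G"                                   # no verification possible
    street = numeric_part(entered["street"]), numeric_part(on_file["street"])
    post = numeric_part(entered["postcode"]), numeric_part(on_file["postcode"])
    street_ok = street[0] != "" and street[0] == street[1]
    post_ok = post[0] != "" and post[0] == post[1]
    if street_ok and post_ok:
        return "Y"
    if street_ok:
        return "A"
    if post_ok:
        return "Z"
    return "N"


def merchant_decision(avs_result: str) -> str:
    """AVS is a signal, not a verdict: a partial or unavailable result is
    escalated to further authentication rather than declined outright."""
    if avs_result == "Y":
        return "accept"
    if avs_result == "N":
        return "decline"
    return "step-up"   # A, Z or G: ask the customer for another factor


# Constructed cardholder record (a UK address) and several checkout attempts.
ON_FILE = {"street": "12 Oak Road", "postcode": "SW1A 2AA", "country": "GB"}
EXACT = avs_check({"street": "12 Oak Road", "postcode": "SW1A 2AA"}, ON_FILE)
# Different street, same house number and postcode digits: still a full match
WRONG_STREET_SAME_DIGITS = avs_check({"street": "12 Elm Road", "postcode": "SW1A 2AA"}, ON_FILE)
WRONG_NUMBER = avs_check({"street": "47 Oak Road", "postcode": "SW1A 2AA"}, ON_FILE)
WRONG_POSTCODE = avs_check({"street": "12 Oak Road", "postcode": "N1 9GU"}, ON_FILE)
OVERSEAS = avs_check({"street": "12 Oak Road", "postcode": "SW1A 2AA"}, dict(ON_FILE, country="DE"))

if __name__ == "__main__":
    for label, code in [("exact", EXACT), ("wrong street", WRONG_STREET_SAME_DIGITS),
                        ("wrong number", WRONG_NUMBER), ("wrong postcode", WRONG_POSTCODE),
                        ("overseas", OVERSEAS)]:
        print(f"{label}: {code} -> {merchant_decision(code)}")
```

The WRONG_STREET_SAME_DIGITS case is the one to remember: a fraudster who knows the house number and the postcode digits of a stolen card's billing address passes AVS in full, which is why it belongs alongside, not instead of, a possession or inherence check.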
CVV
CVV stands for ‘Card Verification Value’. CVV is a form of payment authentication that helps verify a transaction’s legitimacy by checking the three- or four-digit security code printed on the back of most credit and debit cards (including Mastercard, Visa, and Discover), or on the front of American Express cards. Strictly, the printed code is the CVV2 (Mastercard calls it CVC2); the CVV proper is encoded on the magnetic stripe and never printed, but ‘CVV’ is used for the printed code almost everywhere.
CVV checks are particularly important in card-not-present transactions, where – unlike with card-present transactions, such as those made in store – it’s harder to verify that the person making the payment actually has access to the card.
Similarly to AVS checks, asking your customer for the CVV code on their card when they come to make a purchase allows the card issuer to check the code they’ve provided against the value it expects for that card. The issuer does not look the code up in a customer record: it recomputes it from the card number and expiry date under a secret card verification key, which is also why the merchant must never store the CVV after authorisation (PCI DSS forbids retaining it, even encrypted). If there’s a mismatch, it could indicate potential fraud, although the CVV response code provided will give you more information as to the underlying reasons behind the check’s outcome.
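The issuer-side recomputation, and the merchant-side rule that the code is forwarded but never kept, look like this. This is an added example written for this article, not Visa’s or Mastercard’s CVV algorithm and not code from Mypinpad: the real scheme derives the code with DES under a pair of card verification keys, and the HMAC-SHA256 stand-in here is an assumption chosen to keep the example to the standard library. The key, the order identifiers and the expiry date are constructed; the PAN is Visa’s public test number; the result letters M, N and P are the common CVV2 response values.

```python
import hashlib
import hmac


def decimalise(hexdigest: str) -> str:
    """Two-pass decimalisation in the style the card schemes use: take the
    decimal digits first, then map a-f to 0-5, and read from the front."""
    digits = [c for c in hexdigest if c.isdigit()]
    digits += [str(int(c, 16) - 10) for c in hexdigest if c in "abcdef"]
    return "".join(digits)


class Issuer:
    """Issuer-side CVV2 handling. Nothing is stored per card: the code is
    derived from card data under a secret card verification key (CVK) and
    recomputed at authorisation time."""

    SERVICE_CODE_CVV2 = "000"   # the printed code is computed with service code 000

    def __init__(self, cvk: bytes):
        self._cvk = cvk          # in production this key lives in an HSM

    def derive_cvv2(self, pan: str, expiry_yymm: str) -> str:
        # Assumption: HMAC-SHA256 stands in for the DES-based scheme algorithm.
        data = f"{pan}{expiry_yymm}{self.SERVICE_CODE_CVV2}".encode()
        mac = hmac.new(self._cvk, data, hashlib.sha256).hexdigest()
        return decimalise(mac)[:3]

    def verify_cvv2(self, pan: str, expiry_yymm: str, presented) -> str:
        """Return the CVV2 result code carried in the authorisation response."""
        if presented is None:
            return "P"   # not processed: no code was supplied
        if not (presented.isdigit() and len(presented) == 3):
            return "N"
        expected = self.derive_cvv2(pan, expiry_yymm)
        return "M" if hmac.compare_digest(expected, presented) else "N"


def merchant_authorise(issuer: Issuer, order_id: str, pan: str, expiry_yymm: str, cvv_from_form) -> dict:
    """Forward the CVV in the authorisation, then persist an order record that
    does not contain it: PCI DSS forbids storing the code after authorisation."""
    result = issuer.verify_cvv2(pan, expiry_yymm, cvv_from_form)
    record = {"order_id": order_id, "pan_last4": pan[-4:],
              "expiry": expiry_yymm, "cvv_result": result}
    return record


# Constructed data: Visa's public test PAN and a made-up CVK.
ISSUER = Issuer(cvk=b"example-cvk-not-a-real-key")
TEST_PAN, TEST_EXPIRY = "4111111111111111", "2912"
GENUINE_CODE = ISSUER.derive_cvv2(TEST_PAN, TEST_EXPIRY)   # what would be printed on the card

if __name__ == "__main__":
    print("printed code:", GENUINE_CODE)
    print(merchant_authorise(ISSUER, "order-1", TEST_PAN, TEST_EXPIRY, GENUINE_CODE))
    print(merchant_authorise(ISSUER, "order-2", TEST_PAN, TEST_EXPIRY, None))
```

Because the code is a function of the card data and a key only the issuer holds, a database breach at the issuer does not leak CVV2s, and a breach at a merchant only leaks them if the merchant broke the rule and stored them.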
Step-up Authentication
However, what is interesting about the way authentication is evolving is the increasing dynamism of authentication systems that we are now configuring for some of our major customers.
Step-up Authentication (SA) is a proven way to strike a balance between security and friction. It lets users access some resources with one set of credentials but prompts them for more (normally a third authentication factor) when their personal transaction ‘behaviour’ norms are breached.
So, in most cases, where the transaction size is in the ‘normal range’ and the transaction is completed from a smart device located in the country it is normally in, two-factor authentication (2FA) suffices. However, a request to wire several thousand dollars to a bank account in North Africa from a device located in a country you are not normally in might trigger Step-up Authentication, resulting in a request for another factor to prove that you are who you say you are and that your phone hasn’t been stolen or compromised. That may be one of the ‘proof of inherence’ factors above, such as a facial, iris or fingerprint scan, or secure PIN entry.
We are seeing increasing demand for SA deployments that dynamically adjust authentication levels according to the degree of risk associated with specific transactions. It’s a relatively new development which makes sense in a world where device theft combined with digital identity theft is sadly becoming more commonplace, while transaction history analysis can be run ‘on the fly’ using AI to spot potential transaction anomalies and increase authentication requirements dynamically to combat the increased risk associated with those anomalous transactions.
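The behaviour-norm rules in the step-up passage can be made concrete as a small risk engine that chooses the authentication level per transaction. This is an added example written for this article, not Mypinpad’s product logic or any bank’s model: the signal names, their weights, the step-up threshold, the ‘five times the median recent amount’ outlier heuristic and the customer profile are all constructed for illustration, and a production engine would draw on far more history than this.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Profile:
    """What the bank knows about a customer's normal behaviour (constructed)."""
    usual_country: str
    usual_device: str
    recent_amounts: list[float]
    payee_countries: set[str]


@dataclass
class Transfer:
    amount: float
    device_id: str
    device_country: str
    payee_country: str


# Assumed weights: a device the bank has never seen, or an abnormal amount,
# is each enough on its own to step up; location signals need company.
WEIGHTS = {"new_device": 2, "device_abroad": 1, "new_payee_country": 1, "amount_outlier": 2}
STEP_UP_AT = 2


def risk_signals(profile: Profile, tx: Transfer) -> list[str]:
    """Which of the customer's behaviour norms this transfer breaches."""
    signals = []
    if tx.device_id != profile.usual_device:
        signals.append("new_device")
    if tx.device_country != profile.usual_country:
        signals.append("device_abroad")
    if tx.payee_country not in profile.payee_countries:
        signals.append("new_payee_country")
    # Heuristic (assumption): more than five times the customer's median recent amount
    if profile.recent_amounts and tx.amount > 5 * median(profile.recent_amounts):
        signals.append("amount_outlier")
    return signals


def required_authentication(profile: Profile, tx: Transfer) -> dict:
    """Decide between plain 2FA and step-up with a third factor."""
    signals = risk_signals(profile, tx)
    score = sum(WEIGHTS[s] for s in signals)
    base = ["password", "possession of registered device"]
    if score < STEP_UP_AT:
        return {"level": "2FA", "score": score, "signals": signals, "factors": base}
    return {"level": "step-up", "score": score, "signals": signals,
            "factors": base + ["inherence (face, iris or fingerprint) or PIN on a secure keypad"]}


# Constructed profile: a UK customer who pays UK payees a few tens of pounds at a time.
ALICE = Profile("GB", "phone-1", [20.0, 45.0, 30.0, 60.0, 25.0], {"GB"})

ROUTINE = required_authentication(ALICE, Transfer(40.0, "phone-1", "GB", "GB"))
# The scenario in the text: thousands to a North African account from a device abroad
ANOMALOUS = required_authentication(ALICE, Transfer(4000.0, "phone-1", "ES", "MA"))
# Everything normal except the device: the stolen-or-cloned-phone case
NEW_DEVICE_AT_HOME = required_authentication(ALICE, Transfer(40.0, "phone-9", "GB", "GB"))
# Abroad but paying a usual payee a usual amount: one weak signal, no step-up
HOLIDAY_SPEND = required_authentication(ALICE, Transfer(35.0, "phone-1", "FR", "GB"))

if __name__ == "__main__":
    for label, r in [("routine", ROUTINE), ("anomalous", ANOMALOUS),
                     ("new device", NEW_DEVICE_AT_HOME), ("holiday", HOLIDAY_SPEND)]:
        print(f"{label}: {r['level']} (score {r['score']}, signals {r['signals']})")
```

The engine only ever raises the requirement, never lowers it below the two factors the rest of the article assumes; the dynamism is in which transactions pay the friction of a third factor.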