A Merchant's Guide to Payment Authentication
The key to defeating fraud is simple: you just have to make sure the person at the other end of the transaction is who they say they are. In the online world of e-commerce, this has proven to be easier said than done.
Payment authentication is the last opportunity a merchant has to verify a customer’s identity, but the strongest authentication protocols tend to add complexity to the checkout process. For U.S. merchants, following the minimum legal requirements may not be enough to stop fraud. What is payment authentication, and how can merchants know if their methods are secure enough?
In card-present environments, human intelligence can be used to verify a customer’s identity—merchants can check the photo ID and signature of the person right there in front of them, or better yet, rely on EMV chip technology. In e-commerce, merchants don’t have those options. Payment authentication must be carried out through methods that can be verified by computer intelligence.
The need for secure digital payment authentication has only grown as demand for electronic payments has risen and usage of peer-to-peer “push” payment apps has increased. For many years, passwords have held the line as the primary way to verify identities online, but their vulnerabilities are well known by now, especially to cybercriminals. To be called secure, payment authentication requires more than just a password. That’s why many regions—including nearly all of Europe—have laid out a specific definition of strong payment authentication and made it a legal requirement.
Outside of the EU, merchants may have more flexibility about how complex they want their payment authentication process to be. Adding friction to the checkout process often comes at a cost, but it’s not always easy to strike the right balance between cracking down on fraudsters and providing a seamless, friction-free checkout experience. Fortunately, growing awareness of fraud means that consumers are becoming more accepting of stronger security protocols when shopping online.
How Does Payment Authentication Work?
Authentication is the act of proving that something is real and genuine. Authenticating an electronic payment means proving that the person placing the transaction has the right to access the funds they are trying to spend. In other words, it means verifying that the purchaser is the same person whose name is on the card, not a fraudster. According to the prevailing theory, there are three ways to do this, called factors: knowledge, ownership, and inherence.
The knowledge factor means authentication via something the purchaser knows. Passwords fall under this category, as do PINs and the answers to secret questions such as your paternal grandfather's name or where you went to high school. This factor is sometimes called CHAP: Challenge-Handshake Authentication Protocol.
The ownership factor involves verifying identity through the use of something that only the purchaser would have in their possession. This could be their ID card, their smartphone, or a special electronic fob.
In an e-commerce context, ownership authentication is often achieved by sending a one-time code or password via SMS message to the purchaser’s cell phone number.
The last factor may be the hardest to falsify, but it can also be tricky to implement. The inherence factor relies on verifying the purchaser through their unique personal qualities like their voice, fingerprints, face, or retinas. A related (but not quite inherent) factor is user location—verifying that the purchaser and the account holder are at the same geolocation.
Any one of these factors can be used for authentication, but none of them is completely fraudster-proof on its own. Countries in the European Economic Area are under the revised Payment Services Directive (PSD2), which requires them to engage in “Strong Customer Authentication.” However, many merchants who are not subject to the PSD2, especially those with high rates of fraud and chargebacks, have voluntarily adopted SCA standards to better protect themselves.
What Is Strong Customer Authentication?
Per the PSD2, authentication can be considered “strong” if it relies on two or more of the authentication factors described above. A fraudster might be able to learn your password, the logic goes, or they might be able to steal your smartphone, but the chance that they’ll do both is extremely slim.
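The two mechanics the article has described so far, a one-time code delivered out of band (the ownership factor) and the PSD2 rule that "strong" means two or more distinct factor categories, are shown together below in an added example that is not code from the original article or from any payment provider. It is a self-contained server-side sketch: the OTP is never stored in the clear, comparison is constant-time, and a challenge expires, is single-use, and locks after a few wrong guesses. The method names, the five-minute lifetime and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Mapping of concrete authentication methods to the article's three factor
# categories. The method names are assumptions for this example.
FACTOR_OF_METHOD = {
    "password": "knowledge",
    "pin": "knowledge",
    "security_question": "knowledge",
    "sms_otp": "ownership",
    "hardware_token": "ownership",
    "fingerprint": "inherence",
    "face": "inherence",
}

OTP_TTL_SECONDS = 300      # assumed lifetime of a one-time code
OTP_MAX_ATTEMPTS = 3       # assumed lockout threshold for wrong guesses


@dataclass
class OtpChallenge:
    """Server-side record of an issued one-time code (hash only, never the code)."""
    salt: bytes
    code_hash: bytes
    expires_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode("ascii")).digest()


def issue_otp(now: float, digits: int = 6) -> tuple[str, OtpChallenge]:
    """Generate a random numeric code. The plaintext goes to the customer
    (e.g. by SMS); only the salted hash is kept on the server."""
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    salt = secrets.token_bytes(16)
    challenge = OtpChallenge(salt, _hash_code(salt, code), now + OTP_TTL_SECONDS)
    return code, challenge


def verify_otp(challenge: OtpChallenge, submitted: str, now: float) -> bool:
    """True only for the correct code, within its lifetime, on its first
    successful use, and before the attempt limit is exhausted."""
    if challenge.consumed or now > challenge.expires_at:
        return False
    if challenge.attempts >= OTP_MAX_ATTEMPTS:
        return False
    challenge.attempts += 1
    # Constant-time comparison avoids leaking how many leading digits matched.
    ok = hmac.compare_digest(challenge.code_hash, _hash_code(challenge.salt, submitted))
    if ok:
        challenge.consumed = True
    return ok


def is_strong_customer_authentication(passed_methods: list[str]) -> bool:
    """PSD2 rule as stated in the article: two or more *distinct* factor
    categories. Two knowledge factors (password + PIN) do not count."""
    categories = set()
    for method in passed_methods:
        if method not in FACTOR_OF_METHOD:
            raise ValueError(f"unknown authentication method: {method}")
        categories.add(FACTOR_OF_METHOD[method])
    return len(categories) >= 2


if __name__ == "__main__":
    # Constructed walk-through: password already verified, OTP issued at t=1000.
    code, challenge = issue_otp(now=1000.0)
    passed = ["password"]
    if verify_otp(challenge, code, now=1030.0):
        passed.append("sms_otp")
    print("SCA satisfied:", is_strong_customer_authentication(passed))
```

The design choice worth noting is that the server stores a salted hash of the code rather than the code itself, so a leaked challenge table cannot be replayed, and the attempt counter is incremented before the comparison so a wrong guess always costs the attacker one of the allowed tries.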
Merchants can’t ignore the threat of fraud, but preserving a good experience for your loyal customers is a legitimate concern. The wide reach of the PSD2 produces a side benefit for merchants everywhere by helping to normalize two-factor authentication processes across a vast global market.
How Can Merchants Implement Strong Customer Authentication?
Merchants can implement SCA through the use of various two-factor authentication options, such as one-time passwords sent to an email address or phone number. Outside the realm of card payments, many payment app providers are finding biometrics to be the most secure way to authenticate their users.
This utilizes the inherence factor and usually the ownership factor as well, as fingerprint scanners and face readers are activated by apps linked to the account holder’s device. There are few scenarios in which the typical fraudster can get past this type of protection.
Every merchant wants to make it as easy as possible for their customers to spend to their heart’s content. When unexpected identity verification questions pop out like a troll under a bridge, it can lead customers to second thoughts, doubts, and abandoned carts.
Merchants know their customers best and must determine exactly how much checkout friction they can get away with. However, it is vital for merchants to review their chargeback data and determine exactly how much payment fraud is getting through the gate. With two-factor authentication gaining increased usage and acceptance worldwide, merchants should remain open to new technologies that can make the payments ecosystem safer and more secure.