All posts

Demystifying payment authentication: A comprehensive guide

Primer Product Team

Payment authentication is a crucial step in the online payment processing lifecycle. Its main objective is to help merchants verify and identify legitimate customers while stopping fraudsters in their tracks.

The role of authentication in the online payment ecosystem has become even more critical over the last five years. That’s because regulations like PSD2 in Europe have mandated that merchants employ authentication when accepting online payments. The growing risk of payment fraud globally has also brought authentication to the attention of merchants in markets where it’s not mandated yet.

Given these two trends, every merchant accepting online payments must understand how payment authentication works to ensure they create a seamless payment experience for customers without compromising payment security or falling foul of regulatory requirements.  

In this blog, we’ll go back to the basics, covering:

  • What is payment authentication, and how does it work?
  • Tools that facilitate payment authentication.
  • Why it’s critical to optimize payment authentication.

What is payment authentication?

Payment authentication is a process that aims to verify that an online transaction is legitimate. It does so by validating that the customer making the transaction is who they say they are and that they aren’t a fraudster using stolen payment credentials.

Payment authentication has become synonymous with Strong Customer Authentication (SCA), which is mandated in Europe as part of the PSD2 legislation. Similar rules apply in Brazil, India, Australia, and Malaysia and will likely arrive in more markets over the coming year.  

While payment authentication is intimately linked with SCA, merchants can use other authentication methods.

We’ll explore all of these later in the article.

How does payment authentication under SCA work?

Authenticating payments following the SCA rules allows merchants to utilize the 3D Secure protocols. This adds another step in the payment flow, challenging the cardholder to verify that they are the authorized account or cardholder by proving legitimacy using two of the following:

  1. Something they own (possession): A device like a cell phone or computer.
  2. Something they are (inherence): An identifying biometric attribute such as a fingerprint scan or facial pattern.
  3. Something they know (knowledge): A PIN, one-time passcode, password, or answer to a security question.
Did you know? Possession, inherence, and knowledge are known as the three authentication factors.

Let’s look at an example of how this works in practice using a fictitious (but legitimate) shopper in Germany called Robert and how and where payment authentication features in his payment journey with a German merchant.

  1. Robert is buying a new shirt from an online store and heads to the checkout to pay.
  2. He enters his credit card and personal details into the payment gateway. But before his transaction is approved, the merchant must authenticate the payment to verify that Robert is the genuine cardholder and not someone fraudulently using stolen card credentials.
  3. Robert’s bank will tell him whether or not he needs to authenticate himself and will typically request him to approve the transaction in his banking application. This method of authentication relies on something Robert owns—his cell phone—and something he is—his fingerprint to log into the application—or knows—a password if that’s how he accesses his banking app.
  4. Robert approves the payment in his banking app, completing the authentication step.  
  5. By mandating an additional verification intrinsically linked to Robert, the merchant is satisfied that he is a genuine shopper and approves the transaction.

How do merchants authenticate a payment beyond SCA?

There are several methods that merchants can use to authenticate payments during the payment flow. Here, we outline the most common authentication methods, how they work, and their advantages and limitations.

Address Verification System

The Address Verification System (AVS) is an authentication method to help merchants identify fraudulent or suspicious activity. AVS checks that the cardholder's billing address matches the address the issuing bank has on file for them.

The merchant receives a response code indicating whether the address matches and can decide whether to approve, decline, or investigate the transaction further before approving it.  

✅ AVS is easy for merchants to implement.

✅ AVS doesn’t interrupt or hold up the checkout process.

❌ Hackers can easily locate a cardholder’s address and use it to get around AVS.

❌ AVS can give false or partial declines, meaning merchants must use an additional authentication method.

❌ AVS is only available in select locations, such as the United States, Canada, and the United Kingdom.

Card Verification Value

Card Verification Value (CVV), also called a CVV number, is the 3-digit number printed on debit and credit cards. Online shoppers are typically required to enter their CVV number at the checkout to prove they physically have the card.  

When a buyer enters the CVV number, it’s the card issuer’s job to verify it. The merchant will receive a CVV response code indicating whether there’s a match or not.

✅ It’s quick and easy for shoppers to enter their CVV number, minimizing payment friction.

✅ CVV can prevent fraudsters from using a stolen card, even if they’ve got the victim’s credit card number and personal details.

✅ CVV numbers can’t be ‘skimmed’ by bad actors tampering with ATMs or payment terminals.

❌ This authentication method doesn’t prevent fraud if a thief physically possesses someone else’s card.

❌ Given the opportunity, a thief can write down a CVV number and use it to make fraudulent transactions later.

Challenge-Handshake Authentication Protocol

The Challenge-Handshake Authentication Protocol (CHAP) requires a user to correctly answer a secret question, for example, the name of their first pet.

With CHAP, the user has previously shared answers to secret questions, so the CHAP server has the correct response stored. This means it can instantly verify the user’s response.

Call out: CHAP generates a different question for each session, helping to keep a user’s password and secret answers protected from fraudsters.

✅ CHAP is periodically implemented during a user’s session to re-authenticate the user.

✅ CHAP helps prevent replay attacks, where a bad actor uses stolen credentials.

❌ CHAP relies on a pre-shared password, which can be compromised and hard to manage.

❌ CHAP doesn’t protect against man-in-the-middle attacks, where a fraudster impersonates a legitimate user.

3D Secure

3DS adds an additional layer to the payment flow, as explored earlier. It works by prompting buyers to confirm their identity through their card issuer. It’s a risk-based authentication method, so transactions are handled differently depending on their level of risk.

At the checkout, shoppers are asked to enter an OTP or authentication message delivered to their registered cell phone or email. This validates legitimate card ownership and gives the transaction the green light.  

✅ 3DS uses one-off codes, making this a secure authentication protocol.

✅ Deploying 3DS provides merchants with liability coverage in case of fraud.

❌ Challenging customers using 3DS can increase checkout abandonment rates if cardholders are unaware of the process or experience a clunky process.

What’s the difference between payment authentication and authorization? As we’ve explored, payment authentication is the process of identifying the legitimacy of a customer. The authentication step is typically managed by a component of the merchant's payment stack, like Primer. On the other hand, payment authorization is handled by the issuing bank, which will decide whether to authorize the payment based on a variety of factors, including the result of the outcome of the authentication process. Sometimes, the issuer may request authentication before it approves the transaction. This is called a soft decline.

Why it’s critical to optimize payment authentication

Having read this article, you’ll hopefully be familiar with the various techniques used to authenticate customers making online transactions. However, this is only scratching the surface.

Authentication is an incredibly complex space, especially since the introduction of SCA. And how you treat the concept of authentication and apply it in your payment flows will significantly impact customer conversion and revenue.

As a result, it pays for merchants to think carefully about the role of authentication in their payment flows and build strategies to ensure compliance and optimize performance to strike a balance between boosting conversion rates and mitigating the risk of fraud.

Take a look at our merchant strategies to optimize 3DS to learn more.

The smartest payment decision you’ve ever made

Connect your favorite payment and commerce services, create beautiful customer journeys and expand into new markets fast.

Head of Payments