What Is Payment Authentication?
Payment authentication is the process of verifying that a payment is legitimate, with the customer confirming their identity as part of the transaction process.
The obvious example of payment authentication in action is the global 3-D Secure (3DS) system, where a cardholder must authenticate themselves with their card issuer when making a transaction. This is a huge and growing industry. According to Fortune Business Insights, the global 3-D Secure pay authentication market had a value of $1.05 billion in 2022. That is expected to grow to $2.81 billion by 2030.
Authenticating a customer at the point of purchase makes life harder for fraudsters, money launderers, and other financial criminals. Authentication can be based on several factors (more on those in a moment), each designed to ensure that only a genuine cardholder can complete the authentication process successfully.
While payment authentication supports financial and data security, it can introduce friction into the customer experience. This is something that businesses need to consider carefully, as it can lead to increased rates of cart abandonment and customer churn.
The Challenge-Handshake Authentication Protocol (CHAP) is often discussed in relation to payment authentication. However, CHAP is a challenge-response protocol for network links and log-ins (it was designed for PPP and is also used by iSCSI): the server sends a random challenge and the client proves it holds a shared secret by returning a hash of that challenge and the secret, so the secret itself never crosses the wire. It authenticates a session, not an individual payment, and it is not used for real-time payment authentication.
How Does Payment Authentication Work?
Payment authentication works by using at least one of the following factors during a transaction to verify that the person making the payment is who they claim to be: something they know (knowledge, such as a PIN), something they have (possession, such as a registered phone), somewhere they are (location), or something they are (inherence, i.e. physical features). Each of these factors works in a different way, and each has its own advantages and failure modes.
Using knowledge as part of payment authentication relies on a piece of information that only the cardholder should possess. This ranges from personal details (such as your mother's maiden name) to passwords and PINs. The idea is that only the right person can authenticate the payment. In practice, "personal details" are the weakest form of this factor: a mother's maiden name or a first pet's name can often be found on social media or in breached data, so a secret the cardholder chose, such as a PIN or password, is the form regulators and card schemes actually count as a knowledge element.
Possession, meanwhile, involves using something that the cardholder has in order to authenticate a payment. This could be a hardware token, a cryptographic key or client certificate, or a registered smartphone running the issuer's app. The CVV number on the back of a card is often described as a possession check, but it offers only weak assurance: it is a static value that is phished or skimmed together with the card number, and under PSD2 the European Banking Authority does not accept card details printed on the card, CVV included, as a valid possession element for Strong Customer Authentication.
An alternative is to use the cardholder's location at the time of the purchase. If the device's GPS or IP geolocation places the computer or mobile used for the payment near the cardholder's registered address or usual transaction locations, that is evidence in favour of the payment being genuine. Location is best treated as a contextual risk signal rather than a stand-alone factor: device location can be spoofed or routed through a VPN, a genuine cardholder may simply be travelling, and PSD2 does not count location as one of the two independent elements required for Strong Customer Authentication.
Finally, payment authentication can use the cardholder’s unique physical features to authenticate a transaction. Biometric verification usually uses voice, fingerprint, retina, or facial recognition to identify the person making the payment.
Payment Authentication Methods
For maximum security, you can use a combination of factors to authenticate payments. Multi-factor authentication requires the cardholder to meet at least two authentication challenges drawn from different categories, usually something they know, something they possess, and an inherent physical feature. The factors must be independent, so that compromising one (for example, stealing a phone) does not automatically compromise the other (a PIN stored on that same phone would not count as a separate factor).
We can break these factors down into detailed authentication methods.
One-time passcodes: These are unique, short-lived codes that the cardholder enters to authenticate their payment. They are most commonly sent via SMS, but can also be generated by an authenticator app or delivered by email. They are easy to use and usually time-limited, and because they are a well-established method of payment authentication they are widely supported by issuers and authentication protocols.
Yet being well-established doesn't mean that they are always the best form of authentication. A network outage or the cardholder being in a blackspot could prevent them from receiving the SMS with the code in time to complete the transaction. There is also a security risk posed by criminals who steal mobile phones or carry out SIM swapping attacks, where the attacker persuades the carrier to move the victim's number to a SIM they control and so receives all of the victim's calls and texts. A code can also simply be phished: a fraudster who has the cardholder on the phone can ask them to read out the SMS they have just received.
The other pitfall of SMS one-time passcodes is that they sit uneasily with PSD2, the European regulation covering electronic payment services. Regulators treat a code sent to a registered phone as evidence of possession of that phone, so the code on its own is a single factor and must be paired with a knowledge or inherence element, and the channel's exposure to SIM swapping and phishing weakens the possession claim. PSD2 also requires that the authentication code be dynamically linked to the specific amount and payee, so that a code obtained for one payment cannot be reused for another.
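The following is an added example, not code from the original article or from SEON, showing how a time-limited one-time passcode is generated and checked on the server side. It implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) constructions, then adds a transaction-bound variant that folds the amount and payee into the code so that a phished code cannot be replayed for a different payment. The binding construction (`transaction_otp`), the verifier class and the demo secret are assumptions made for illustration; the demo secret is the RFC 4226 test-vector key, and a real deployment would provision a random per-user secret at enrolment.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226 test-vector key, NOT a production value.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password over an 8-byte big-endian counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based OTP: HOTP keyed on the current 30-second time step."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def transaction_otp(secret: bytes, at: int, amount_minor: int, payee: str,
                    step: int = 30, digits: int = 6) -> str:
    """OTP bound to one payment (the 'dynamic linking' idea from PSD2).

    Assumed construction for illustration: the amount (in minor units) and payee
    are mixed into the key with HMAC-SHA256 before the normal TOTP derivation,
    so a code captured for one payment does not verify for any other.
    """
    bound_key = hmac.new(secret, f"{amount_minor}:{payee}".encode(), hashlib.sha256).digest()
    return hotp(bound_key, at // step, digits)


class OtpVerifier:
    """Server-side verifier: accepts a code within +/-`window` steps, once only."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        # Codes already consumed, keyed by (time step, amount, payee): replay guard.
        self._used: set = set()

    def verify(self, code: str, at: int, amount_minor: int, payee: str) -> bool:
        now_counter = at // self.step
        for counter in range(now_counter - self.window, now_counter + self.window + 1):
            expected = transaction_otp(self.secret, counter * self.step,
                                       amount_minor, payee, self.step)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, code):
                key = (counter, amount_minor, payee)
                if key in self._used:
                    return False        # replay of an already-used code
                self._used.add(key)
                return True
        return False                    # wrong code, wrong payment, or expired


if __name__ == "__main__":
    now = int(time.time())
    code = transaction_otp(DEMO_SECRET, now, 1999, "shop-123")
    v = OtpVerifier(DEMO_SECRET)
    print("first use:", v.verify(code, now, 1999, "shop-123"))     # True
    print("replay:", v.verify(code, now, 1999, "shop-123"))        # False
    print("other amount:", v.verify(code, now, 5000, "shop-123"))  # False
```

The one-step window tolerates clock skew between the issuer and the cardholder's device without letting an old code live for long; the replay set is what turns a time-limited code into a genuinely one-time code, and it must be shared across all verifier instances (for example in a cache with a TTL of a few steps) rather than kept per process.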
QR code authentication: This works by the customer scanning a QR code using an authenticator app on their smartphone during the transaction. While this is also easy to use, fewer people are familiar with it, which can add friction during the purchase process.
Biometric authentication: This robust and increasingly popular method of authentication scans the user’s fingerprint, retina, or face or uses vocal recognition to verify the individual’s identity. It’s simple, fast, and hard for fraudsters to spoof (though not impossible).
Push notifications: These are another well-established method. It involves sending a notification to the cardholder's device, detailing the transaction, and prompting the individual to confirm the authentication request. Because approval is a single tap, the prompt should show the amount and payee so the cardholder is confirming a specific payment, and issuers should rate-limit repeated prompts: fraudsters who already hold the card details can otherwise bombard the cardholder with requests until one is approved by mistake.
3-D Secure can use several of these methods for authenticating payments. In the current version (3DS2), the merchant passes contextual information (such as device identification, shipping address and transaction history) to the card issuer, which may approve a low-risk payment with no visible challenge at all ("frictionless" flow). Where the issuer judges the risk too high, it challenges the cardholder to verify their identity, for example with a one-time passcode sent by text message, a confirmation in the issuer's banking app, or a fingerprint scan.
What Is the Difference Between Payment Authentication and Authorization?
While payment authentication is concerned with verifying the cardholder’s identity, payment authorization is about ensuring the individual uses a valid payment card and that their account contains sufficient funds for the transaction. Authorization takes place after authentication, meaning that the authorization process cannot occur if authentication fails.
Payment authorization involves communication between the merchant's acquiring bank and the card issuer. The acquirer forwards the authorization request, and the issuer replies with a two-character response code (in ISO 8583 terms, field 39) that the acquirer relays to the merchant before the transaction can proceed; on approval the issuer also returns an authorization (approval) code that is stored with the transaction for later reference.
Different response codes have different meanings: "00" approves the payment, while others decline it (for example "51" for insufficient funds, or "41" and "43" when the card has been reported lost or stolen). An approval places a hold on the funds rather than moving them. The merchant later captures the approved amount, and the resulting settlement is what moves the money from the issuer to the merchant's account via the acquiring bank.
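The following is an added illustration, not code from the original article or from SEON, of the ordering the two sections above describe: a payment may only be authorized after authentication succeeds, the issuer's answer comes back as an ISO 8583 field 39 response code, and a later capture can never exceed the amount the issuer approved. The `IssuerCard` stand-in, the `PaymentFlow` state machine and the sample card data are constructed for this example; the response-code values are the standard ISO 8583 ones.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Subset of ISO 8583 field 39 response codes returned by the issuer.
RESPONSE_CODES = {
    "00": "approved",
    "05": "do not honor",
    "41": "lost card",
    "43": "stolen card",
    "51": "insufficient funds",
    "54": "expired card",
}


@dataclass
class IssuerCard:
    """Constructed stand-in for the issuer's view of a card; not real data."""
    pan_last4: str
    available_minor: int          # available balance in minor units (cents)
    expired: bool = False
    reported: Optional[str] = None  # "lost" or "stolen" once the cardholder reports it


class Stage(Enum):
    NEW = "new"
    AUTHENTICATED = "authenticated"
    AUTHORIZED = "authorized"
    CAPTURED = "captured"
    DECLINED = "declined"


class PaymentFlow:
    """Enforces authenticate -> authorize -> capture for one card payment."""

    def __init__(self, amount_minor: int):
        self.amount_minor = amount_minor
        self.stage = Stage.NEW
        self.response_code: Optional[str] = None
        self.authorized_minor = 0
        self.captured_minor = 0

    def record_authentication(self, sca_passed: bool) -> Stage:
        """Outcome of the 3-D Secure / SCA step; a failure ends the flow here."""
        if self.stage is not Stage.NEW:
            raise RuntimeError("authentication already recorded")
        self.stage = Stage.AUTHENTICATED if sca_passed else Stage.DECLINED
        return self.stage

    def authorize(self, card: IssuerCard) -> str:
        """Mimics the issuer's decision and returns the field 39 response code."""
        if self.stage is not Stage.AUTHENTICATED:
            raise RuntimeError("authorization requested without successful authentication")
        if card.reported == "lost":
            code = "41"
        elif card.reported == "stolen":
            code = "43"
        elif card.expired:
            code = "54"
        elif card.available_minor < self.amount_minor:
            code = "51"
        else:
            code = "00"
        self.response_code = code
        if code == "00":
            card.available_minor -= self.amount_minor   # hold, not yet a transfer
            self.authorized_minor = self.amount_minor
            self.stage = Stage.AUTHORIZED
        else:
            self.stage = Stage.DECLINED
        return code

    def capture(self, amount_minor: Optional[int] = None) -> int:
        """Capture up to the authorized amount for settlement; returns the captured total."""
        if self.stage is not Stage.AUTHORIZED:
            raise RuntimeError("capture requires a prior approval")
        amount = self.authorized_minor if amount_minor is None else amount_minor
        if amount <= 0 or amount > self.authorized_minor:
            raise ValueError("capture amount must be within the authorized hold")
        self.captured_minor = amount
        self.stage = Stage.CAPTURED
        return amount


if __name__ == "__main__":
    card = IssuerCard("4242", available_minor=10_000)   # constructed sample card
    flow = PaymentFlow(amount_minor=2_500)
    flow.record_authentication(sca_passed=True)
    code = flow.authorize(card)
    print(code, RESPONSE_CODES[code], "hold left:", card.available_minor)
    print("captured:", flow.capture(), flow.stage.value)
```

The two `RuntimeError` checks are the security-relevant part: a merchant integration that lets an authorization request through without a recorded authentication result, or that captures more than the approved amount, is exactly what a fraudster probing the checkout will look for.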
With both payment authentication and payment authorization, security is paramount. So is minimizing friction. Too many hurdles could result in the customer abandoning the transaction. Yet, having too few could open the door to fraudsters. It's a fine balance for retailers to strike while also satisfying regulatory requirements around data security, anti-money laundering, and the like.
The Importance of Biometrics in Payment Authentication
We've already mentioned the growing popularity of biometric authentication. There are several reasons for this. The first is that it's more secure than traditional username-and-password authentication: there is nothing for the cardholder to reuse across sites or to type into a phishing page.
That's not to say that biometric authentication is impenetrable (it most certainly isn't), but it is more resistant to phishing and credential stuffing than many other types of authentication, including some possession-based methods such as SMS codes. One caveat worth keeping in mind is that a biometric cannot be changed if a copy of it leaks, which is why the well-designed implementations keep the biometric template on the cardholder's device and send the server only a signed assertion that the check passed.
The other key benefit of biometrics is that it introduces only minimal friction into the purchase process. The cardholder doesn’t have to remember a password or carry an authentication device – they just need themself.
Biometrics have become an important choice for businesses focused on doing all they can to enhance the customer experience while delivering top-notch security and meeting regulatory requirements.
What Are the Key Challenges in Payment Systems?
Payment systems face challenges from multiple directions. Fraudsters pose a clear risk, but so does regulation, which is costly and complicated to comply with. The competitive nature of the payment processing market is a further challenge, as is the lack of cross-border standardization. This means transactions in different countries must comply with varying regulations.
Chief among these risks is fraudsters who are set on finding ever more sophisticated ways to deprive genuine customers and businesses of their funds. Payment systems must continually evolve to keep up with these changing threats, which have increased in complexity as artificial intelligence and machine learning capabilities have expanded.
Fraud-fighting solutions such as SEON are racing to stay one step ahead of these emerging trends, giving merchants the power to defend themselves and their customers.
Regulators are also committed to doing their part, making life harder for money launderers and those financing terrorism. This is resulting in a complex compliance environment, and merchants must therefore commit time and resources to navigate it.
Using Payment Authentication to Fight Payment Fraud
Payment authentication, alongside other measures such as the prevention of account takeovers, has a key role to play in fighting payment fraud. Because cardholders must verify their identity before the transaction gets as far as the authorization stage, merchants can filter out fraudsters by applying Strong Customer Authentication (SCA) measures.
This is why it’s so important for businesses to include payment authentication processes in their overarching payment fraud detection framework. Doing so can help merchants defend against varied forms of payment fraud, including:
- Identity theft and the use of stolen card details
- Refund fraud (or double dipping)
- Bank identification number (BIN) attacks
- Card testing
- Triangulation fraud
- Account takeover
By using the payment authentication methods we’ve discussed above, merchants can equip themselves to stop fraudsters in their tracks.