Finance glossary

What is payment authentication?

Bristol James

Payment authentication is the process of verifying the identity of a customer before an online payment can proceed. This ensures that the person who wants to make a payment is the legitimate cardholder and not a fraudster.

Banks, merchants and payment service providers rely on five core factors to authenticate payments:

  1. Something the cardholder knows (knowledge).
  2. Something the cardholder has (possession).
  3. Something the cardholder is (inherence).
  4. Somewhere the cardholder is (location).
  5. Something the cardholder does (behaviour).

In the process, payment authentication factors help businesses avoid several types of online payment fraud. These include identity theft, chargeback fraud, card testing, marketplace fraud and refunds to an alternative payment method.

How does payment authentication work?

Let’s return to the five core factors above to explain how payment authentication works in practice.

Customers will be asked to verify their details for at least one of the payment authentication factors, with tools such as multi-factor authentication requiring two factors.

1 – Knowledge

The most common type of authentication relies on something the customer knows and that they alone should possess. Examples include account passwords, PINs and the answers to security questions.

2 – Possession

Possession-based authentication involves verifying that the customer has access to an object, device, key, certificate, token or signature.

Payments made with a physical credit or debit card require the user to know the card number, expiration date and CVV code. Other providers may ask the customer to confirm a one-time password (OTP) via phone or email.

3 – Inherence

Inherence verification is one of the most sophisticated of the authentication types and relies on biometric data to verify the customer.

Services such as Apple Pay and Google Pay use facial recognition and fingerprints as part of their authentication process. Australia Post’s Digital iD app also uses facial biometrics to verify customers with a range of partner organisations.

Inherence is a popular form of authentication, with Deloitte reporting in 2019 that Australians were already making an estimated 100 million imprints a day using smartphone fingerprint scanners.

4 – Location

Location-based authentication takes the geographic location of the customer into account. This process is mostly supplemental and provides an extra layer of security in specific contexts such as mobile banking and eCommerce.

When a customer initiates a smartphone payment, for example, the payment provider can track their location via GPS, WiFi or cellular data. If the location of the buyer is considered high-risk or not where they typically make payments, additional authentication may be required.

Location-based authentication may be one way to combat card-not-present (CNP) fraud, which was responsible for $608 million in unauthorised transactions on Australian cards in FY23.

5 – Behaviour

Behavioural authentication verifies a customer’s identity based on their unique behaviour patterns.

Behaviour-based factors are less prevalent than the more traditional authentication types, but they hold tremendous potential: machine learning algorithms can analyse hundreds or even thousands of parameters of human behaviour and detect anomalies.

To that end, behavioural authentication leverages various aspects of a user’s interactions with their device. Some solutions measure the press size and pressure of touchscreen behaviour as well as the speed and scroll patterns of mouse activity.

Other more well-known applications include algorithms that analyse historical spending behaviour to better identify abnormal payments.

Figure: Some of the numerous ways human-device interactions can be analysed in behavioural biometrics (Source: BioCatch)

Payment authentication tools

Various protocols and features authenticate payments and protect businesses and consumers alike. Many have been developed or refined in response to the increased prevalence and sophistication of payment fraud techniques.

3D Secure 2

3D Secure 2 (3DS2) is a payment authentication protocol used by Visa (Visa Secure), Mastercard (Identity Check) and American Express (SafeKey) to combat fraud and chargebacks.

The protocol helps providers comply with Strong Customer Authentication (SCA) requirements, which are outlined in the European Union’s Revised Payment Services Directive (PSD2).

SCA mandates the use of multi-factor authentication for certain types of electronic payments. To that end, the 3DS2 protocol must verify at least two of the three authentication factors: knowledge, possession and inherence.

3DS2 is the most common authentication method in Europe, and though its use is not legislated in Australia, many banks and other companies that deal with cross-border transactions have adopted it.
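The two-of-three rule, together with the location check described earlier, can be sketched as follows. This is an added example, not code from 3DS2 or any provider; the credential names, the `evaluate` function and the country codes are assumptions made for illustration. It shows that two credentials from the same category (a password plus a security question) do not satisfy SCA, and that location acts only as a supplemental signal.

```python
from dataclasses import dataclass

# Only these three categories count toward SCA; location and behaviour are
# treated as supplemental risk signals, following the page's taxonomy.
SCA_CATEGORIES = {"knowledge", "possession", "inherence"}

# Constructed mapping of credential types to factor categories.
CREDENTIAL_CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "sms_otp": "possession", "device_key": "possession",
    "fingerprint": "inherence", "face": "inherence",
    "gps_location": "location", "spending_pattern": "behaviour",
}

@dataclass(frozen=True)
class Decision:
    sca_satisfied: bool
    action: str   # "approve" or "step_up"
    reason: str

def evaluate(verified, country, usual_countries):
    """Decide on a payment given the credentials already verified."""
    unknown = [c for c in verified if c not in CREDENTIAL_CATEGORY]
    if unknown:
        raise ValueError(f"unknown credential type(s): {unknown}")
    # Collapse credentials to categories: two secrets are still one category.
    proven = {CREDENTIAL_CATEGORY[c] for c in verified} & SCA_CATEGORIES
    if len(proven) < 2:
        missing = ", ".join(sorted(SCA_CATEGORIES - proven))
        return Decision(False, "step_up", f"need a factor from: {missing}")
    # SCA is met, but an unusual location can still trigger a further check.
    if country not in usual_countries:
        return Decision(True, "step_up", f"unusual location: {country}")
    return Decision(True, "approve", "two independent categories verified")

if __name__ == "__main__":
    print(evaluate(["password", "security_question"], "AU", {"AU"}))
    print(evaluate(["password", "fingerprint"], "AU", {"AU"}))
```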

Address Verification System (AVS)

The Address Verification System is another payment authentication method with a particular focus on the prevention of credit card fraud.

The system – which is predominant in the US, UK and Canada – authenticates payments by verifying whether the billing address used in a transaction matches the address of the cardholder.

As such, AVS is commonly used to detect fraud in online payments and other contexts where a card is not present, such as mail order/telephone order (MOTO) payments.

In most cases, a request for address verification is sent with the payment request to the bank where the card is held.

The bank then checks the address provided with the one it has on file and returns a specific AVS code that indicates a full match, partial match or no match, among other results.

Based on this code, the seller can decide to approve the order, cancel it or investigate further.

Card Verification Value (CVV)

The Card Verification Value is a payment security feature that is also prevalent in card-not-present (CNP) situations.

The CVV – more commonly known as the CVV number – is a three- or four-digit number printed on the back of a debit or credit card (or on the front for American Express). In either case, buyers must enter this number at checkout to prove they have possession of the card.

In a similar way to AVS verification, merchants compare the CVV code provided by the customer with the code their bank has on file. Discrepancies may indicate that the buyer does not have physical possession of the card and the transaction is potentially fraudulent.

EMV

EMV (Europay, Mastercard and Visa) is a payment standard that enhances the security of debit and credit card transactions at a physical point of sale. It was developed by EMVCo – the same company responsible for the development of the 3DS2 protocol.

Authentication is achieved with a chip embedded in the card that generates a unique, one-time-use code for each transaction known as a cryptogram.

The cryptogram is then sent with the payment details to the card issuer, which decrypts the cryptogram to authenticate the transaction.

The use of a unique cryptogram is the cornerstone of EMV security. Unlike static data in traditional magnetic stripe cards, the data contained in a cryptogram is virtually impossible for fraudsters to steal and clone onto a new card.
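Why a per-transaction cryptogram resists cloning and replay can be seen in a simplified model. This is an added example, not EMV's actual algorithm: HMAC-SHA256 truncated to 8 bytes stands in for the real card cryptography, the issuer checks the cryptogram by recomputing it with the shared key, and the `Card` and `Issuer` classes, keys and field names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def make_cryptogram(key, atc, amount_cents, currency, nonce):
    """Keyed MAC over the transaction data and the card's counter (ATC)."""
    msg = struct.pack(">HQ", atc, amount_cents) + currency.encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Card:
    """Chip model: the secret key never leaves the card."""
    def __init__(self, key):
        self._key, self._atc = key, 0

    def pay(self, amount_cents, currency, nonce):
        self._atc += 1  # the counter advances on every transaction
        mac = make_cryptogram(self._key, self._atc, amount_cents, currency, nonce)
        return {"atc": self._atc, "amount_cents": amount_cents,
                "currency": currency, "nonce": nonce, "cryptogram": mac}

class Issuer:
    """Issuer model: shares the card key and tracks the last counter seen."""
    def __init__(self, key):
        self._key, self._last_atc = key, 0

    def authorise(self, txn):
        expected = make_cryptogram(self._key, txn["atc"], txn["amount_cents"],
                                   txn["currency"], txn["nonce"])
        # Constant-time comparison: any change to the data breaks the MAC.
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "declined: bad cryptogram"
        # A captured cryptogram is valid once; the counter must move forward.
        if txn["atc"] <= self._last_atc:
            return "declined: replayed counter"
        self._last_atc = txn["atc"]
        return "approved"

if __name__ == "__main__":
    key = b"constructed-key!"          # constructed sample key
    card, issuer = Card(key), Issuer(key)
    txn = card.pay(1250, "AUD", b"\x01\x02\x03\x04")
    print(issuer.authorise(txn))       # genuine payment
    print(issuer.authorise(txn))       # same message captured and resent
```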

The challenges of payment authentication

Payment authentication faces many of the challenges inherent to the finance and cybersecurity industries.

Fraudsters pose the most obvious risk, and as authentication methods evolve, so do the tactics they employ to bypass them.

Some criminals use malware to compromise authentication systems themselves, while others use social engineering and phishing to steal personal information from customers and make unauthorised purchases.

Businesses that operate in multiple countries are also subject to different laws, requirements and systems, which increases the complexity and cost of both compliance and integration.

On the merchant side, the payment experience for customers can also be problematic. Multi-factor authentication protocols can add friction to the checkout process and may cause cart abandonment and customer dissatisfaction.

Business payment security with Eftsure

In the B2B space, thousands of businesses in Australia and the US trust in Eftsure’s payment verification technology to provide peace of mind when processing vendor and supplier payments. We provide businesses with the tools to prevent payment fraud, onboard new vendors and manage the accuracy of existing vendors’ banking and compliance data.

In summary:

  • The main objective of payment authentication is to verify online transactions and ensure that the individual attempting to make a payment is also the legitimate cardholder.
  • Five authentication factors aid in the process: knowledge, possession, inherence, location and behaviour. Inherence and behaviour-related factors utilise biometric data and machine learning algorithms respectively and hold the most promise.
  • 3D Secure 2 (3DS2) is a payment authentication protocol that meets stringent authentication requirements in the European Union. Though its use is not compulsory in Australia, many companies use it for the extra layer of security that it provides.
  • Payment authentication is effective but not without its challenges. Fraud and scams remain an ever-present risk, and global businesses may find compliance with different requirements complex and expensive.

 
