FAQs during UL's webinar on EMV 3-D Secure 2.0: Boosting Customer Authentication on 21 June 2017

July 10, 2017 - UL hosted a webinar on EMV 3-D Secure 2.0 on 21 June 2017 for our Asia Pacific audience. We received quite a few questions on this topic, which we have listed and answered for you.

Q1. Why is it not possible to include an additional username and password fields together with the payment screen (where the credit card information is being asked for) initially?

The authentication step (the "challenge") is an extra layer of security performed between the customer device and the Issuer directly - via a password or one of the other authentication methods supported in EMV 3DS 2.0. It is not possible to supply the challenge screen to the customer at checkout as it is not known which issuer provided the credit card at this stage.

Q2. Do the username and password get verified by the Issuer before the payment amount is deducted?

Yes, the EMV 3DS authentication is an authentication step that happens before the authorization (payment) is performed. Based on the analysis results of the issuer, the merchant can choose to discontinue the payment.

Q3. What will happen to the existing MPI server that was used in 1.0?

Existing MPI solutions will remain for 3DS 1.0 use as long as this version is still supported.

Q4. When will the Standards for EMV 3-D Secure 2.0 be available and are they matured/complete to be implemented?

The standards for EMV 3-D Secure 2.0 as well as the specifications for the SDK are already publicly available on the EMVCo website.

Q5. Is the parameter for the risk engine set up by the issuer?

An issuer can implement the risk engine based on their perceived suitability. The EMV 3-DS specifications do not state how a risk engine should operate, providing issuers with free reign on the parameters/fields in the initial message.

Q6. Is EMV 3D Secure 2.0 with out-of-band transaction considered a CP transaction or CNP transaction?

This will still be considered a CNP transaction as the card is not present at the merchant during the time of the purchase.

Q7. How do you obtain the phone number matched to the card for authentication?

An Issuer will typically have access to their customers' information and be able to use that information as needed to perform an authentication challenge. The Issuer could send a SMS One-Time Pass (OTP) to the customer's phone number in their system. In the case whereby the mobile phone number is unknown, another challenge method will be utilized.

Q8. What is FIDO and what is their responsibility?

The FIDO alliance is a non-profit organization formed to bridge the interoperability gap between strong authentication devices. It also strives to address the problems that users face with creating and remembering multiple usernames and passwords.

FIDO offers both a Universal Authentication Framework that makes use of authenticators on the hardware like biometrics, and a Universal Second Factor authenticator which uses a dongle and short password to authenticate the user. In EMV 3-D Secure 2.0, one of these methods can be used as a form of Out-Of-Band (OOB) authentication for instance.

Q9. If no challenge is requested in a low risk transaction, and the transaction does end up being fraudulent, is the issuer then liable for chargeback?

Based on how 3DS 1.0 operates, that is likely to be the case. However, the exact rules on this have not been published yet for EMV 3DS 2.0.

Q10. Is the risk calculation done in real-time or is it derived by predefined fraud rules?

The issuer will have to determine the risk level of each transaction almost in real-time. This can be achieved either by establishing a predefined set of fraud rules, or through a real-time analysis of the incoming data.

Some solutions leverages on machine learning or AI algorithms that continually adapts to the data received.

Q11. Will Version 1.0 and 2.0 be supported at the same time (initially)?

It is likely that there will be a period when both versions will coexist to ensure a smooth transition between the two versions.

Q12. When are the mandate dates for the issuers?

Currently, only VISA has published information on their plans to extend current merchant chargeback rules to include EMV 3DS 2.0.

Q13. Why would an issuer choose to not challenge and therefore not have a repeat of 3DS 1.0?

One of the advantages of EMV 3DS 2.0 is the possibility to provide a frictionless experience to the customer. In this frictionless flow, no challenge is required for the customer - making the customer journey smoother compared to, for example, a previous implementation that required a password.

Q14. Are there any mandates on the type of authentication to be used?

Currently, there are a number of supported authentication types. These range from SMS One-Time-Pass (OTP) to Knowledge Based Authentication (KBA), and even Out-of-Band authentication where an issuer is free to develop a custom authentication beyond the usual 3DS flow. The use of a password while still allowed, is highly discouraged.

Join UL's EMV 3-D Secure 2.0 Masterclass, for a deep-dive into the newly released specifications. Prepare yourself for the changes, the impacts and take advantage of the new features. click the link for course dates and for further information.