For decades, the industry has relied on passwords to prove user identity. In payments, as merchants face growing pressure to meet regulatory requirements while minimizing customer friction, the evolution of authentication technology has become a central focus. Approaches differ by market, shaped by regulatory demands, consumer expectations and the underlying technical infrastructure. The shift goes beyond compliance and payment authentication alone: merchants want to defend against increasingly capable fraud while also improving user trust and operational efficiency.
Regulation is an important driver here. Europe's PSD2 (Payment Services Directive 2) is a landmark that set a benchmark for transparency, security and consumer protection, and it has inspired similar approaches in other markets. In regions with less prescriptive frameworks, industry players are increasingly adopting PSD2-inspired measures and best practices to address fraud, improve authentication and build consumer trust.
This prompts an important question about the best practices for authentication and the key trends shaping the wave of innovation in the industry. This year has been particularly interesting, with major announcements from the global card schemes aiming to harmonize security, usability, and innovation in this increasingly digital-first world. Before we dive deeper, let's first understand what we mean by payment authentication.
What is Payment Authentication?
Payment authentication is the process of confirming that a customer is who they claim to be when making an online purchase. It involves verifying the customer's identity to ensure they are authorized to use the payment method they are providing. This process helps prevent fraudsters from using stolen payment information to make unauthorized purchases.
One of the most widely recognized standards for payment authentication is 3D Secure; it is the primary protocol for meeting the Strong Customer Authentication (SCA) requirements of PSD2. PSD2, the revised Payment Services Directive, is a European Union regulatory framework that sets common rules for payment service providers in the European Economic Area (EEA).
Before moving ahead, let's first understand what Strong Customer Authentication is.
What is Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is a requirement under the European Union's revised Payment Services Directive (PSD2). Its goal is to make electronic payments more secure by requiring additional verification: a customer must prove their identity with at least two different authentication factors before a payment can be processed. For remote card payments the accompanying regulatory technical standards also require dynamic linking, meaning the authentication code must be bound to the specific amount and payee, so a code phished or intercepted for one transaction cannot be replayed to approve a different one.
SCA mandates that customers confirm their identity using at least two of the following three factors. The factors must also be independent, so that compromising one (for example, the phone that receives an OTP) does not compromise the other:
- What you have (possession): a device such as a smartphone or hardware token, or the payment card itself.
- Who you are (inherence): a biometric identifier such as a fingerprint or facial recognition.
- What you know (knowledge): a password, PIN, or the answer to a security question.
The role of 3DS as an SCA Enabler
3D Secure (3DS) is the protocol, specified by EMVCo in its current versions, through which a card issuer authenticates the cardholder during an online (card-not-present) purchase, and it is the main way card payments meet PSD2's SCA requirements. Think of 3DS as the plumbing that implements SCA: it carries the transaction details to the issuer, lets the issuer decide whether to challenge the cardholder, and returns the result together with an issuer-generated authentication value that the merchant presents at authorization. Note that 3DS by itself is not SCA; the issuer's challenge still has to use two independent factors.
Payment Authentication Methods under 3DS
These are the specific ways the cardholder's identity is verified, leveraging the "two out of three" SCA factors:
One-Time Passcodes (OTPs): Codes sent to the cardholder's registered mobile phone via SMS (possession of the SIM) or generated by an authenticator app (possession of the enrolled device). SMS OTPs remain widely used but are exposed to SIM swapping and to real-time phishing pages that relay the code to the issuer, which is one reason issuers are shifting to in-app methods.
Biometric Authentication: Fingerprint scanning, facial recognition, or voice recognition (inherence), often integrated within banking apps.
Static Passwords/PINs: Used by the original 3DS 1.0 and de-emphasised in later versions because a static secret can be phished and reused; where still present they supply only a knowledge factor and cannot satisfy SCA on their own.
Knowledge-Based Authentication (KBA): Security questions (knowledge), whose use is also declining because the answers are often guessable or discoverable from public records and breached data.
Push Notifications: Approval requests sent to the cardholder's banking app (possession), often combined with biometric authentication within the app (inherence).
Hardware Tokens: Physical devices that generate time-based codes (possession).
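The authenticator-app and hardware-token methods above generate time-based codes, and the SCA section requires two factors from different categories. The following added example (not Juspay's code or any card scheme's implementation) implements RFC 6238 TOTP verification with the standard drift window and a check that a presented set of methods spans two independent SCA categories. The method labels used as dictionary keys are assumed names for this example, not a standard vocabulary.

```python
"""TOTP verification (RFC 6238) plus an SCA factor-category check.
Added example; the secret and method labels are constructed for illustration."""
import hashlib
import hmac
import struct
import time

# Map authentication methods onto the three PSD2 factor categories.
# The method keys are assumed labels for this example.
FACTOR_CATEGORY = {
    "totp": "possession",          # authenticator app or hardware token
    "sms_otp": "possession",       # the SIM is the evidence of possession
    "push_approval": "possession", # approval on a bound device
    "fingerprint": "inherence",
    "face": "inherence",
    "password": "knowledge",
    "pin": "knowledge",
    "kba": "knowledge",
}


def sca_satisfied(methods):
    """SCA needs at least two factors from *different* categories.
    Password + security question is two knowledge factors and does not qualify."""
    categories = {FACTOR_CATEGORY[m] for m in methods}
    return len(categories) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time=None, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to tolerate
    clock drift between token and verifier. Constant-time comparison avoids
    leaking how many leading digits matched."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, len(code)), code):
            return True
    return False


if __name__ == "__main__":
    # The RFC 6238 reference secret; a real shared secret is random and per-user.
    rfc_secret = b"12345678901234567890"
    print("TOTP at T=59:", totp(rfc_secret, 59))
    print("TOTP alone satisfies SCA?", sca_satisfied(["totp"]))
    print("TOTP + fingerprint satisfies SCA?", sca_satisfied(["totp", "fingerprint"]))
```

A TOTP code on its own is one factor (possession); the PIN or biometric that unlocks the authenticator app is what supplies the second category. The accepted window should stay small, since every extra step multiplies the number of codes an attacker can try against a given secret.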
Security checks beyond 3DS during payment authentication flow
Address Verification System (AVS)
For merchants, Address Verification System (AVS) acts as a security measure to fight credit card fraud. Essentially, AVS checks if the billing address a customer provides during a purchase matches the address the card issuer has on file for that account.
Here's how it works: When a merchant performs an AVS check, their payment gateway sends the numerical parts of the customer's billing address (like the street number and postal code) along with the card details to the customer's issuing bank through payment networks like Visa or Mastercard. The issuing bank then compares these numbers to the address they have recorded for that card and sends back an AVS response code to the merchant. The merchant uses this code, along with other fraud prevention methods, to decide whether to approve or decline the purchase.
AVS adds a layer of security by confirming knowledge of information tied to the legitimate account holder: a fraudster holding a card number from a breach often does not have the matching billing address. This makes it harder to complete a transaction with stolen card data and helps merchants reduce the fraudulent transactions that would later come back as chargebacks.
However, AVS can produce false declines. If a customer enters their work address, AVS may flag a mismatch. AVS is also effectively limited to issuers in the US, UK and Canada; elsewhere the issuer typically returns an "unavailable" result rather than a mismatch, so the absence of a match is not evidence of fraud and should not be treated as one. A further limitation is that standard AVS only verifies the numeric parts of the address (street number and postal code), not the street name, city or state.
Card verification value (CVV)
The Card Verification Value (CVV; strictly CVV2 for Visa and CVC2 for Mastercard), a three- or four-digit security code printed on credit and debit cards (usually on the back for Visa and Mastercard, and on the front for American Express), is a key control for reducing fraud in transactions where the physical card isn't present (CNP).
When a customer makes an online purchase, they are asked to enter the CVV along with the other card details. The payment gateway sends this information through the payment networks to the issuing bank. The issuer checks the CVV cryptographically (the code is derived from the card number and expiry date under an issuer-held key rather than looked up from storage) and returns a CVV result code together with its decision to approve or decline the transaction.
The CVV serves as a proxy for possession of the physical card at the time of the CNP transaction. PCI DSS forbids merchants and processors from storing the code after authorization, which is why card data stolen from a merchant database typically lacks it and why a fraudster holding only the card number and expiry date (from a breach, for example) is blocked. This helps merchants reduce the chargebacks filed by legitimate cardholders over unauthorized use.
Geolocation
Geolocation is the process of determining the geographic location of the device (smartphone, computer or tablet) used to initiate a payment, typically from its IP address. It is a risk-assessment signal rather than an authentication factor: it checks whether the transaction originates from a location consistent with the legitimate cardholder's known patterns or profile. IP-based location is approximate and is blurred by VPNs, proxies and mobile carrier address sharing, so it should feed a risk score rather than act as a hard rule on its own.
When a customer initiates a transaction, the inferred location is compared against data points such as the billing address, shipping address and historical user behaviour. A transaction is flagged on anomalies such as impossible travel (two events whose separation in distance and time implies a speed no traveller could achieve) or high-risk geographies. A transaction flagged as high risk can be routed to strong authentication such as a 3D Secure challenge, while low-risk transactions proceed without added friction.
Geolocation helps in enhancing the fraud detection by adding a valuable context to transactions, enabling more accurate risk scoring. This helps merchants in potentially reducing the amount of chargebacks.
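The three checks above (AVS, CVV and geolocation) are only useful when combined into one decision. The following added example (illustrative code, not Juspay's risk engine) maps common network AVS and CVV result codes onto outcomes, computes impossible travel from two located events with the haversine formula, and turns the combined score into a frictionless, step-up-to-3DS or decline decision. The code-to-outcome mappings and the score weights are assumptions chosen for the example; real processors return more granular codes and tune weights from their own data.

```python
"""Combine AVS, CVV and geolocation signals into a step-up decision.
Added example with constructed inputs; not a production risk engine."""
import math
from dataclasses import dataclass
from typing import Optional

# Common Visa/Mastercard-style AVS result codes. The coarse outcome mapping
# is an assumption for this example.
AVS_OUTCOME = {
    "Y": "full_match",      # street number and postal code both match
    "A": "partial_match",   # street number matches, postal code does not
    "Z": "partial_match",   # postal code matches, street number does not
    "N": "no_match",
    "U": "unavailable",     # issuer does not support AVS (usual outside US/UK/CA)
    "G": "unavailable",     # non-participating international issuer
}
# Common CVV result codes.
CVV_OUTCOME = {"M": "match", "N": "no_match", "P": "not_processed", "U": "unavailable"}


@dataclass
class GeoSample:
    ts: float   # unix seconds when the event was observed
    lat: float
    lon: float


def haversine_km(a: GeoSample, b: GeoSample) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def impossible_travel(prev: GeoSample, cur: GeoSample, max_kmh: float = 900.0) -> bool:
    """True if the implied speed between two events exceeds roughly airliner speed.
    Events at the same instant but in different cities are impossible too."""
    dist_km = haversine_km(prev, cur)
    dt_h = (cur.ts - prev.ts) / 3600.0
    if dt_h <= 0:
        return dist_km > 50.0
    return dist_km / dt_h > max_kmh


def assess(avs_code: str, cvv_code: str, prev_geo: Optional[GeoSample] = None,
           cur_geo: Optional[GeoSample] = None, country: Optional[str] = None,
           high_risk_countries=frozenset()):
    """Return (decision, score, reasons). Weights are illustrative assumptions."""
    avs = AVS_OUTCOME.get(avs_code, "unavailable")
    cvv = CVV_OUTCOME.get(cvv_code, "unavailable")
    # A wrong CVV with a correct card number is the classic breached-data pattern.
    if cvv == "no_match":
        return ("decline", 100, ["cvv_no_match"])
    score, reasons = 0, []
    if avs == "no_match":
        score += 40; reasons.append("avs_no_match")
    elif avs == "partial_match":
        score += 15; reasons.append("avs_partial_match")
    elif avs == "unavailable":
        score += 10; reasons.append("avs_unavailable")   # no signal is not a clean signal
    if cvv in ("not_processed", "unavailable"):
        score += 10; reasons.append("cvv_" + cvv)
    if prev_geo is not None and cur_geo is not None and impossible_travel(prev_geo, cur_geo):
        score += 50; reasons.append("impossible_travel")
    if country is not None and country in high_risk_countries:
        score += 30; reasons.append("high_risk_geo")
    decision = "step_up_3ds" if score >= 40 else "frictionless"
    return (decision, score, reasons)


if __name__ == "__main__":
    # Constructed events: a purchase located in London, then one in New York an hour later.
    london = GeoSample(ts=0, lat=51.5074, lon=-0.1278)
    new_york_1h = GeoSample(ts=3600, lat=40.7128, lon=-74.0060)
    print(assess("Y", "M"))
    print(assess("Z", "M", london, new_york_1h))
    print(assess("Y", "N"))
```

The hard decline on a CVV mismatch and the soft handling of an "unavailable" AVS result follow directly from the earlier sections: the CVV check is decisive because the code should not exist in any stolen database, while an absent AVS result usually means an issuer that does not support AVS at all.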
How is Payment Authentication different from Payment Authorization
While the terms "payment authentication" and "payment authorization" are often used interchangeably, they represent distinct processes in a payment transaction:
- Payment Authentication: Focuses on verifying the identity of the person making the transaction to ensure they are who they claim to be.
- Payment Authorization: Usually occurs after payment authentication and involves the issuer checking that the account is open and not blocked and has sufficient funds or credit, then approving or declining the specific amount.
If authentication fails, the transaction does not proceed to the authorization stage and the payment is declined; the customer may be asked to retry or provide additional verification. The reverse does not hold: a successful authentication does not guarantee approval, since the issuer can still decline at authorization.
Both processes are essential for secure online transactions. Authentication prevents unauthorized payments, while authorization ensures that merchants receive payments for completed orders.
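The hand-off from authentication to authorization is where the two processes meet: only an authenticated (or, by merchant policy, attempted) 3DS result should be carried into the authorization request, with the issuer's authentication value attached. The following added example (not Juspay's SDK or a real 3DS Server) simulates that flow with a stand-in ACS on the issuer side. The field names transStatus, authenticationValue, dsTransID and threeDSServerTransID come from EMV 3DS, but the message bodies are a simplified subset and the ACS behaviour (frictionless below an amount threshold, a fixed challenge code above it) is constructed for the example.

```python
"""3DS authentication result driving the authorization decision.
Added example with a simulated ACS; message bodies are a simplified subset of EMV 3DS."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# EMV 3DS transStatus values. The outcome labels are the usual merchant reading.
TRANS_STATUS = {
    "Y": "authenticated",
    "A": "attempted",     # proof of attempt; issuer/ACS did not fully authenticate
    "C": "challenge",     # issuer wants to challenge the cardholder first
    "N": "failed",
    "U": "unavailable",   # technical problem, no authentication performed
    "R": "rejected",
}


@dataclass
class AuthResult:
    trans_status: str
    authentication_value: Optional[str] = None   # present only on Y or A
    ds_trans_id: Optional[str] = None


class SimulatedACS:
    """Constructed issuer side: frictionless under a threshold, challenge above it,
    and one fixed OTP the 'cardholder' must supply. Not real ACS logic."""

    def __init__(self, challenge_above_minor: int = 5000, otp: str = "482913"):
        self._threshold = challenge_above_minor
        self._otp = otp
        self._pending = {}

    def authenticate(self, areq: dict) -> AuthResult:   # AReq -> ARes
        tx = areq["threeDSServerTransID"]
        if areq["purchaseAmount"] <= self._threshold:
            return AuthResult("Y", self._auth_value(tx), "ds-" + tx)
        self._pending[tx] = areq
        return AuthResult("C", None, "ds-" + tx)

    def challenge(self, creq: dict) -> AuthResult:      # CReq -> final result
        tx = creq["threeDSServerTransID"]
        if tx not in self._pending:
            return AuthResult("U", None, "ds-" + tx)   # no challenge outstanding
        del self._pending[tx]
        if secrets.compare_digest(creq["otp"], self._otp):
            return AuthResult("Y", self._auth_value(tx), "ds-" + tx)
        return AuthResult("N", None, "ds-" + tx)

    @staticmethod
    def _auth_value(tx: str) -> str:
        # Stand-in for the issuer-generated authentication value (CAVV/AAV).
        return hashlib.sha256(tx.encode()).hexdigest()[:28]


def authenticate(acs: SimulatedACS, amount_minor: int, card_token: str,
                 cardholder_input: Callable[[], str]) -> AuthResult:
    """Merchant/3DS Server side: send AReq; if the ACS asks for a challenge,
    collect the cardholder's response and send CReq. Carrying the OTP inside
    CReq is a simplification of how the real challenge UI works."""
    tx = secrets.token_hex(8)
    ares = acs.authenticate({"messageType": "AReq", "threeDSServerTransID": tx,
                             "purchaseAmount": amount_minor, "acctNumber": card_token})
    if ares.trans_status != "C":
        return ares
    creq = {"messageType": "CReq", "threeDSServerTransID": tx, "otp": cardholder_input()}
    return acs.challenge(creq)


class AuthenticationFailed(Exception):
    pass


def authorization_payload(result: AuthResult, amount_minor: int, currency: str,
                          allow_attempted: bool = True) -> dict:
    """Build the authorization request only when authentication succeeded (Y) or,
    if policy allows, was attempted (A). N, R, C and U never reach authorization."""
    outcome = TRANS_STATUS.get(result.trans_status, "unknown")
    if outcome == "authenticated" or (outcome == "attempted" and allow_attempted):
        if not result.authentication_value:
            raise AuthenticationFailed("status %s without authenticationValue" % result.trans_status)
        return {"amount": amount_minor, "currency": currency,
                "transStatus": result.trans_status,
                "authenticationValue": result.authentication_value,
                "dsTransID": result.ds_trans_id}
    raise AuthenticationFailed("transStatus=%s (%s): not submitting for authorization"
                               % (result.trans_status, outcome))


def can_authorize(result: AuthResult, allow_attempted: bool = True) -> bool:
    try:
        authorization_payload(result, 0, "EUR", allow_attempted)
        return True
    except AuthenticationFailed:
        return False
```

The separation mirrors the decoupling described later in this article: any PSP can consume the authentication value and transStatus produced here, and a merchant's only policy lever at this point is whether an "attempted" (A) result is good enough to proceed.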
Industry-Specific Authentication Challenges
Mobile-First Ecommerce
Mobile-first eCommerce businesses face unique challenges in providing a seamless yet secure user experience. Any friction in the authentication process can result in high cart abandonment rates. A white paper by Phocuswright & Cybersource highlights that 53% of users abandon their cart if the checkout process is too complex, particularly when multiple authentication steps such as passwords or SMS OTPs are required. This is a significant concern as more bookings move to mobile platforms while mobile fraud is rising: a BioCatch report puts the share of fraud carried out from mobile devices in North America at 61% in 2023, up from 47% in 2022, with travel-related apps seeing a 15% year-on-year increase in fraud incidents. To address these challenges, merchants are increasingly turning to biometric authentication and device binding, which integrate directly into apps and allow secure, low-friction checkouts.
High-Value Transactions: Airlines
Airline transactions often involve significant personal and payment data, and because the ticket values are high they are a frequent target for fraud. Airline carriers report that 3.8% of bookings are rejected or canceled due to suspected fraud, and on top of that churn 1.2% of airline revenue is lost to fraud. Carriers have therefore adopted next-generation fraud management and authentication systems to balance security against customer experience. The ability to securely process cross-border, high-value bookings with minimal impact on the user is key to maintaining customer trust and loyalty in the airline sector, so airlines are increasingly turning to biometric verification and adaptive authentication.
App Intensity Overload in App-Heavy Ecosystems
As mobile app ecosystems expand, users are experiencing "app intensity overload," where constant authentication requests create fatigue, especially in app-heavy sectors like eCommerce and finance. Studies show that users expect streamlined, password-free experiences, and friction from complex or repeated authentication steps often results in cart abandonment and disengagement. Customers are leaning towards digital payment solutions like Click to Pay (CTP) and passkeys, which use device-bound credentials unlocked by on-device biometrics to reduce friction in the payment flow.
Balancing Fraud with Friction
Authentication serves as a critical gateway to security. While it does not guarantee the authorization of transactions, it instills confidence in merchants that they are engaging with genuine customers. This means that when an authentication fails, the transaction should typically be declined to prevent potential fraud. Customers may be prompted to retry or use alternative verification methods, but repeated failures often lead to a hard decline or flagging for review.
To put this into perspective, industry studies estimate that every dollar lost to fraud costs U.S. retailers an average of $2.94 once compounded expenses such as operational overhead and lost merchandise are counted, wherever in the transaction lifecycle the fraud occurs. The need to prevent these losses drives companies to prioritize security measures, sometimes at the expense of user experience.
Ironically, stacking multiple layers of security creates authentication friction that frustrates the legitimate users who value convenience. Friction arises from delays in receiving one-time passwords (OTPs) that must be entered for every transaction or login, and from device-recognition challenges that require users on new or unrecognized devices to complete extra identity verification steps even for legitimate activity. Cart abandonment rates can be as high as 25% due to added authentication steps, and studies suggest that a single second of delay can reduce conversion rates by up to 7%.
These hurdles are common occurrences. For businesses, particularly in the eCommerce sector, this isn't just an inconvenience; it's a critical issue. Margins are often thin, and losing potential customers because of one additional step during checkout can be financially crippling.
This underscores the delicate balance businesses must strike between implementing robust security measures and maintaining a seamless, user-friendly experience.
Optimize Payment Authentication with Juspay
Juspay has been at the forefront of solving payment operations for over 12 years, providing enterprise-grade products, solutions and support. We aim to unify complex, diverse and innovative payment ecosystems and make payments seamless for end users.
The Juspay Authentication suite is a modular, standalone service that helps merchants gain visibility into authentication performance, ensure compliance, improve user experience and stay future-ready, all with minimal technical effort. Juspay offers a unified authentication SDK/API for any authentication mode and lets merchants manage all their 3DS servers under one integration.
Benefits of Juspay’s Payment Authentication Suite
Modular Service - Merchants do not need to overhaul their existing payment stack. Juspay’s authentication suite can be used only for payment authentication, and even selectively for specific features or products.
Easy Integration - Juspay’s payment authentication suite offers client SDKs in multiple languages and native authentication SDKs to handle frontend operations smoothly with minimal technical efforts.
Payment Service Provider (PSP) and Authentication Provider Agnostic - Juspay’s payment authentication suite works independently of PSPs and authentication providers. Authentication and authorization are decoupled, so any PSP can consume the authentication response returned by the authentication service when it performs authorization.
Future-Proof Architecture - The SDK and APIs are designed to support future product integrations. With a single integration, merchants can add new features with no code changes - just simple dashboard configurations. Juspay’s payment authentication suite can handle authentication with external providers, acquirers, card network and issuer products.
Out-of-the-Box Compliance - Juspay’s payment authentication suite ensures global compliance by adapting requests to meet specific market regulations. Merchants can send the same request across markets, and Juspay will handle the compliance logic in the background.
Granular Control - Merchants have full control over how payment authentication is executed, within the boundaries of regulatory compliance. Juspay’s payment authentication suite provides multiple levers to the merchants to control the authentication behaviour of the transaction. This allows merchants to implement their own strategy safely.
Rich Data and Analytics - Juspay’s payment authentication suite offers rich non-sensitive authentication data to merchants, enabling them to gain insights into their authentication flows. An advanced analytics dashboard provides merchants with data across dimensions like market, issuer, network, and user segments. This visibility helps merchants fine-tune strategies and improve conversion rates.
Customizable UI - Juspay’s payment authentication suite offers flexible UI customization options, allowing merchants to seamlessly align the checkout experience with their app’s look and feel. From theme and background color to font and button styles, the SDK makes it easy to blend the authentication UI into the overall user interface.
Conclusion
As payment authentication continues to evolve, merchants need a solution that’s not only compliant and secure but also flexible and data-driven. Juspay’s payment authentication suite offers just that - empowering merchants with visibility, control, and scalability. In an era where seamless payments drive conversion and loyalty, investing in the right payment authentication strategy is no longer optional - it’s essential.