New authentication channel a game-changer for online businesses
3D Secure for online payments continues to gather momentum globally. However, for some industries, real-time authentication requirements can be a significant drawback, especially for those that rely on recurring, subscription or instalment card-on-file transactions. Now, a new decoupled authentication channel enables the same level of security as 3D Secure authentication, without requiring the user to be online at the time of the transaction.
Many online customers remain frustrated by the online payment process. This is especially true if they experience multiple authentication steps and unexpected challenge redirections from the website or app interface. Striking a balance between security and user experience is vital in order to reduce the number of abandoned transactions.
“3D Secure has really beefed up our online security, but customers are still sensitive to the challenges sometimes required by fraud engines. This could be a result of the customer making a payment from a foreign country when travelling abroad, or when the person is not immediately available to authenticate the transaction in-session for recurring subscription payments. In order to process these payments, merchants are forced to opt for less secure options. Until now,” explains Elizabeth Graham, Product Manager Payments at Entersekt.
EMVCo 2.2 has defined a new decoupled authentication channel that aims to deliver the same security as 3D Secure and the benefits of liability shifts without all the restrictions.
“In a normal 3D Secure authentication, if a challenge is required, it will always be performed as part of the payment process in the app or browser the customer is using at that time. Decoupled authentication, however, allows authentication without the customer being in-session at the time of payment. This means merchants can now request the security information needed from banks even when their customers are offline and away from their device,” Graham says.
Graham goes on to say decoupled authentication also allows the merchant to set a time limit, giving the cardholder up to seven days to complete the authentication process, and it can be done on a different device than the one on which they made the transaction.
Many applications for decoupled authentication
There are many instances where decoupled authentication could deliver better security than currently offered with a better user experience – although it can still be used for immediate authentication as well.
Common scenarios include recurring card-on-file and instalment payments, which can sometimes attract a challenge. In these instances, a decoupled authentication can be sent to the user, even when they are not online at the time of the transaction, and they can authenticate at their convenience.
Recurring payments could also be for fixed amounts such as news sites and streaming subscriptions, or they could include variable amounts, as is the case with monthly mobile top-ups.
“Some subscription-based services run their card on file payment transactions at odd times due to time zone differences, and the issuer could decline these because their risk tools might assume fraud since many of these transactions are currently taking place without 3DS. Now, if a merchant and issuer implement decoupled authentication, we could avoid these false declines, allowing the cardholder to approve the transaction when it suits them and within the period set by the subscription service,” Graham says.
Other recurring payments could include a mixture of fixed and variable amounts or even payments that have a fixed limit or threshold.
Decoupled authentication allows merchants to bypass complex SDK integrations, while still enjoying a consistent end-to-end experience. This option also allows them to avoid relying on issuers’ challenge screens, and will save them time and development costs. The user experience can also benefit from the technology with the major card schemes noting that the challenge success rates are much lower with in-app authentication.
“Currently, mobile payments can sometimes be daunting for customers. Instead of showing the customer a challenge screen in a mobile app to ask for verification while making an online purchase, decoupled authentication would allow the merchant to send a notification that can then be authenticated through the customer’s banking app. This would deliver a better user experience and could even boost trust in the transaction. These payments could also save merchants money because they won’t have to implement challenge payments and then do extensive testing. Issuers could also benefit from the new authentication channel as they would not carry the costs of failed merchant-initiated transactions,” Graham explains.
An important use case for the new channel is the travel industry, which currently suffers from many failed transactions.
“Online travel agencies often process payments on behalf of multiple partners when they sell travel packages, each one requiring authentication. If the authentication from the hotel or the car rental company fails, it can jeopardise the package transaction. Decoupled authentication could link the authorisations together under the original airline authentication, ensuring fewer failed transactions. It is clear decoupled authentication will have a significant impact on merchants and issuers around the world, not to mention improve the payment experience for all online customers,” Graham concludes.