Copyright ©2017 EMVCo 2Copyright ©2018 EMVCo – Unauthorised reproduction is prohibited 2
Agenda
Introduction to EMVCo
• EMV 3-D Secure Transaction Flows
• How does EMV 3-D Secure Support PSD2
EMV® 3-D Secure
EMV Secure Remote Commerce
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.
Definition of EMV®
EMV is a technology toolbox that enables globally interoperable secure payments across face-to-face and remote environments
[Figure: the EMV technology toolbox. Technologies shown: EMV Payment Token, EMV Contact, EMV Contactless, EMV Mobile, EMV QR Codes, EMV 3-D Secure, EMV 2nd Generation, EMV Secure Remote Commerce. Other labels: Face to face, Remote, Options, Future proof, Wearable Device, Software Based Mobile Payments, CDCVM.]
EMVCo’s Mission and the Value of EMV®
Facilitate the worldwide interoperability of secure payment transactions by publishing the EMV Specifications and their related testing processes
EMV adoption enables the payments community to:
• Support payment security and transaction risk management
• Enhance security, interoperability and acceptance of EMV based payments globally
• Deliver innovative payment solutions
EMV Specifications are made available on a royalty-free basis
Roles of EMVCo and Payment Networks
What EMVCo Does
Create and publish EMV® Specifications
Facilitate testing and approval of EMV elements of products and solutions
Enhance payment security
Support specifications and testing for emerging payment technologies
What EMVCo Does Not Do (Managed by Global, Regional and Domestic Payment Networks)
Product development and implementation certification
Mandates or compliance
Commercial incentives
Fraud liability shift policy
EMV® 3-D Secure - Initiative Overview
Definition
• 3DS provides a secure communication channel between the Cardholder, Merchant and Issuer.
• A means of securely identifying the cardholder in an online transaction.
• A messaging protocol which enables Issuers to authenticate their Cardholder before transaction authorisation.
Opportunity
• Remote commerce is a growing segment. Transactions occur on multiple platforms – phones, tablets, PCs.
• Merchant almost always carries the fraud liability.
• Current solutions have a high degree of transaction friction.
EMVCo’s Role
• Specification that supports secure e-commerce transactions in a globally interoperable manner.
• Enhances and maintains specification based on industry feedback.
• Administers testing and approval process to ensure global interoperability.
Overview of 3DS
Three-Domain Secure (3DS) is a messaging protocol which enables Issuers to authenticate consumers during online shopping
The additional security layer reduces fraudulent use of online credit and debit transactions by:
• preventing unauthorised use of cards online
• protecting merchants from exposure to fraud-related chargebacks
Three domains consist of:
• Merchant / acquirer domain
• Interoperability domain
• Issuer domain
Authentication Messages
Why a New Version of the 3DS Specification is Required
Support non-browser e-commerce transactions
• In-app purchases (covers all connected device purchases)
Better integration with a merchant’s offering
• Enabling a smooth process for the challenge response that does not interrupt the merchant’s check-out experience
Facilitate a cleaner experience without sacrificing security
• Encourage frictionless authentication (where possible)
• Better use of dynamic one-time-passwords
Additional Benefits of New Specification
Deliver web-based service messaging to be used across multiple platforms
Offer advanced intelligent risk-based decisioning
Add support for non-payment authentication and digital wallet in addition to enriching current payment authentication flows
Align to country-specific and regulatory requirements
Application Based Use Case Example – Challenge / Response Flow
[Figure: challenge / response flow diagram. Components shown: Merchant Environment (3DS Client, 3DS SDK, Merchant Server, 3DS Server), Directory Server (DS), Access Control Server (ACS), Issuer, Acquirer, Payment Network. Messages shown: Authentication Request/Response, Results Request/Response, Challenge Request/Response, Authorisation Message, Merchant/MI APIs/Browser Interaction, MI APIs/Payment Requests.]
Note: Dashed arrows and Merchant Server are not part of 3DS specification and are shown for clarity only
Application Based Use Case Example – Challenge / Response Flow
3DS 1.0 Data (Initial Message – VEReq) / EMV® 3-D Secure Data (Initial Message – AReq)

Acquirer BIN
Acquirer Merchant ID
Cardholder Account Number
DS URL
Message, Extension, Version

Acquirer BIN
Acquirer Merchant ID
Card Expiry Date
Cardholder Account Number
DS URL
Merchant Country Code
Message Category, Extension, Type, Version
Purchase Amount, Currency, Date & Time
Recurring Expiry, Frequency
More than 10 X Data
Browser User-Agent
Browser User-Agent
IP address
Browser Time Zone
Cardholder Email Address, Home Phone Number, Mobile Phone Number, Work Phone Number
Cardholder Name
SDK App ID, SDK Encrypted Data, Ephemeral Public Key
SDK Reference Number, SDK Transaction ID
3DS Requestor URL
Browser Accept Headers
Cardholder Account Information (Account Age, Change, Password Change, Number of Transactions per Day / Year, Shipping Name Indicator, Suspicious Activity, Payment Account Age etc.)
Cardholder Account Identifier, Billing Address
Cardholder Shipping Address
Transaction Type
Account Type
Browser Time Zone
DS Reference Number, Transaction ID
EMV Payment Token Indicator
Purchase Date & Time
Recurring Expiry, Frequency
3DS Server Reference Number, Operator ID, Transaction ID, URL
Address Match Indicator
Device Channel, Device Information, Rendering Options Supported
Message Category, Type
Merchant Name
Merchant Country Code
Merchant Category Code
Merchant Risk Indicator (Delivery Timeframe, Re-order, Pre-order, Gift Card)
3DS Requestor Authentication Information (Method), Challenge Indicator, ID, Initiated Indicator
3DS Requestor Name, Non-payment Indicator, Prior Transaction Authentication information
Instalment Payment Data
Browser Java Enabled, Language, Screen Color Depth, Height, Width
How does EMV® 3-D Secure support PSD2
The capability to trigger a Strong Customer Authentication (SCA) when needed
Built-in support for Transaction Risk Analysis – more than 100 data elements provided
Optional indicator available to allow the requestor to indicate whether or not it prefers a challenge (SCA)
EMV® 3-D Secure - Future Changes for PSD2
Changes currently under consideration:
• New data element to indicate current whitelisting status (ARes and AReq)
• Ability for Merchants to communicate that their Acquirer has met either the SCA or TRA Exemption prior to submitting their 3DS Message (AReq)
• A new Transaction Status indicator (I) to indicate the ACS has received the data but authentication was not performed (ARes)
Copyright ©2017 EMVCo 17Copyright ©2018 EMVCo – Confidential 17
EMV® Secure Remote Commerce - Initiative Overview
Definition
• EMV Secure Remote Commerce (EMV SRC) is an evolution of remote commerce
• EMV SRC enables secure and interoperable payment acceptance from browsers or applications
• EMV SRC enables a merchant (or their agent) to receive a common payload based on dynamic data to process an e-commerce transaction
• Scope: Scenarios in which there is no face to face transaction
Opportunity
• Introduce dynamic data to e-commerce
• Introduce common and interoperable card payment specification for web based payments
• Simplify integration for merchants and commerce platforms
EMVCo’s Role
• Engage with industry stakeholders to create specifications that provide interoperable interfaces for the ecosystem
• Provide a common data definition and methodology to exchange a payment payload to streamline merchant integration and to support a consistent consumer experience
The Evolution of Payments
[Figure: payment models compared. Panels: Physical Payments, Online Payments, Secure Remote Commerce. Labels shown: BAU Authorisation, Cardholder, Payment Card, Payment Information, Physical Terminal, Consumer Interaction, Digital Card Selection, Merchant Website, Merchant and Intermediaries, SRC System, Acquiring Bank, Payment Network, Issuing Bank.]
Secure Remote Commerce establishes the framework to deliver a common Consumer Checkout while increasing Simplicity and Security
EMV® Secure Remote Commerce Roles
EMV SRC Role and Description
SRC System
• Orchestration of all technical and business relationships between participants of an individual SRC System
Digital Shopping Application (DSA)
• Integrate SRC Common Software into their consumer checkout experience
Digital Card Facilitator (DCF)
• Facilitate the storage and display of Digital Card data for selection (card art, descriptor and others)
SRC Initiator
• Distributes code to DSA and manages the API integration with the SRC System
• Provide checkout data to the SRC System at the time of a transaction
SRC Participating Issuer (SRC PI)
• Enrolment of cardholder and source of Digital Card data including card art and cardholder assurance
• Optionally create and validate dynamic data
EMV® SRC Addresses Gaps of Many Single Provider Solutions
• Scale is fundamental to the effectiveness of solutions
• Innovation in payment technologies mostly affects merchant-facing functions in the value chain
• Integration of each new data source is resource and time consuming
• Convenience over security is not an acceptable tradeoff for consumers and all want access to all their existing cards
Current Gaps
• Fragmented: Varied Experiences
• Potential-Risk: PAN Exposure
• Lack of Scale: Single Provider
• One-off Solutions: Merchant by Merchant
EMV SRC Achieves
• Common: Common Experience
• Secure: Dynamic Data; Assurance
• Scalable: Ubiquitous
• 360° Solution: Consistent Implementation
Higher Cart Conversion & More Engagement + Higher Authorisation Rates & Low Fraud Losses + Lower Cost of Integration & Higher Acceptance Rates + Higher Adoption
SRC in Context of Merchant Environment version 1.0
[Figure, for illustrative purposes only: checkout journey. Merchant experience varies by channel (web, mobile application, other technology); SRC experience facilitated by SRC system. Stages shown: Product Page, Checkout Page, Shipping, Payment & Billing, Order & Review, Confirmation. SRC elements shown: Identity, Card Selection, Assurance & Verification, Payment Tokenisation, 3-D Secure, 3DS, Authorisation. Legend: Required, Optional.]
NOTE: The SRC Specification does not mandate use or limit implementations to a “Single Button”.
Thank you!
For more information: www.emvco.com
Official specification & supporting material portal
FAQs general & technical
Seminar & meetings details
EMVCo approved products & accredited labs
White papers & best practice guides
or join us on LinkedIn.