Smart Authentication

One of the key feature of 3DSecure 2.0 is Smart Authentication.

With version 1, the schemes introduced the Attempts Server to ensure reliability by having the Attempts Server Stand-In when the ACS cannot be reached and also to create a positive proof that 3DS Secure Authentication was truly attempted.

The Attempts Server creates a liability shift and while Issuers are required to treat an Attempts Transaction equally, clearly this represents a problem for the Issuer in that it now is required to authorize and assuming the chargeback responsibility for transaction on the sole premise that the cardholder had wanted to authenticate but could not.

Smart Authentication is a major step forward and is part of the Authentication Value-Added Services which schemes such as MasterCard have been championing. At its most basic Smart Authentication replaces the Attempts Server and even returns an Attempted reply, but the decision to give a positive authentication is based on Transaction Risk Analysis computed on all the privileged information which card scheme have access to.

The schemes have pulled all the stops in creating a truly smart, ML/AI driven risk analysis system which accurately provides convenience where required and firmness when called for.

Smart Authentication is more than just a very smart Attempts server, however. The key feature of version 2 is frictionless authentication and this puts a huge onus on the ACS system which has to provide Risk Based Authentication.  This is clearly a problem for many Issuers as the effort and technologies involved are an order of magnitude more complex than previously employed. The Card schemes are therefore offering Smart Authentication as a value added service for ACS systems; this way Issuers can easily and conveniently enhanced the capabilities of their existing ACS system by allowing the DS server to play a more direct role in the Authentication process.

This is a efficient way to approach the problem; schemes like MasterCard, Visa and Amex can rolled out a change with an immediate global impact, while updating the multitude of ACS systems around the world is prohibitively expenses and time consuming and for some functionality, will probably never happen; a case in point being Acquirer Exemptions which the Directory Server is best position to evaluate and the Issuer least likely to implement.

MasterCard in particular is offering 4 types of Smart Authentication:

• Smart Authentication Stand-in: Makes authentication decision when ACS is not available
• Smart Authentication Direct: Makes authentication decision for low risk transactions
• Smart Authentication for Issuers: ACS takes authentication decision based on Smart Authentication Assessment
• Smart Authentication Direct for Acquirer Exemptions

A few finer point are worth keeping in mind:

• The Stand-in will not be invoke when a transaction is an NPA or when the authentication is flagged as Authentication mandated.
• Stand-in Authentication will reply as Fully Authenticated for low risk transactions and return an Attempts reply for Non low Risk.

Stand-in Authentication

Changes are coming to Stand-in Authentication:

Smart Authentication Stand-In RBA upper limit will be lowered to 30€ (on 7 Dec 2020 / 14 Sept 2021) . This value is the default; Issuers can change this upper limit according to PSD2 RTS thresholds (100/250/50) or set values for EEA and non EEA. Issuer will also control the risk score threshold

Effective 5 April 2021, Smart Authentication Stand-In will be required without the ability to opt-out for all Europe region issuers. (Issuers are free to adopt alternative technical solutions.)

More Control for Issuers

Mastercard will be introducing even more control for Merchants from 2021

• Extended Purchase Amount Thresholds: Upper Limits can be varied by MCC/Merchant
• Risk Score Thresholds: Issuers can set a threshold to delimit low from non low risk scoring varied by MCC/Merchant
  Reason Code Listing: Issuers can select reason codes to be forced to low or non low risk assessment varied by MCC/Merchant
• White/Blacklist Merchants: Issuers can force low/non low risk assessment for specific merchants
• Velocity Based Decisioning: Issuers can force low/non low risk assessment based on specific velocity based fraud vectors

Smart Authentication Direct

Smart Authentication Direct provides a reply on behalf of Issuer directly to the 3DServer/Merchant.

Process:

• Low Risk authentication requests are responded on behalf as “fully authenticated”
• Non Low Risk authentication requests are forwarded for response to ACS

Use cases:

• Alternative to ACS Provider services for low risk transactions
• ACS Provider with limited capacity to provide Risk Based Authentication decisions

Benefit:

• Reducing latency and transaction volume for low risk transactions since they don’t need to go out to the ACS for authentication
• Reducing overall authentication friction through risk based decisioning while avoiding unnecessary challenges
• Reducing ACS expenses

Issuer Controls and PSD2 Compliance

Smart Authentication Direct is introduced with an upper purchase amount limit at 30€, Transactions above 30€ or non-low risk will be assessed “non-low risk” and forwarded to ACS.

Clearly differentiates Low Value Payments from other transactions; Issuer Low Value Payment counting or accumulation is applied during authorization processing

Issuers will get control over the upper purchase amount limit

• Can be raised according the PSD2 RTS threshold amounts
• Different controls EEA vs. non-EEA
• Lower limit remains at 30€

Issuers will get control over the risk score threshold; can be raised according to issuer risk tolerance

Smart Authentication Direct Acquirer Exemptions

The benefits are the same as for Smart Authentication Direct with the addition that this service provides Authentication decisions to process an Acquirer Exemption request.

Merchants are strongly recommended to request Acquirer Exemptions during 3DS Authentication instead of through to authorization only.

• Merchants requesting TRA Acquirer Exemptions straight through authorization may get confronted with
  a soft decline from issuer when issuer perceives too high risk
• Soft declines lead to inferior consumer and merchant experience adding latency to the purchase and potentially increasing abandonment rate
• Offering issuers the option to challenge when issuer perceives too high risk during authentication increases issuer confidence and may result in better approval rates

In addition

• Merchants requesting TRA Acquirer Exemptions through authentication are offering issuers the option to apply a risk assessment based on full EMV 3DS data
• Issuers can challenge transactions that are perceived as risky

The Card industry deserves to be applauded for moving the milestone in digital payments, addressing the challenges of today and setting the stage for the transformative technologies of tomorrow.