Access Control Server

The issuer domain (banks) of 3-D Secure protocols includes the Access Control Server (ACS). Each card issuer is required to maintain an ACS utilised for supporting cardholder authentication. A customer can authenticate to the ACS by providing their username and password; the ACS then signs the result as either valid or invalid. This signature is transmitted to the Merchant Plug-in via the customer's browser (MPI). The MPI verifies the ACS signature and decides whether the transaction should proceed.

Due to the need to maintain the confidentiality of the transaction, the cardholder is diverted to the website of the issuing bank during the 3-D Secure process. When the information is given to the bank, the MPI returns the verification to continue rejecting or accepting the user's authenticity. The MPI connects card servers and merchant servers for verification purposes.

Learn more about ACS through 3DS1 and 3DS2.

Biometric Authentication

Verification of an individual's identity based on their unique biological characteristics, including facial recognition or voice identification. Biometric authentication systems compare captured biometric data with confirmed authentic database data. For authentication to be validated, both biometric data samples must match.

Card-Not-Present Fraud

When a customer manually enters credit card information during a transaction without physically presenting the card to the merchant, it is considered card-not-present (CNP) fraud. This type of fraud typically occurs online when the fraudulent party obtains the cardholder's information without their consent, such as their three-digit security code. Commonly, CNP fraud is committed via phishing.

Card Scheme

Card schemes are payment networks that establish regulations and provide infrastructure to issue cards and process card-based transactions, such as debit and credit card transactions. Issuers (bank or financial institution) and acquirers (merchant or customer) must be part of the same network as the card in order for a payment to be processed.

Chargeback

Chargeback refers to the return of funds used to make a purchase, initiated by the bank or financial institution that issued the funds. It was one of the advantages of 3-D Secure 1.0 in regards to the fact that it reduced the likelihood of chargebacks. If a chargeback occurs, the cardholder's bank will be held responsible.

Directory Server

A central repository for storing and operating data, including identity profiles. Directory Server can be used to authenticate and authorise users to ensure safe access to an organisation, internet services, and applications. Directory Server is expandable as it can be integrated within existing systems, and permits the integration of employee, customer, supplier, and associates data.

EMVCo

Originally known as EMV, this international standard for credit and debit card payments is based on chip card technology. It was named after the card schemes that founded it, namely Europay, MasterCard, and Visa. EMVCo, a collaboration of financial institutions including Visa, Mastercard, American Express, China Union Pay, JCB, Discover/Diners Club International, and Rupay, now regulates the standard. Additionally, they are the creators of EMV Three-Domain Secure (3DS). The mission of EMVCo is to promote global interoperability and ensure the safety of all online payment transactions.

Frictionless Flow

Instated through risk-based authentication performed in the ACS, this feature enables issuers to approve a payment without interacting with the cardholder. As the customer confirms an online purchase, all of their shopping details, including device data, item purchased, and value, are sent to the ACS in order to verify the cardholder's identity using risk-based elements. Since this procedure occurs invisibly, it is considered frictionless.  Customers are guided to the order confirmation page without being informed that their transaction has been screened.

Liability Shift

When the liability for chargeback loss is transferred back to the bank from the merchant. This typically occurs during eCommerce transactions in which the cardholder denies making a purchase, as well as fraudulent transactions.

Non-Payment User authentication

A category of 3DS messages that can be used to verify identity outside of the payment ecosystem, allowing wallet providers and issuers to streamline the provisioning and activation of cardholders in a secure manner. Discover more about 3DS2 non-payment authentication.

One Time Passwords

One-time passwords is a system that provides a mechanism for logging on to a network or service with a password that is unique and valid for only one login session or transaction. This protects online bank accounts, enterprise networks, and other systems that contain sensitive information, from certain types of identity fraud by making sure that a stored username and password cannot be used more than once.

Out Of Band Authentication

Out of band (OOB) authentication is the protection authentication mechanism that requires two distinct signals from two distinct separate channels or networks. In a business environment, an OOB satisfies security requirements by generating a request for secondary verification.

Payment Gateway

An online service that authorises the transfer of funds between sellers and buyers in an online marketplace. It encourages transactions by transferring data between payment portals, such as a website and a bank.

Payment Service Directive 2 (PSD2)

A type of payment service directive. Since banks are no longer the only entity with access to their customers' data. PSD2 permits bank customers to grant third parties access to their account information and the authority to manage their finances. For instance, Facebook could be used to make payments directly from customers' bank accounts.

Risk-Based Authentication

An authentication and authorisation technology that uses a variety of user-provided factors. This includes evaluating the user's behaviour, devices, and other variables to determine if they pose a threat. If the user fails to meet a set standard, they will be urged to provide additional verification information. This could be the answer to a security question or a biometric element. Explore the topic of risk-based authentication.

Strong Customer Authentication (SCA)

Using biometrics to validate card-not-present digital transactions is a new European legal mandate designed to make online payments more secure. With the PSD2 (Revised Payment Service Directive) regulations, the user will be required to provide more information than just the card number and CVC verification code at the time of payment. SCA uses three distinct types of information to confirm user identities:

   1. Information the user knows, such as a password or PIN
   2. Something the user owns, such as a card or mobile phone
   3. Something the user is, such as fingerprints or facial recognition

Transaction/Cart Abandonment

The act of a potential eCommerce customer abandoning their purchases/shopping cart during the payment phase of the checkout process. This typically occurs when a customer forgets the additional 3-D Secure verification requirement or when the page does not display correctly on a mobile device.

Two Factor Authentication (2FA)

A type of multi-factor authentication that verifies the claimed identities of users. The method authenticates the transaction using two of the three factors:

   1. Information the user knows, such as a password or PIN
   2. Something the user owns, such as a card or mobile phone
   3. Something the user is, such as fingerprints or facial recognition