Internet authentication
Protecting your online business from fraud
- Understand what it is and how to incorporate it into your business
- The authentication process – how it works for you and the cardholder
- Authentication and authorisation – understand the difference and how to combine them in one system
Overview
What is Internet Authentication and how does it work?
Internet Authentication is an industry-wide initiative that allows Visa, MasterCard and Maestro issuers to ask cardholders buying from websites to enter a password, so that the issuer can verify that they are the genuine cardholder. The issuer checks the password against the details it holds for the card and passes the result back to you, so you can accept the payment with more confidence.
Internet Authentication can help protect you against online fraud and reduce the likelihood of receiving fraud-related chargebacks. It's a service designed to protect your business from fraudulent payments and allow you to trade online more safely.
Once you're registered and operating Internet Authentication, Visa and MasterCard state that you should not suffer losses from fraudulent Visa or MasterCard transactions, or from chargebacks raised when a cardholder denies authorising a payment. This is the liability shift. It applies only to transactions whose authentication result qualifies, so your system needs to record the outcome of authentication for every payment rather than assume it.
Save time and money – and be safe online
Internet Authentication could save you a substantial amount of money by reducing chargebacks, as well as time, by cutting the long-winded manual back-office checks you carry out before accepting Visa, MasterCard or Maestro payments.
The payment, authorisation and settlement process

1. A customer browsing on the internet decides to buy from you with a Visa card, MasterCard or Maestro card.
2. Your payment pages (e.g. ePDQ CPI) send the card number to the Visa/MasterCard Directory Server, which then contacts the card issuer.
3. The card issuer confirms whether the cardholder has registered for Internet Authentication.
4. If the card issuer supports Internet Authentication and the card is enrolled, a 'pop-up' or 'in-line' web window from the issuer appears on the cardholder's screen. If not, the transaction proceeds directly to authorisation at step 7.
5. The card issuer asks for the cardholder's Internet Authentication password and accepts or rejects it.
6. If the password is correct, the payment process continues; if it is incorrect, the transaction may be stopped.
7. Your payment software (e.g. ePDQ) submits the payment details for authorisation and passes them to the acquirer (e.g. Barclaycard) for settlement.
Download more information:
Read Visa merchant best practice guide
View the internet authentication procedure guide
The authentication process
The Authentication and Authorisation Process
Secure online transaction processing with Internet Authentication combines the benefits of both authentication and authorisation.
- Authentication – is the process of checking that the cardholder is genuine. The card issuer verifies this by asking the cardholder to type in the password that matches the details registered at enrolment; the password is entered on the issuer's page, so you never see or store it yourself.
- Authorisation – is the process of making sure the cardholder has the funds to pay for the transaction and that the card has not been blocked for any reason. Once the card issuer has authenticated the customer, the payment processor (e.g. ePDQ) submits the transaction to the issuer for authorisation in the normal way.
The authentication process
Authentication takes place during the card payment process, after the cardholder has provided their card details, billing address and delivery address, and before the transaction is sent to the card issuing bank for authorisation.
From the cardholder's perspective, shopping is conducted as usual. When the final [BUY] button is clicked, a page from the card issuing bank is presented that asks the cardholder for a password. The password supplied must match the password the cardholder set during the enrolment process. Once the correct password is entered, the transaction continues as before and the cardholder is presented with a "transaction completed" page (typically a page that confirms that the purchase has been made and gives the cardholder an order or tracking number from your website).
Authentication process components
Authentication uses the 3-D Secure protocol to carry authentication requests and responses between the cardholder, the card issuer, your website and our hosted service. It is useful to understand how the components communicate; the diagram below shows the process:

The Hosted Authentication Service will perform the following:
- Interface with the card schemes' Directory Servers on your behalf to verify card enrolment
- Verify the signature of the PARes (Payer Authentication RESponse) you receive from the issuer, so that an unsigned or altered response is never treated as a successful authentication
You integrate with your application using the SDK, which makes your application authentication aware. The SDK communicates with the BMS Hosted Authentication Service for all of the functions: verifying card enrolment, creating the PAReq (Payer Authentication REQuest) message and verifying the PARes signature.
| Component | Description |
|---|---|
| Software Developer's Kit (SDK) | The SDK is hosted on your web servers and communicates directly with our hosted Merchant Service. |
| Hosted Merchant Service | This receives authentication requests from your SDK and communicates with the relevant scheme directory to perform authentication. We will maintain audit records on this service and will ensure compliance with scheme rules. |
| Directory Server (DS) | This is maintained by the card schemes (Visa and MasterCard) and provides details of the relevant issuer Access Control Server (ACS) for a given card number. The Directory Server can also determine if an issuer is participating in authentication and it may also determine whether an "attempts" response can be returned. |
| Access Control Server (ACS) | The Access Control Server is run by (or on behalf of) the card issuer. It performs two basic functions. It confirms to your SDK, via the Directory Server, whether a card number can be authenticated, and then controls the authentication process with the cardholder. When a cardholder is authenticated, the ACS sends a digitally signed message (the PARes) to your SDK, which includes an Issuer Authentication Value (IAV). |
| Account Holder File (AHF) | This is the database of all enrolled cardholders maintained by the card issuer. It contains all the details used to authenticate a cardholder. |
| Enrolment Server (ES) | This is the server that runs the cardholder enrolment service. It is outside of the actual payment process and can be used to enrol cardholders at any time. |
| Authentication History Server (AHS) | The Authentication History Server (AHS) provides a transaction audit of all authentication requests and their results. It keeps a receipt for each authentication request recording the card, purchase amount, merchant and timestamp of the authentication. AHS data is not made widely available and is used by the card schemes only in the event of arbitration. |
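The payment steps above and the component table describe one 3-D Secure exchange: an enrolment check through the Directory Server, a password check at the issuer's ACS, a signed PARes back to the merchant, and only then authorisation. The Go program below is an added example (it is not ePDQ, SDK or scheme code) that plays all three roles in one process so the merchant-side checks can be followed end to end. The VEReq, PAReq and PARes names are the protocol's; the field layout, the Ed25519 signature standing in for the XML signature on a real PARes, the test card 4000 0000 0000 0002, the password, the issuer key and the BIN table are all constructed for the example. It also goes a little beyond the text by showing what the MPI must check before trusting a PARes: that the signature verifies, and that the response belongs to the request it actually sent, since a signed "Y" for a different or cheaper transaction must not be accepted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// PAReq: merchant MPI -> issuer ACS via the cardholder's browser (example layout, not the real XML).
type PAReq struct {
	XID      string // merchant-generated transaction id
	Amount   int64  // minor units, e.g. pence
	Currency string
	PANHash  string // hash of the PAN; the ACS uses it to look up the Account Holder File
}

// PARes: issuer ACS -> merchant MPI. Status follows 3-D Secure 1.x TX.status: Y = authenticated, A = attempted, N = failed, U = unable.
type PARes struct {
	XID, Currency, PANHash, Status, IAV string
	Amount                              int64
	Sig                                 []byte // issuer signature over canonical()
}

// canonical is the byte string the ACS signs and the MPI verifies (stand-in for XML-DSig).
func (p PARes) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s|%s|%s|%s", p.XID, p.Amount, p.Currency, p.PANHash, p.Status, p.IAV))
}

func panHash(pan string) string { h := sha256.Sum256([]byte(pan)); return hex.EncodeToString(h[:]) }

// DirectoryServer answers the VEReq: is this card range enrolled with a participating issuer?
type DirectoryServer struct{ EnrolledBINs map[string]bool }

func (d DirectoryServer) VEReq(pan string) bool { return len(pan) >= 6 && d.EnrolledBINs[pan[:6]] }

// ACS holds the issuer's signing key and its Account Holder File (PAN hash -> password).
type ACS struct {
	Key ed25519.PrivateKey
	AHF map[string]string
}

// Authenticate checks the password and returns a signed PARes; status N when it does not match.
func (a ACS) Authenticate(req PAReq, password string) PARes {
	res := PARes{XID: req.XID, Amount: req.Amount, Currency: req.Currency, PANHash: req.PANHash, Status: "N"}
	if stored, ok := a.AHF[req.PANHash]; ok && subtle.ConstantTimeCompare([]byte(stored), []byte(password)) == 1 {
		iav := make([]byte, 20)
		rand.Read(iav) // IAV: opaque issuer value the merchant carries into the authorisation message
		res.Status, res.IAV = "Y", hex.EncodeToString(iav)
	}
	res.Sig = ed25519.Sign(a.Key, res.canonical())
	return res
}

// Outcome is what the MPI hands to authorisation and flags in the back office.
type Outcome struct {
	Proceed        bool   // send the transaction for authorisation?
	LiabilityShift bool   // does the scheme liability shift apply to this transaction?
	Status, IAV    string // Status is Y/A/N/U, or "not-enrolled" when no PAReq was sent
}

// VerifyPARes is the check the MPI must make before trusting a PARes: the signature must verify under
// the issuer/scheme public key, and the response must belong to the PAReq this MPI sent, so a signed
// "Y" captured from another (or cheaper) transaction cannot be replayed against this one.
func VerifyPARes(pub ed25519.PublicKey, sent PAReq, res PARes) (Outcome, error) {
	if !ed25519.Verify(pub, res.canonical(), res.Sig) {
		return Outcome{}, fmt.Errorf("PARes signature does not verify")
	}
	if res.XID != sent.XID || res.Amount != sent.Amount || res.Currency != sent.Currency || res.PANHash != sent.PANHash {
		return Outcome{}, fmt.Errorf("PARes does not match the PAReq that was sent")
	}
	switch res.Status {
	case "Y", "A": // an attempts response also carries the liability shift under 3-D Secure 1.x rules
		return Outcome{Proceed: true, LiabilityShift: true, Status: res.Status, IAV: res.IAV}, nil
	case "U": // issuer could not authenticate: proceeding is the merchant's own risk, no shift
		return Outcome{Proceed: true, Status: res.Status}, nil
	default: // "N": password rejected, stop the transaction
		return Outcome{Proceed: false, Status: res.Status}, nil
	}
}

// Checkout runs the enrolment check, password check and PARes verification for one purchase.
func Checkout(ds DirectoryServer, acs ACS, acsPub ed25519.PublicKey, pan, password string, amount int64, currency string) (Outcome, error) {
	if !ds.VEReq(pan) { // not enrolled: straight to authorisation, with no authentication to rely on
		return Outcome{Proceed: true, Status: "not-enrolled"}, nil
	}
	req := PAReq{XID: "xid-0001", Amount: amount, Currency: currency, PANHash: panHash(pan)}
	return VerifyPARes(acsPub, req, acs.Authenticate(req, password))
}

// NewTestIssuer builds a constructed issuer with one enrolled test card, 4000 0000 0000 0002.
func NewTestIssuer() (DirectoryServer, ACS, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ds := DirectoryServer{EnrolledBINs: map[string]bool{"400000": true}}
	return ds, ACS{Key: priv, AHF: map[string]string{panHash("4000000000000002"): "correct-horse"}}, pub
}

func main() {
	ds, acs, pub := NewTestIssuer()
	fmt.Println(Checkout(ds, acs, pub, "4000000000000002", "correct-horse", 1999, "GBP"))
	fmt.Println(Checkout(ds, acs, pub, "4000000000000002", "wrong-password", 1999, "GBP"))
}
```

Run it with `go run` to see an authenticated outcome (Proceed and LiabilityShift true, Status Y, an IAV present) followed by a rejected one (Status N, Proceed false). Treating "U" as "proceed without liability shift" is a merchant policy choice assumed here, and whether an attempts response earns the shift for a given scheme should be confirmed with your acquirer; what is not negotiable is that the signature and request-matching checks in VerifyPARes happen before any status value is believed.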
Our authentication process
Authentication services to suit you
We offer authentication services that can be easily integrated into our online payment system. These are:
- ePDQ CPI – it comes ready with built-in Internet Authentication and requires minimal configuration.
- ePDQ MPI – you can use our hosted Internet Authentication solution with your own authorisation integration. However, it requires some technical expertise to integrate this service, and it may be worth considering switching to ePDQ CPI instead, which handles authorisation as well as Internet Authentication.
Our ePDQ CPI is configured to flag Visa, MasterCard and Maestro transactions clearly to show whether Internet Authentication has been used, and whether the transaction will qualify for the liability shift if it turns out to be fraudulent. If you use ePDQ MPI, you are responsible for this configuration yourself, including recording the authentication result for each transaction so that you can tell which ones are covered.
