Dynamic linking and the impact on online payments

Financial transactions are increasingly conducted online using computers, tablets, mobile phones and other internet-enabled devices. While this has improved speed and convenience, helping to create a better customer experience, the growth of online and mobile payments has also led to a dramatic rise in card-not-present fraud.

Figures from a recent Barclaycard survey highlighted this growth^[1]. Of those businesses accepting online payment, only 7.5% had seen a decrease in online payment fraud during the past five years, compared to 31.5% which had seen an increase in fraudulent activity. Meanwhile, 33% said levels remained roughly the same, while 27% did not know.

PSD2, and specifically SCA, is the response to payment fraud. While the legal activation date for SCA is 14 September 2019, the European Banking Authority (EBA) has extended the deadline to 31 December 2020 for adherence. The Financial Conduct Authority (FCA) previously agreed to a phased roll-out approach to March 2022 in the UK. At the time of publishing, the FCA has not formally announced its position regarding the EBA extension following the announcement. We recommend you get ready for December 2020 as best practice to avoid declines.

Strengthening two-factor authentication (2FA)

Dynamic linking forms a key part of the new security framework. It’s the element that enhances two-factor authentication (2FA), which requires at least two of the following to be used to authenticate remote payments:

• Something the customer knows, such as a PIN or password
• Something the customer has, such as a mobile phone or payment card
• Something the customer is, such as their fingerprint or voice pattern

The aim of the dynamic element in 2FA requires every transaction to be specifically linked to the transaction amount and the recipient. The aim is to prevent ‘man-in-the-middle’ attacks, where fraudsters can intercept and modify transactions in real time. For example, without dynamic linking, a transaction amount of £100 could be altered to £1,000 and be transferred to someone other than the intended recipient.

The requirements for dynamic linking

Dynamic linking was specified in Article 5 of the Regulatory Technical Standards (RTS), which define the legal requirements for SCA. There are four main requirements for transactions to be dynamically linked:

The payer must be made aware of the amount of the payment transaction and of the payee

The authentication code generated must be specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction

The authentication code accepted by the payment service provider (PSP) must correspond to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer

Any change to the amount or the payee will invalidate the authentication code generated.

A key concept with dynamic linking is ‘what you see is what you sign’ (WYSIWYS). In other words, all transactions should be transparent and tamper-proof, and payers should never be asked to authenticate any data that they don’t understand or can’t identify. The WYSIWYS concept helps prevent social engineering frauds, which is where payers are manoeuvred into authenticating data that they don’t understand.

Dynamic linking in practice

Dynamic linking impacts all major points in the payment chain. Merchants, for example, have to enable payers to be fully aware of the value and the payee’s identity, so this information must be clearly displayed at the time of the transaction. A merchant must therefore evaluate its current mobile applications or web browsers to ensure this is the case.

The requirement for authentication codes is at the heart of dynamic linking. The codes strengthen two-factor authentication, ensuring that SCA generates an auditable trail. The authentication for each transaction must be unique and specific to the transaction amount and the recipient.

The payer must first verify an online transaction by creating an authentication code with relevant transaction data (as a minimum the amount and information identifying the recipient). When the payment is sent, the code dynamically links to the payment details, so the payment can’t be compromised by man-in-the-middle frauds.

There are a number of technologies that could be used to generate these codes, with 3DS, tokenisation, EMV chips, digital signatures and cryptograms all ways of creating a unique reference.

Acceptance of the authentication code is the second part of dynamic linking, and may involve different codes across different channels. Only one code may be used to authenticate the transaction and it depends on which channel is used.

A further defence against fraudulent interceptions is provided by the stipulation that changes will invalidate authentication codes. Any alteration in payment details will require new authentication codes to be generated. It means the payer needs to be presented with the new information, in keeping with the principle that what you see is what you sign.

Dynamic linking also applies to batch transactions or bulk payments. Here, the authentication code must be specific to both the total combined value of transactions and to the different recipients. However, if the number of recipients is very large, it may not be possible to show all of them for validation.

Throughout the SCA transaction process, payment service providers have a duty to use security measures that provide confidentiality, authenticity and integrity – thus facilitating dynamic linking. The technology to achieve dynamic linking is not defined in the Regulatory Technical Standards, but 3D Secure 2 will be the de facto infrastructure for SCA and, therefore, dynamic linking.

The way forward

In June, the European Banking Authority acknowledged the complexities of SCA and dynamic linking, noting “that not all compliant elements may yet enable dynamic linking.” It further called for greater industry cooperation to ensure that “SCA approaches can enable dynamic linking.”

Dynamic linking is necessary to fight fraud and is a key part of SCA. Barclaycard has an important role to play in helping merchants navigate the new regulations and successfully implement all the requirements. That includes optimising transactions through exemptions and transaction risk analysis (TRA), ensuring the right balance between security and frictionless commerce.

• ^[1] Conducted by Barclaycard in association with YouGov, survey of 503 businesses, August 2019