EMV® 3-D Secure

21 October 2019 – Confidential EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo.

Copyright ©2017 EMVCo 2Copyright ©2019 EMVCo – Confidential 2

Agenda

EMV® 3DS Flows and Data

EMV® 3DS v2.3 Scope

Copyright ©2017 EMVCo 3Copyright ©2019 EMVCo – Confidential 3

EMV® 3DS BROWSER-BASED FLOWS AND DATA

Copyright ©2017 EMVCo 4Copyright ©2019 EMVCo – Confidential 4

ACSThe Access Control Server (ACS) – responsible for authentication of the cardholder

DSDirectory Server (DS) – operated by each participating Payment System

3DS Server

3DS server – communicates with the merchant environment and the Directory Server (DS) to send and receive authentication messages

SDK

3DS SDK running on the consumer device communicates with the 3DS Requestor Environment and the Access Control Server (ACS)

EMV® 3-D Secure Components

Copyright ©2017 EMVCo 5Copyright ©2019 EMVCo – Confidential 5

3-D Secure – Browser-based Processing Flow

Copyright ©2017 EMVCo 6Copyright ©2019 EMVCo – Confidential 6

+Destination Airport

Known Traveler Indicator

Origin Airport

Loyalty Program Level

Departure Date

Frequent Flyer Indicator

Service Class

Return Date

Airline Carriers

Airline Ticket Type

Airline Ticket Amount

Routing Codes

Primary Passenger

Other Passengers

Airline Ticket Currency

Airline Ticket Count

Travel Industry Data (Message Extension)

Acquirer BIN

Acquirer Merchant ID

Card Expiry Date

Cardholder Account Number

DS URL

Merchant Country Code

Message Category, Extension, Type, Version

Purchase Amount, Currency, Date & Time

Recurring Expiry, Frequency

Browser User-Agent

IP address

Browser Time ZoneJavaScript Enabled

Cardholder Email Address, Home Phone Number, Mobile Phone Number, Work Phone Number

Cardholder Name

SDK App ID, SDK Encrypted Data, Ephemeral Public Key

SDK Reference Number, SDK Transaction ID

3DS Requestor URL, App URL

Browser Accept Headers

Cardholder Account Information (Account Age,

Change, Password Change, Number of Transactions per Day / Year,

Shipping Name Indicator, Suspicious Activity, Payment Account Age etc.)

Cardholder Account Identifier, Billing Address

Cardholder Shipping Address

Transaction Type

Account Type

Browser Time Zone

DS Reference Number, Transaction ID

EMV Payment Token Indicator, Payment Token Source

Purchase Date & Time

Recurring Expiry, Frequency

3DS Server Reference Number, Operator ID, Transaction ID, URL

Address Match Indicator

Device Channel, Device Information, Rendering Options

Supported

Message Category, Type

Merchant Name

Merchant Country Code

Merchant Category Code

Merchant Risk Indicator (Delivery Timeframe, Re-order, Pre-order, Gift Card)

3DS Requestor Authentication Information (Method), Challenge Indicator, ID, Initiated

Indicator

3DS Requestor Name, Non-payment Indicator, Prior Transaction Authentication information

Instalment Payment Data

Browser Java Enabled, Language, Screen Color Depth, Height, Width

EMV® 3-D Secure Data (Initial Message – AReq)

Whitelisting Status, Status Source

ACS Decoupled Confirmation Indicator

3DS Requestor Decoupled Max Time, Decoupled Request Indicator

3DS Requestor Authentication Method Verification Indicator

EMV® 3DS Data Elements

Copyright ©2017 EMVCo 7Copyright ©2019 EMVCo – Confidential 7

EMV® 3DS V2.3 SCOPE

Copyright ©2017 EMVCo 8Copyright ©2019 EMVCo – Confidential 8

Core Principles for EMV® 3DS v2.3

New Authentication ChannelsEnhance the user experience on gaming consoles and other smart devices• Add additional support for OS/Platform Providers• Introduce new SDK models

Improve User ExperienceFurther enhance existing authentication flows and templates• Usability study to determine and validate

flows and templates• Include updates to help the cardholder

transition seamlessly from their Merchant App to the Issuer Authentication App by eliminating the need of a push notification

Promotion of Frictionless Authentication• Working with FIDO Alliance to establish FIDO

authentication data for use in EMV 3DS messages and defining additional use cases

• Working with Secure Remote Commerce (SRC) Working Group to determine further SRC requirements for EMV 3DS

Copyright ©2017 EMVCo 9Copyright ©2019 EMVCo – Confidential 9

EMV® 3DS and FIDO Alliance

FIDO use case: Promotion of a frictionless authentication experience

• 3DSWG and FIDO Alliance to define the FIDO Assertion data that can be used in EMV 3DS messages. Issuers may use FIDO Assertion data to evaluate merchant-initiated FIDO Authentication (Assertion) as part of their risk evaluations.

• In July 2019, FIDO Alliance completed definition of the data set to be used for this use case and shared with EMVCo.

• The data set will be documented and communicated to EMVCo Associates and Subscribers.

Copyright ©2017 EMVCo 10Copyright ©2019 EMVCo – Confidential 10

QUESTIONS

Copyright ©2017 EMVCo 11Copyright ©2019 EMVCo – Confidential 11

• What alternatives can be suggested if access to browser information is restricted?

• Need to better understand how these elements work

– Trust tokens

– Token Binding…

Questions - WPSIG

Copyright ©2017 EMVCo 12Copyright ©2019 EMVCo – Confidential 12

Thank you!For more information www.emvco.com

Official specification & supporting material portal

FAQs general & technical

Seminar & meetings details

EMVCo approved products & accredited labs

White papers & best practice guides

or join us on LinkedIn.