EMV® 3-D Secure
21 October 2019 – Confidential
EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo.
Copyright ©2017 EMVCo. Copyright ©2019 EMVCo – Confidential
Agenda
EMV® 3DS Flows and Data
EMV® 3DS v2.3 Scope
EMV® 3DS BROWSER-BASED FLOWS AND DATA
EMV® 3-D Secure Components
• Access Control Server (ACS) – responsible for authentication of the cardholder
• Directory Server (DS) – operated by each participating Payment System
• 3DS Server – communicates with the merchant environment and the Directory Server (DS) to send and receive authentication messages
• 3DS SDK – running on the consumer device, communicates with the 3DS Requestor Environment and the Access Control Server (ACS)
3-D Secure – Browser-based Processing Flow
EMV® 3DS Data Elements

Travel Industry Data (Message Extension)
Destination Airport
Known Traveler Indicator
Origin Airport
Loyalty Program Level
Departure Date
Frequent Flyer Indicator
Service Class
Return Date
Airline Carriers
Airline Ticket Type
Airline Ticket Amount
Routing Codes
Primary Passenger
Other Passengers
Airline Ticket Currency
Airline Ticket Count

EMV® 3-D Secure Data (Initial Message – AReq)
Acquirer BIN
Acquirer Merchant ID
Card Expiry Date
Cardholder Account Number
DS URL
Merchant Country Code
Message Category, Extension, Type, Version
Purchase Amount, Currency, Date & Time
Recurring Expiry, Frequency
Browser User-Agent
IP address
Browser Time Zone
JavaScript Enabled
Cardholder Email Address, Home Phone Number, Mobile Phone Number, Work Phone Number
Cardholder Name
SDK App ID, SDK Encrypted Data, Ephemeral Public Key
SDK Reference Number, SDK Transaction ID
3DS Requestor URL, App URL
Browser Accept Headers
Cardholder Account Information (Account Age, Change, Password Change, Number of Transactions per Day / Year, Shipping Name Indicator, Suspicious Activity, Payment Account Age etc.)
Cardholder Account Identifier, Billing Address
Cardholder Shipping Address
Transaction Type
Account Type
Browser Time Zone
DS Reference Number, Transaction ID
EMV Payment Token Indicator, Payment Token Source
Purchase Date & Time
Recurring Expiry, Frequency
3DS Server Reference Number, Operator ID, Transaction ID, URL
Address Match Indicator
Device Channel, Device Information, Rendering Options Supported
Message Category, Type
Merchant Name
Merchant Country Code
Merchant Category Code
Merchant Risk Indicator (Delivery Timeframe, Re-order, Pre-order, Gift Card)
3DS Requestor Authentication Information (Method), Challenge Indicator, ID, Initiated Indicator
3DS Requestor Name, Non-payment Indicator, Prior Transaction Authentication information
Instalment Payment Data
Browser Java Enabled, Language, Screen Color Depth, Height, Width

Whitelisting Status, Status Source
ACS Decoupled Confirmation Indicator
3DS Requestor Decoupled Max Time, Decoupled Request Indicator
3DS Requestor Authentication Method Verification Indicator
EMV® 3DS V2.3 SCOPE
Core Principles for EMV® 3DS v2.3
New Authentication Channels
Enhance the user experience on gaming consoles and other smart devices
• Add additional support for OS/Platform Providers
• Introduce new SDK models

Improve User Experience
Further enhance existing authentication flows and templates
• Usability study to determine and validate flows and templates
• Include updates to help the cardholder transition seamlessly from their Merchant App to the Issuer Authentication App by eliminating the need for a push notification

Promotion of Frictionless Authentication
• Working with FIDO Alliance to establish FIDO authentication data for use in EMV 3DS messages and defining additional use cases
• Working with Secure Remote Commerce (SRC) Working Group to determine further SRC requirements for EMV 3DS
EMV® 3DS and FIDO Alliance
FIDO use case: Promotion of a frictionless authentication experience
• 3DSWG and FIDO Alliance to define the FIDO Assertion data that can be used in EMV 3DS messages. Issuers may use FIDO Assertion data to evaluate merchant-initiated FIDO Authentication (Assertion) as part of their risk evaluations.
• In July 2019, FIDO Alliance completed the definition of the data set to be used for this use case and shared it with EMVCo.
• The data set will be documented and communicated to EMVCo Associates and Subscribers.
QUESTIONS
Questions - WPSIG
• What alternatives can be suggested if access to browser information is restricted?
• Need to better understand how these elements work
  – Trust tokens
  – Token Binding…
Thank you!
For more information: www.emvco.com