Verified by Visa 2 • Example: Issuer challenges cardholder for initial provisioning of payment...
Authentication Flows

| 3-D Secure 2.0 Workshop 2

3-D Secure 2.0 Naming Changes

With the support of non-payment authentication in 3DS 2.0, authentication requests are no longer necessarily initiated by a merchant.

Previous 3DS 1.0 Term        3DS 2.0 Term
Merchant                     3DS Requestor (merchant is used as the example)
Merchant Plug-in (MPI)       3DS Server
n/a                          3DS Requestor Environment
Merchant Integrator          3DS Integrator
n/a                          3DS Requestor App

3-D Secure Environment

Source: EMVCo - EMV® 3-D Secure – Protocol and Core Functions Specification version 2.0.0, October 2016

3DS 2.0 Base Use Cases

Support for application & browser-based use cases across payment and non-payment authentication.

Payment Authentication
• Cardholder makes purchase via browser or mobile in-app

Non-Payment Authentication
• Example: Issuer challenges cardholder for initial provisioning of payment credentials to a mobile digital wallet or merchant card-on-file system

Application & Browser-based Support
• May be authenticated without additional cardholder input (“frictionless”) or may require additional action (“challenge”)

3DS 2.0 Base Use Cases

                        (A) Frictionless    (B) Challenge
Application-based
  1 Payment                   1A                  1B
  2 Non-payment               2A                  2B
Browser-based
  3 Payment                   3A                  3B
  4 Non-payment               4A                  4B

Application-based Payment Example: Frictionless Flow (1A)

1. The consumer adds the item to their shopping cart, completes the standard purchase information and confirms the purchase.

2. The purchase information along with device data and other details are submitted to the ACS to determine cardholder authentication.

3. The ACS was able to authenticate the cardholder via ‘risk based authentication’ and the cardholder is authenticated invisibly.

Application-based Payment Example: Frictionless Flow (1A)

In the Application-based flow, the 3DS Client is the 3DS SDK.

Source: EMVCo - EMV® 3-D Secure – Protocol and Core Functions Specification version 2.0.0, October 2016

Application-based Payment Example: Challenge Flow – One Time Passcode (OTP) (1B)

1. The consumer adds the item to their shopping cart, completes the standard purchase information and confirms the purchase.

2. The purchase information along with device data and other details are submitted to the ACS to determine cardholder authentication.

3. The ACS was not able to authenticate the cardholder invisibly via ‘risk based authentication’. The cardholder is requested to enter an OTP (challenge) to authenticate themselves.

Application-based Payment Example: Challenge Flow – One Time Passcode (OTP) (1B)

4. The OTP information is sent to the ACS for verification.

5. The ACS was able to verify the cardholder via the OTP and the cardholder is authenticated.
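The 1A and 1B flows above, modelled as an added example (not EMVCo or Visa code): authenticate() stands in for steps 2–3, verify_otp() for steps 4–5. The risk rule, OTP format, validity window, attempt limit and the deliver() callback that plays the out-of-band channel are assumptions; transStatus values 'Y' and 'C' are the EMV 3DS result codes for "authenticated" and "challenge required", which the slides do not show.

```python
import hmac
import secrets
import time

# Constructed, simplified model of the 1A/1B flows on these slides; not EMVCo
# or Visa code. Risk rule, OTP format, TTL and attempt limit are assumptions.
OTP_TTL_SECONDS = 300    # assumed OTP validity window
MAX_OTP_ATTEMPTS = 3     # assumed wrong entries allowed before the challenge fails


class ACS:
    """Toy Access Control Server. authenticate() covers steps 2-3 (risk-based
    decision), verify_otp() covers steps 4-5 (OTP verification)."""

    def __init__(self, deliver):
        # deliver(txn, otp) stands in for the out-of-band channel (e.g. SMS)
        # carrying the OTP to the cardholder; the OTP is never returned to
        # the 3DS Requestor in the response.
        self.deliver = deliver
        self.challenges = {}  # txn id -> [otp, expiry, attempts left]

    def authenticate(self, areq):
        """Steps 2/3: purchase + device data arrive; frictionless or challenge?
        Returns transStatus 'Y' (authenticated) or 'C' (challenge required)."""
        # Assumed rule: a small amount from a device seen before passes invisibly.
        if areq["amount"] < 100 and areq["device_known"]:
            return {"transStatus": "Y"}                       # flow 1A
        otp = f"{secrets.randbelow(10**6):06d}"              # 6-digit OTP
        self.challenges[areq["txn"]] = [otp, time.time() + OTP_TTL_SECONDS, MAX_OTP_ATTEMPTS]
        self.deliver(areq["txn"], otp)
        return {"transStatus": "C"}                           # flow 1B

    def verify_otp(self, txn, entered):
        """Steps 4/5: the OTP entered during the challenge is verified by the ACS.
        Returns 'Y' on success, 'N' otherwise (unknown, expired, exhausted, wrong)."""
        entry = self.challenges.get(txn)
        if entry is None:
            return "N"
        otp, expiry, attempts = entry
        if time.time() > expiry or attempts <= 0:
            del self.challenges[txn]                          # challenge abandoned
            return "N"
        if hmac.compare_digest(otp.encode(), entered.encode()):  # constant-time compare
            del self.challenges[txn]                          # one successful use only
            return "Y"
        entry[2] -= 1                                         # count the failed attempt
        return "N"
```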

Application-based Payment Example: Challenge Flow (1B)

In the Application-based flow, the 3DS Client is the 3DS SDK.

Source: EMVCo - EMV® 3-D Secure – Protocol and Core Functions Specification version 2.0.0, October 2016

UI / UX

Developing Consumer Experience Approach

1. Map
   • Gather market & consumer data, analyze
   • Map existing 3DS 1.0 journey to identify pain points

2. Research & Iterate
   • Create set of UI principles from insight gained
   • Internal rapid design testing to enhance and fix what doesn’t work

3. Validate
   • Test final designs amongst larger market sample with quantitative study

Challenge with One-time Passcode (OTP) Success

Source: EMVCo – 3DS 2.0 Demo & Webinar

Native UI Benefits

• Integrates seamlessly into the Merchant App UI with a user friendly way to enter challenge data

• Merchant look and feel

HTML Benefits

• Allows for use of Issuer branding, Issuer design, and Payment System branding familiar to Cardholder

• Provides flexibility to the Issuer to leverage an established authentication experience for the cardholder

• Can be used for cardholder entry of static data (e.g. answering knowledge based questions)

• Content from ACS (HTML, CSS) is delivered in-band with the protocol

UI Type

A global EMVCo study showed that the presence of network and bank logos conveys more clearly to the cardholder which trusted party is performing the authentication.

Native UI Example

[Screenshot of a native challenge screen (ACS UI Type: Text = 1), annotated with: heading managed by the 3DS Requestor; Challenge Information Text; Challenge Information Label; “Why” Information Label; Expandable Information Label 1; Expandable Information Text 1; label and action managed by the 3DS Requestor]

Source: EMVCo – 3DS 2.0 Demo & Webinar

HTML Knowledge Based Example

[Screenshot of a knowledge-based challenge screen, annotated with: header provided by the Merchant App, displayed by the SDK; HTML provided by the ACS, displayed by the SDK; footer provided by the Merchant App, displayed by the SDK]

When the cardholder selects “Cancel & Continue Shopping” they are redirected back to the shopping cart.

Source: EMVCo – 3DS 2.0 Demo & Webinar

HTML Knowledge Based Alternative Example

Source: EMVCo – 3DS 2.0 Demo & Webinar

3DS 2.0 Payment security, evolved.

London Workshop – March 9th 2017

3-D Secure SDK Specification

3-D Secure 2.0 SDK Overview

The SDK specifications were published by EMVCo in January 2017 to enable 3DS authentication in mobile-based apps.

A. SDK Specification – Jan 2017
   Provides the framework for creation of a testable SDK that handles all of the functionality of 3DS within apps

B. SDK Device Information – Jan 2017
   Describes the device identification parameters collected by the SDK

C. SDK Technical Guide – March 2017
   Provides insight on the implementation of the SDK

What is the 3DS SDK Design Specification?

An SDK, or Software Development Kit, is a programming package that allows a developer to provide specific functionality within an app.

The 3DS SDK specification provides the framework for creation of a testable SDK that handles all of the functionality of 3DS within apps.

3DS SDK Spec is:

• Security requirements & guidelines

• Definition of consistent & testable interfaces

• UI mapping framework & best practices

• Data & error handling requirements & guidelines

3DS SDK Spec is not:

• Distributable software package

• Detail of how to develop 3-D Secure SDK interfaces

• Detail on how to implement / develop requirements

• Detail on how to code UI

SDK Component Architecture

Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017

What is 3-D Secure SDK Device Information?

Device Information shall be used to identify mobile devices in the 3-D Secure ecosystem. The 3-D Secure SDK Device Information document describes the device identification parameters that shall be collected by the 3-D Secure SDK.

[Slide shows example Common Parameters and example Device-specific Parameters; the parameter lists themselves are not reproduced in this transcript.]

Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017

What is 3-D Secure SDK Device Information? (continued)

Device Information also includes environmental information.

Security Warnings

The 3DS SDK shall check the condition of the device during initialization. The SDK shall make the result of the checks available as a list of warnings to the Merchant App and include them in the Device Information JSON data.

Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017

Security Warning ID   Description                                    Severity Level
SW01                  The device is jailbroken.                      HIGH
SW02                  The integrity of the SDK has been tampered.    HIGH
SW03                  An emulator is being used to run the App.      HIGH
SW04                  A debugger is attached to the App.             MEDIUM
SW05                  The OS or the OS version is not supported.     HIGH
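An added example of consuming the security warnings above on the server side (this is illustration code, not EMVCo's or Visa's): it reads the warning list out of Device Information JSON, rejects IDs outside the published table, and maps the highest severity to an authentication decision. The JSON key name "SW" and the HIGH-means-challenge policy are assumptions; the slides only say the warnings are included in the Device Information JSON data.

```python
import json

# Severity table as given on the SDK Device Information slide (SW01-SW05).
SECURITY_WARNINGS = {
    "SW01": ("The device is jailbroken.", "HIGH"),
    "SW02": ("The integrity of the SDK has been tampered.", "HIGH"),
    "SW03": ("An emulator is being used to run the App.", "HIGH"),
    "SW04": ("A debugger is attached to the App.", "MEDIUM"),
    "SW05": ("The OS or the OS version is not supported.", "HIGH"),
}
SEVERITY_RANK = {"MEDIUM": 1, "HIGH": 2}


def parse_security_warnings(device_info_json):
    """Return the list of warning IDs from Device Information JSON.
    The key name 'SW' is an assumption made for this example."""
    info = json.loads(device_info_json)
    ids = info.get("SW", [])
    unknown = sorted(set(ids) - set(SECURITY_WARNINGS))
    if unknown:
        # An ID outside the published table means a malformed or forged
        # payload; reject it rather than silently ignoring it.
        raise ValueError(f"unrecognised security warning(s): {unknown}")
    return list(ids)


def assess_device(device_info_json):
    """Assumed 3DS Requestor / ACS policy: any HIGH warning removes frictionless
    eligibility, a MEDIUM warning only raises the risk score. A tampered SDK
    (SW02) may also misreport the other checks, so the absence of warnings is a
    signal about the device, not proof that it is healthy."""
    ids = parse_security_warnings(device_info_json)
    highest = None
    for w in ids:
        sev = SECURITY_WARNINGS[w][1]
        if highest is None or SEVERITY_RANK[sev] > SEVERITY_RANK[highest]:
            highest = sev
    if highest == "HIGH":
        decision = "challenge"
    elif highest == "MEDIUM":
        decision = "frictionless_with_elevated_risk"
    else:
        decision = "frictionless_eligible"
    return {
        "warnings": [(w, SECURITY_WARNINGS[w][0]) for w in ids],
        "highest_severity": highest,
        "decision": decision,
    }
```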

What is the 3-D Secure SDK Technical Guide?

Provides insight on the implementation of the SDK. Examples and code samples are contained in the technical guide to give guidance on how a certain functionality can be implemented.

Content                                   Description
Overview and Scope                        • Covers the iOS, Android and Windows Phone platforms
                                          • EMVCo does not intend to maintain the SDK Technical Guide
Implementation of Transaction Flows       • SDK initiation
                                          • Frictionless flow, challenge flow
Security & Cryptography                   • Device data encryption
                                          • Diffie-Hellman process, JWS signature checking
                                          • Encryption of CReq / decryption of CRes
                                          • Implementation of security requirements
User Interface Implementation             • Navigation, examples, UI Customization, accessibility
Merchant Implementation Considerations    • Including 3DS 2.0 SDK in 3DS Requestor App implementation
                                          • SDK initiation, transaction initiation
                                          • Implementing the AReq / ARes-phase
                                          • Deciding to proceed to challenge flow
                                          • Returning to 3DS Requestor App from SDK

Source: EMVCo - EMV® 3-D Secure – SDK Technical Guide – DRAFT – Dec 2016

