Date post: | 06-May-2018 |
3-D Secure 2.0 Workshop – slide 2
3-D Secure 2.0 Naming Changes
With the support of non-payment authentication in 3DS 2.0, authentication requests are no longer necessarily initiated by a merchant.

Previous 3DS 1.0 Term        3DS 2.0 Term
Merchant                     3DS Requestor (a merchant is one example of a 3DS Requestor)
Merchant Plug-in (MPI)       3DS Server
n/a                          3DS Requestor Environment
Merchant Integrator          3DS Integrator
n/a                          3DS Requestor App
3-D Secure 2.0 Workshop – slide 3
3-D Secure Environment
Source: EMVCo - EMV® 3-D Secure – Protocol and Core Functions Specification version 2.0.0, October 2016
3-D Secure 2.0 Workshop – slide 4
3DS 2.0 Base Use Cases
Support for application- and browser-based use cases across payment and non-payment authentication

Payment Authentication
• Cardholder makes a purchase via browser or mobile in-app
Non-Payment Authentication
• Example: Issuer challenges the cardholder for initial provisioning of payment credentials to a mobile digital wallet or a merchant card-on-file system
Application & Browser-based Support
• The cardholder may be authenticated without additional input (“frictionless”) or may be required to take additional action (“challenge”)
3-D Secure 2.0 Workshop – slide 5
3DS 2.0 Base Use Cases

                        (A) Frictionless    (B) Challenge
Application-based
  1 Payment                   1A                 1B
  2 Non-payment               2A                 2B
Browser-based
  3 Payment                   3A                 3B
  4 Non-payment               4A                 4B
3-D Secure 2.0 Workshop – slide 7
Application-based Payment Example: Frictionless Flow (use case 1A)
1. The consumer adds the item to their shopping cart, completes the standard purchase information and confirms the purchase.
2. The purchase information, along with device data and other details, is submitted to the ACS to determine cardholder authentication.
3. The ACS was able to authenticate the cardholder via risk-based authentication, and the cardholder is authenticated invisibly.
3-D Secure 2.0 Workshop – slide 8
Application-based Payment Example: Frictionless Flow (use case 1A)
In the Application-based flow, the 3DS Client is the 3DS SDK.
Source: EMVCo - EMV® 3-D Secure – Protocol and Core Functions Specification version 2.0.0, October 2016
3-D Secure 2.0 Workshop – slide 9
Application-based Payment Example: Challenge Flow – One Time Passcode (OTP) (use case 1B)
1. The consumer adds the item to their shopping cart, completes the standard purchase information and confirms the purchase.
2. The purchase information, along with device data and other details, is submitted to the ACS to determine cardholder authentication.
3. The ACS was not able to authenticate the cardholder invisibly via risk-based authentication. The cardholder is asked to enter an OTP (challenge) to authenticate themselves.
3-D Secure 2.0 Workshop – slide 10
Application-based Payment Example: Challenge Flow – One Time Passcode (OTP) (use case 1B)
4. The OTP information is sent to the ACS for verification.
5. The ACS was able to verify the cardholder via the OTP, and the cardholder is authenticated.
3-D Secure 2.0 Workshop – slide 11
Application-based Payment Example: Challenge Flow (use case 1B)
In the Application-based flow, the 3DS Client is the 3DS SDK.
Source: EMVCo - EMV® 3-D Secure – Protocol and Core Functions Specification version 2.0.0, October 2016
3-D Secure 2.0 Workshop – slide 13
Developing Consumer Experience Approach
1. Research & Map
• Gather market & consumer data, analyze
• Map the existing 3DS 1.0 journey to identify pain points
2. Iterate
• Create a set of UI principles from the insight gained
• Internal rapid design testing to enhance and fix what doesn’t work
3. Validate
• Test final designs amongst a larger market sample with a quantitative study
3-D Secure 2.0 Workshop – slide 14
Challenge with One-time Passcode (OTP): Success
Source: EMVCo – 3DS 2.0 Demo & Webinar
3-D Secure 2.0 Workshop – slide 15
UI Type
Native UI Benefits
• Integrates seamlessly into the Merchant App UI with a user-friendly way to enter challenge data
• Merchant look and feel
HTML Benefits
• Allows for use of Issuer branding, Issuer design, and Payment System branding familiar to the Cardholder
• Provides flexibility to the Issuer to leverage an established authentication experience for the cardholder
• Can be used for cardholder entry of static data (e.g. answering knowledge-based questions)
• Content from the ACS (HTML, CSS) is delivered in-band with the protocol
A global EMVCo study showed that the presence of network and bank logos conveys more clearly to the cardholder which trusted party is performing the authentication.
3-D Secure 2.0 Workshop – slide 16
Native UI Example (screen annotations)
• Heading: managed by 3DS Requestor
• ACS UI Type: Text = 1
• Challenge Information Text
• Challenge Information Label
• “Why” Information Label
• Expandable Information Label 1
• Expandable Information Text 1
• Label and Action: managed by 3DS Requestor
Source: EMVCo – 3DS 2.0 Demo & Webinar
3-D Secure 2.0 Workshop – slide 17
HTML Knowledge Based Example
Provided by Merchant App, displayed by SDK
HTML provided by ACS, displayed by SDK
Provided by Merchant App, displayed by SDK
When the cardholder selects “Cancel & Continue Shopping” they are redirected back to the shopping cart.
Source: EMVCo – 3DS 2.0 Demo & Webinar
3-D Secure 2.0 Workshop – slide 18
HTML Knowledge Based Alternative Example
Source: EMVCo – 3DS 2.0 Demo & Webinar
3-D Secure 2.0 Workshop – slide 21
3-D Secure 2.0 SDK Overview
The SDK specifications were published by EMVCo in January 2017 to enable 3DS authentication in mobile-based apps.
A. SDK Specification – Jan 2017: provides the framework for creation of a testable SDK that handles all of the functionality of 3DS within apps
B. SDK Device Information – Jan 2017: describes the device identification parameters collected by the SDK
C. SDK Technical Guide – March 2017: provides insight on the implementation of the SDK
3-D Secure 2.0 Workshop – slide 22
What is the 3DS SDK Design Specification? (A)
An SDK, or Software Development Kit, is a programming package that allows a developer to provide specific functionality within an app.
The 3DS SDK specification provides the framework for creation of a testable SDK that handles all of the functionality of 3DS within apps.
The 3DS SDK Spec provides:
• Security requirements & guidelines
• Definition of consistent & testable interfaces
• UI mapping framework & best practices
• Data & error handling requirements & guidelines
The 3DS SDK Spec is not:
• A distributable software package
• Detail of how to develop 3-D Secure SDK interfaces
• Detail on how to implement / develop requirements
• Detail on how to code the UI
3-D Secure 2.0 Workshop – slide 23
SDK Component Architecture
Source: EMVCo - EMV® 3-D Secure – SDK Specification version 2.0.0, January 2017
3-D Secure 2.0 Workshop – slide 24
What is 3-D Secure SDK Device Information? (B)
Device Information shall be used to identify mobile devices in the 3-D Secure ecosystem.
The 3-D Secure SDK Device Information document describes the device identification parameters that shall be collected by the 3-D Secure SDK.
Example Common Parameters
Example Device-specific Parameters
Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017
3-D Secure 2.0 Workshop – slide 25
What is 3-D Secure SDK Device Information? (B)
Device Information also includes environmental information.
Security Warnings
The 3DS SDK shall check the condition of the device during initialization. The SDK shall make the result of the checks available as a list of warnings to the Merchant App and include them in the Device Information JSON data.

Security Warning ID   Description                                       Severity Level
SW01                  The device is jailbroken.                         HIGH
SW02                  The integrity of the SDK has been tampered.       HIGH
SW03                  An emulator is being used to run the App.         HIGH
SW04                  A debugger is attached to the App.                MEDIUM
SW05                  The OS or the OS version is not supported.        HIGH
Source: EMVCo - EMV® 3-D Secure – SDK Device Information version 2.0.0, January 2017
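As an added illustration (not EMVCo's code and not the SDK specification's own JSON layout), the following Python shows how an SDK could turn its initialization checks into the warning list above, and how a 3DS Server or ACS could evaluate that list when deciding whether a transaction can stay frictionless; the check names and the "DD"/"SW" JSON keys are assumptions.

```python
import json

# Security warning catalogue as listed on the slide (ID -> (description, severity)).
SECURITY_WARNINGS = {
    "SW01": ("The device is jailbroken.", "HIGH"),
    "SW02": ("The integrity of the SDK has been tampered.", "HIGH"),
    "SW03": ("An emulator is being used to run the App.", "HIGH"),
    "SW04": ("A debugger is attached to the App.", "MEDIUM"),
    "SW05": ("The OS or the OS version is not supported.", "HIGH"),
}

# Hypothetical mapping from SDK initialization checks to warning IDs; the real
# checks are platform-specific and are not described on the slide.
CHECK_TO_WARNING = {
    "jailbroken": "SW01",
    "sdk_tampered": "SW02",
    "emulator": "SW03",
    "debugger_attached": "SW04",
    "os_unsupported": "SW05",
}

def collect_warnings(check_results):
    """Turn the boolean results of the initialization checks into the
    ordered list of warning IDs the SDK exposes to the Merchant App."""
    return [wid for check, wid in CHECK_TO_WARNING.items() if check_results.get(check)]

def build_device_info(device_data, warnings):
    """Serialize device data plus warnings as JSON. The key names "DD" and
    "SW" are assumed here, not taken from the slide."""
    return json.dumps({"DD": device_data, "SW": warnings}, sort_keys=True)

def assess_device_info(device_info_json):
    """Server-side policy: parse the SDK's JSON and decide whether the
    transaction can stay frictionless. Any HIGH warning, or an unknown
    warning ID, forces a challenge; MEDIUM warnings are recorded only."""
    info = json.loads(device_info_json)
    high, medium = [], []
    for wid in info.get("SW", []):
        severity = SECURITY_WARNINGS.get(wid, (None, "HIGH"))[1]  # unknown -> HIGH
        (high if severity == "HIGH" else medium).append(wid)
    return {"decision": "challenge" if high else "frictionless",
            "high": high, "medium": medium}

if __name__ == "__main__":
    # Constructed sample: a jailbroken device with a debugger attached.
    sample_checks = {"jailbroken": True, "debugger_attached": True}
    info = build_device_info({"platform": "Android"}, collect_warnings(sample_checks))
    print(assess_device_info(info))
```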
3-D Secure 2.0 Workshop – slide 26
What is the 3-D Secure SDK Technical Guide? (C)
Provides insight on the implementation of the SDK. Examples and code samples are contained in the technical guide to give guidance on how a certain functionality can be implemented.

Content                                   Description
Overview and Scope                        • Covers the iOS, Android and Windows Phone platforms
                                          • EMVCo does not intend to maintain the SDK Technical Guide
Implementation of Transaction Flows       • SDK initiation
                                          • Frictionless flow, challenge flow
Security & Cryptography                   • Device data encryption
                                          • Diffie-Hellman process, JWS signature checking
                                          • Encryption of CReq / decryption of CRes
                                          • Implementation of security requirements
User Interface Implementation             • Navigation, examples, UI customization, accessibility
Merchant Implementation Considerations    • Including the 3DS 2.0 SDK in the 3DS Requestor App implementation
                                          • SDK initiation, transaction initiation
                                          • Implementing the AReq / ARes phase
                                          • Deciding to proceed to the challenge flow
                                          • Returning to the 3DS Requestor App from the SDK
Source: EMVCo - EMV® 3-D Secure – SDK Technical Guide – DRAFT – Dec 2016