What is Payment Authentication: Meaning, Types and Payment Authentication Solutions

Payment fraud is a serious concern for both merchants and consumers who shop online. Having your card details stolen is a serious risk to your sensitive financial information. Meanwhile, merchants face the risk of chargebacks, fraud and other issues if payment authentication is not accurate.

Payment authentication was introduced to address this concern. And while it is not absolutely perfect, it does offer much greater assurances of online payment security to both consumers and merchants.

If you are wondering about payment authentication, how it works, and where you can find the ideal solution, this article is for you. Keep reading to learn more about the authentication process and the different types of authentication you can rely on.

What is payment authentication?

Preventing fraudulent transactions in card-not-present (CNP) payments, such as online purchases, has become a critical imperative over the past few years. The European Union’s Payment Services Directive (PSD) ushered in Strong Customer Authentication (SCA) to reduce fraud.

SCA mandates the use of multi-factor authentication. As such, payment authentication came into being. It ensures that only the legitimate cardholder can proceed with an online purchase. During the merchant’s checkout process, the cardholder confirms their identity with details based on something only the user knows, has or is.

These authentication factors in electronic payments are commonly grouped into three categories:

  • Knowledge: This refers to information that only the customer has or has access to. For example, they can enter a PIN or a one-time passcode they received when making a payment online to confirm they truly are the legitimate cardholder of the card used to make the payment. It can also be a password or a security question that only the cardholder knows.
  • Possession: As the name suggests, possession refers to something the cardholder possesses. This can include physical things such as smartphones, computers, tablets, etc.
  • Inherence: This identifying factor focuses on biometric authentication, which considers the cardholder’s biometric details, such as an iris scan, voice recognition, facial recognition, fingerprint scan, or something else.

In this context, most cardholders must “prove” at least two of the three factors mentioned above. It is not compulsory to use all three at the same time. In addition, some cardholders and merchants are exempt from using payment authentication solutions.

How does payment authentication work?

Payment authentication starts when a person seeks to make an online card payment. On the merchant’s checkout page, they are prompted to enter their credit or debit card data. This includes the cardholder name, the primary account number (PAN), the card’s expiry date and the Card Verification Value, which is often found on the back of the card.

However, before payment can proceed, the cardholder must prove their identity. This is where the different payment authentication methods come into play. We cover these in more detail below.

When one or two of the card verification checks are triggered, the cardholder must enter a PIN, password, biometric information or another means of authenticating themselves before the transaction proceeds. The payment authorisation process kicks in once there is a “match” on the identifying factors.

Payment authentication methods

To protect merchants and cardholders alike, several payment authentication methods must be considered. These include 3D Secure, Address Verification Systems, Card Verification Value, geolocation, and the challenge handshake authentication protocol: CHAP. Let’s explore each one in more detail below.

3D Secure

3D Secure is an authentication protocol developed by card networks such as Visa and Mastercard. This is one of the most common ways in which Strong Customer Authentication is implemented. It can create a frictionless payment experience or introduce challenge payment flows where the customer’s identity is proven through two-factor authentication.

Address Verification System (AVS)

Other authentication methods include AVS or Address Verification System checks. This is a payment authentication process during which the customer enters their billing address, which is matched against what the cardholder’s bank or card issuer has on record for that customer.

However, matching the cardholder’s address comes with a few challenges. One is that this method is often limited to the US, UK, and Canada. The second is that only the numerical portion of the address is checked, such as a street number or postal code.
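The numeric-only comparison described above, as an added example that is not myPOS or card-network code. It assumes every digit in a field is concatenated before comparing; the function names, result labels and sample addresses are constructed for illustration, and real issuers differ in how they extract digits.

```python
import re


def digits(text: str) -> str:
    """Return only the digits of a field, the part an AVS check compares."""
    return "".join(re.findall(r"\d", text))


def avs_check(entered_street, entered_postcode, file_street, file_postcode):
    """Compare numeric portions only; the result labels are illustrative."""
    # A field with no digits (e.g. a named house) gives nothing to compare,
    # so it is treated as a non-match instead of an empty-equals-empty match.
    street_ok = bool(digits(file_street)) and (
        digits(entered_street) == digits(file_street))
    postcode_ok = bool(digits(file_postcode)) and (
        digits(entered_postcode) == digits(file_postcode))
    if street_ok and postcode_ok:
        return "full_match"
    if street_ok:
        return "street_only"
    if postcode_ok:
        return "postcode_only"
    return "no_match"


# Constructed billing record held by the issuer (sample data).
ON_FILE = ("12 Oak Street", "SW1A 1AA")

# Constructed checkout entries.
SAMPLES = {
    "exact": ("12 Oak Street", "SW1A 1AA"),
    "wrong street name": ("12 Elm Avenue", "SW1A 1AA"),
    "wrong house number": ("14 Oak Street", "SW1A 1AA"),
    "wrong postcode": ("12 Oak Street", "SW1A 2AA"),
    "no digits entered": ("Rose Cottage", "unknown"),
}


def run_samples():
    """Run every constructed entry against the record on file."""
    return {name: avs_check(*entry, *ON_FILE) for name, entry in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:20} -> {result}")
```

The "wrong street name" entry still returns a full match, which is why an AVS result is best treated as one risk signal alongside the other checks rather than as proof of identity.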

Card Verification Value (CVV)

The Card Verification Value (CVV) is a three- or four-digit number that usually appears on the back of a customer’s card. This information should, in theory, only be known by the genuine cardholder, as the card should only be in their possession. These checks are important because they help to verify the cardholder’s identity and prevent identity theft.


Furthermore, it is possible to consider the cardholder’s geolocation and determine the risk of a potentially fraudulent transaction. For this, the user’s location is established through GPS, Wi-Fi triangulation and IP address analysis and is then compared with the physical address on the card.

Challenge-Handshake Authentication Protocol

Under the Challenge Handshake Authentication Protocol or CHAP, a cardholder is asked to correctly answer a secret question with an answer only they know.

With CHAP, the answer would have previously been recorded and stored on the CHAP server. This means that whenever a customer answers the question, their response is evaluated against the information that is already in the system.

Another element of the CHAP method of authenticating payments is generating different questions for each session. This ensures that user passwords and secret answers are protected from fraudulent actors.

Overall, these authentication methods aim to ensure greater security, minimise risks and optimise payment authentication.

Payment authentication vs authorisation

Whereas payment authentication works with online payment transactions, payment authorisation takes place on a different level. The authorisation process begins after the multi-factor authentication, such as a push notification, has passed successfully.

During the next stage of online transactions, the merchant’s bank, the customer’s bank, and the acquiring bank communicate to determine whether there are sufficient funds in the cardholder’s account. If there aren’t, the transaction is declined.

If there are, the payment is authorised and is transferred into the merchant’s account. This process is called payment authorisation.

What are the key challenges in payment systems?

Creating a secure financial environment is an important challenge to address. However, it is not always easy.

Some of the most important issues to deal with include:

  • Continued threats from fraudsters using sophisticated methods;
  • Ensuring compliance with regulatory requirements;
  • Lack of cross-border standardisation;
  • The need for continued evolution to adapt to changing threats.

Common solutions in payment authentication

Ensuring strong authentication means ensuring that merchants and customers are protected.

However, this requires working with a payment service provider that can engage in addressing issues such as:

  • Identity theft;
  • The use of stolen card details;
  • Refund fraud;
  • Bank identification number (BIN) attacks;
  • Card testing;
  • Triangulation fraud;
  • Account takeover.

Ultimately, merchants can boost their conversion rates while cardholders know that their digital transactions undergo stringent verification, for a smooth and safe purchase process.

Does my business need to use payment authentication methods?

If you run an online or e-commerce business, ensuring you can request authentication is critical. A business that initiates payment authentication builds trust and credibility among its audience and buyers.

As such, any online business should focus on complying with industry regulations and ensuring they have the right payment authentication methods in place for a safer online shopping experience.

How can myPOS help you implement payment authentication methods?

myPOS is a fintech services provider aimed at helping merchants, both in person and online, offer their customers a safe and secure payment experience.

With full regulatory compliance in place, we can assist you in ensuring that your online business meets industry standards and is fully compliant with the law regarding payment acceptance.

Plus, with us, you get a free merchant account, which you can access from a mobile app. This enables you to check your transaction history, make and receive payments instantly, among many other advantages.

With 3DS2 securely in place, isn’t it time you ensured your business remained competitive while accepting multiple payment methods?


Payment authentication is a critical component of any online business offering. It ensures regulatory compliance and assures customers that their sensitive cardholder details are safe when they shop at your online store.

If you need any help or advice on implementing Strong Customer Authentication and remaining compliant, don’t hesitate to contact us. Our friendly and helpful team is ready to help.

Frequently Asked Questions

Strong Customer Authentication (SCA) is a regulatory directive that ensures a banking card that a user possesses is truly their own. It uses multiple methods of authentication to confirm the cardholder’s identity.

Whether through a mobile banking app or an embedded segment of the merchant’s checkout, a cardholder must enter a PIN or an OTP before the transaction can proceed from authentication to authorisation.

Payment authentication is the process of verifying a cardholder’s identity through means such as the user’s location, device identification or other methods. On the other hand, failed payment authentication means that the cardholder was unable to prove they are the legitimate owner of the card in question, and the online transaction will not proceed. Through behavioural data analysis, payment processors deny authentication due to a perceived level of risk.
