May 29, 2023
by David Goodale
What is Two-Factor Authentication for payment processing?
(Slightly edited from video transcript for greater readability)
Hello, David here at Merchant-Accounts.ca. Today I'm tackling an easy question, what is two-factor authentication for payment processing? Stay tuned, we'll dig in in one second.
Now I'm going to start by talking about traditional online security.
You have AVS (Address Verification Service), that's where the customer types in their billing address, and you get the address verification security result.
Of course, on the back of your credit card, you also have that little three-digit number called the CVV code (Card Verification Value), that is an additional security check that people can utilize. It's like an extra thing that the credit card processor can tell you if it matched when an e-commerce transaction is processed.
But sometimes that's not enough, and that's where something like two-factor authentication comes in. That's where when the customer purchases something online, the transaction process is halted and a third party kicks in. That third party is almost always the card issuing bank. That's where the card issuer won't let the transaction be approved unless the cardholder does something.
They have to take a second step, a second factor of authentication. Commonly that can be a text to your cell phone: "We got this order from Swiss for $50, press one if this is a legitimate transaction." Then the customer does it and the bank has now gone through the second factor of authentication. When the e-commerce transaction is processed, that second-factor authentication token is passed through with the transaction. Your credit card processor knows that this passed the second factor of authentication, it's more secure. I'm going to stop there because if you want more content on the technical specifics of two-factor authentication, leave a message. When the transaction gets processed, the customer's doing this extra step, but it doesn't have to be a text.
It could be a phone call. The customer's card issuing bank calls the number on file, and says, "Hey, we've noticed your credit card's trying to be used at this merchant. Is that you?" You answer, you say yes. Again, you get the token. It could be a lot of folks. I noticed, my friends from the UK in particular, they'll have apps on their phones; the bank app sends a notification to the phone and they scan their fingerprints on the fingerprint reader on the phone. That passes the second factor of authentication.
Two-factor authentication operates between the card issuing bank and the card holder
Now, here's an important bit. How the second factor of authentication works is between the card issuing bank and the cardholder. That's not up to you, the merchant, you don't have to deal with it, it's just going to magically happen. Visa and MasterCard have taken care of that for us thankfully. Now, just as a side note, in the European Union, there is a directive called SCA (Strong Customer Authentication). That two-factor authentication is mandated in Europe for e-commerce transactions. Customers can't purchase online without going through it. I probably should have mentioned this a little bit earlier. The service that's most commonly used to do the second factor of authentication is called 3D Secure. 3D Secure is the service offered by the card brands; it's the technical component that integrates two-factor authentication. I have a feeling I'm not doing a very good job of explaining this today.
When you're setting up your website and you want to use two-factor authentication, you would say to your credit card processor, "I want to use 3D Secure." 3D Secure is the service used to do two-factor authentication. Every time you run a transaction that is 3D Secure and approved, i.e., it passed two-factor authentication, as a merchant, you can't get a chargeback for fraud. I should have, let me rephrase that. As a merchant, you can't get a chargeback for fraud. People can still call their bank and say, "Hey, I bought some shoes. The merchant never shipped them to me." If you utilize two-factor authentication, with 3D Secure you get the second factor of authentication approved. In other words, if the customer types in the text code on their cell phone, whatever they have to do, they cannot get a chargeback for fraud. It is a wonderful service.
I hope you found this video helpful. If you have any comments please leave a message. It's the second step in the e-commerce checkout process. Thanks for watching and have a nice day there. Bye now.