Sca Authentication Flows Infographic Eur Sep 2019
Under PSD2 (SCA), before requesting authorisation, the Merchant is required to provide EMV® 3DS data to the card Issuer (Bank) via the Acquirer/PSP for authentication purposes.

In this example, the ‘step up’ is required and the Consumer’s Bank sends a push notification to the Consumer’s mobile device with a link to the mobile banking app.

The Bank (or ACS operator) replies to Merchant via EMV® 3DS with confirmation that cardholder authentication was successful.
EMV 3DS
The Merchant sends authorisation
request including authentication
ACS = Access Control Server, PSP = Payment Service Provider, OTP = One Time Passcode, RBA = Risk Based Authentication, * for fraud-related chargebacks
SCA = Strong Customer Authentication, PSD2 = 2nd Payment Service Directive
E-commerce purchase on mobile device or desktop with Credit/Debit/Prepaid card:
Strong Customer Authentication with SMS OTP with ‘knowledge-based’ question or PIN/password
Authentication flow
Under PSD2 (SCA), before requesting authorisation, the Merchant is required to provide EMV® 3DS data to the card Issuer (Bank) via the Acquirer/PSP for authentication purposes.

In this example, the ‘step up’ is required and the Consumer’s Bank sends an OTP via SMS to the Consumer’s registered mobile number.

The Bank (or ACS operator) replies to Merchant via EMV® 3DS with confirmation that cardholder authentication was successful.
EMV 3DS
The Merchant sends authorisation
request including authentication
E-commerce purchase on desktop with Credit/Debit/Prepaid card:
Strong Customer Authentication through a card reader with OTP-generator
Authentication flow
Under PSD2 (SCA), before requesting authorisation, the Merchant is required to provide EMV® 3DS data to the card Issuer (Bank) via the Acquirer/PSP for authentication purposes.

In this example, the ‘step up’ is required and the Bank’s ACS uses the Mastercard Identity Check box for the request to enter the payment card into the card reader to generate the OTP.

The Bank (or ACS operator) replies to Merchant via EMV® 3DS with confirmation that cardholder authentication was successful.
EMV 3DS
The Merchant sends authorisation
request including authentication