Payment Authentication | A Complete Explanation

Curious about payment authentication? We explain what it is, why it’s important, the methods you can use, and the right tools to do it with.

What Is Payment Authentication?

Payment authentication is the process of confirming a cardholder’s card number or other personal data isn’t being used to make payments without their knowledge. Banks and card issuers, merchants, and payment processors typically use a combination of authentication factors, including any mix of the following:

● Something a person knows, e.g., login information or secret question answers
● Something a person has, e.g., a mobile phone or computer
● Something a person is, e.g., using biometric technology such as fingerprint scanning

The Need for Payment Authentication

When it comes to online and mobile commerce, the need for transaction authentication has never been greater. Global spending on e-commerce reached $4.2 trillion in 2020, a growth of almost 28%. But losses from illegal purchases using stolen credit card numbers are growing nearly as fast.

Banks and card issuers, merchants and payment processors use forms of authentication to protect themselves from fraudulent transactions and chargebacks.

If you’ve ever shopped on the web or through mobile apps, for instance, you’ve likely encountered some form of payment authentication. One-time passcodes, challenge questions, and fingerprint biometrics are a few common methods used to confirm your identity and verify that payments made from your credit card or other accounts are legitimate.

But behind the scenes, card issuers, merchants and financial institutions have a series of authentication protocols beyond simple security questions. Let’s explore a few different authentication methods and how they work.

Card Verification Value (CVV)

The Card Verification Value (CVV) has become a standard method of authentication for e-commerce transactions. Today, most card-not-present (CNP) transactions made using a credit card number require the customer, by default, to enter the CVV, a 3- to 4-digit code listed on the front or back of the physical card.


Pros

● Prevents online transactions without the correct CVV code

Cons

● Only works when combined with other authentication methods
● Fraudulent purchases are still possible if someone has possession of a credit card, or acquires card details that include the CVV code

How Payment Authentication Works

Payment authentication relies on a series of systems and tools that communicate with customers, merchants, payment processors, card issuers and banks to validate transactions. Different techniques can work independently or together for more accurate authentication. Let’s review a few of the most popular authentication systems.

Address Verification System (AVS)

An Address Verification System (AVS) works to prevent credit card and bank fraud by comparing the billing address associated with the card with the one provided by the payer. When the customer provides their billing address, it is compared with the address on file at the credit card company to see how closely the two match.

The card issuer can give a full, partial, or no AVS match. Authentication relies on how closely the address matches. Depending on the AVS match, sellers can approve, cancel, or manually investigate the customer transaction.

AVS works well alongside other authentication methods but falls short on its own. Fraudsters can bypass AVS by using social media and other tools to identify the card owner’s address prior to the transaction.


Pros

● AVS is easy to implement
● AVS’s authentication is fast and doesn’t impact the user session

Cons

● AVS can be bypassed by criminals with partial knowledge of the address
● AVS alone isn’t enough to provide accurate authentication
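
The full, partial, or no-match outcome and the approve, cancel, or investigate decision described above can be sketched as follows. This is an added example, not code from a card network or from Outseer; it assumes the comparison uses only the house number and the first five ZIP digits, and the merchant policy, field names and sample addresses are hypothetical.

```python
import re

def street_number(street):
    """Leading house number only: '742 Evergreen Terr.' -> '742'."""
    m = re.match(r"\s*(\d+)", street or "")
    return m.group(1) if m else ""

def postal_digits(postal):
    """First five digits of a US ZIP, so '97477-1234' -> '97477'."""
    return re.sub(r"\D", "", postal or "")[:5]

def avs_match(on_file, supplied):
    """Classify two {'street', 'postal'} records as full, partial or none."""
    num_a, num_b = street_number(on_file["street"]), street_number(supplied["street"])
    zip_a, zip_b = postal_digits(on_file["postal"]), postal_digits(supplied["postal"])
    street_ok = bool(num_a) and num_a == num_b
    postal_ok = len(zip_a) == 5 and zip_a == zip_b
    if street_ok and postal_ok:
        return "full"
    return "partial" if street_ok or postal_ok else "none"

def merchant_decision(avs, cvv_ok):
    """Hypothetical policy: AVS is one layer, so a CVV failure always cancels."""
    if not cvv_ok or avs == "none":
        return "cancel"
    return "approve" if avs == "full" else "review"

# Constructed sample data (not real cardholder records).
ON_FILE = {"street": "742 Evergreen Terrace", "postal": "97477"}
CHECKOUTS = [
    ({"street": "742 Evergreen Terr.", "postal": "97477-1234"}, True),
    ({"street": "742 Evergreen Terrace", "postal": "97401"}, True),
    ({"street": "12 Oak Street", "postal": "10001"}, True),
    ({"street": "742 Evergreen Terrace", "postal": "97477"}, False),
]

def run_samples():
    results = []
    for supplied, cvv_ok in CHECKOUTS:
        avs = avs_match(ON_FILE, supplied)
        results.append((avs, merchant_decision(avs, cvv_ok)))
    return results

if __name__ == "__main__":
    for avs, decision in run_samples():
        print(f"AVS={avs:8} -> {decision}")
```

The last sample is the case the section warns about: the address matches in full, so only the second layer (the CVV check) stops the transaction.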

Challenge-Handshake Authentication Protocol (CHAP)

CHAP checks a user’s identity during authentication by presenting the user with a challenge question. As the challenge questions are sent, the CHAP server already has an expected response in mind. If the user answers that question correctly, CHAP authentication succeeds.

This methodology is used to authenticate sessions before login, meaning that this system doesn’t use shared secrets to validate an identity. This is particularly useful in preventing replay attacks, where an attacker reuses stolen credentials.

CHAP is often combined with Password Authentication Protocol (PAP) and used before the customer enters their password. A CHAP challenge request could be a series of security questions, or even a small puzzle, that the user must complete.

Like AVS, CHAP isn’t foolproof, but offers excellent protection from replay attacks and works well alongside other authentication methods.


Pros

● CHAP stops replay attacks before PAP
● CHAP doesn’t share secrets, meaning criminals cannot steal keys in transit

Cons

● Criminals can guess CHAP challenge questions through social engineering
● CHAP alone isn’t enough to provide accurate payment authentication for the user

3-D Secure 2 (3DS2)

EMV® 3-D Secure (3DS) is a global standard for authenticating CNP and digital transactions that allows merchants and payment providers to send contextual and payment information to institutions to assess the risk of a transaction. Information such as billing address, transaction history, device ID, purchase amount, and geolocation is considered when verifying a customer’s identity. Depending on the level of risk, the cardholder’s bank can issue a series of responses to help authenticate the payment.

If there is enough data to authenticate the user, the transaction succeeds through a frictionless flow. No other data is needed from the customer. If the bank believes the transaction is suspicious, the customer is sent through a challenge flow.

The challenge flow requires a user to verify identity via email, text message, or phone call. If the challenge is completed, the transaction may proceed. This methodology is known as risk-based authentication, where transactions are handled differently depending on their level of risk.


Pros

● Features frictionless flows that decrease cart abandonment and reduce checkout time
● Uses multiple data points to verify an identity
● Leverages machine learning to identify fraud
● Is consistent with best practices for verifying transactions

Cons

● The old version of 3-D Secure (3-DS1.x) was slow and did not support payments made through smart watches, gaming consoles and other IoT devices—issues that have been fixed in 3-DS2
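
The frictionless and challenge flows described in this section, as an added sketch of risk-based routing. It is not the EMV 3-D Secure specification or any vendor's risk engine: the weights, threshold, field names and sample requests are constructed assumptions that only show how the listed data points can decide which flow a transaction takes.

```python
from dataclasses import dataclass

@dataclass
class AuthRequest:
    amount: float
    billing_matches: bool   # billing address agrees with the issuer's record
    device_known: bool      # device ID seen on earlier approved purchases
    country: str            # geolocation of this request
    home_country: str       # where the cardholder normally transacts
    prior_purchases: int    # transaction history with this merchant

# Constructed weights and threshold, chosen only to make the routing visible.
WEIGHTS = {"new_device": 30, "billing_mismatch": 25, "foreign_geo": 25,
           "no_history": 15, "high_amount": 20}
HIGH_AMOUNT = 500.00
CHALLENGE_AT = 40

def risk_signals(req):
    """Return the names of the risk signals this request triggers."""
    checks = {
        "new_device": not req.device_known,
        "billing_mismatch": not req.billing_matches,
        "foreign_geo": req.country != req.home_country,
        "no_history": req.prior_purchases == 0,
        "high_amount": req.amount > HIGH_AMOUNT,
    }
    return [name for name, hit in checks.items() if hit]

def authenticate(req, challenge_passed=None):
    """Route to the frictionless or challenge flow and report the outcome."""
    signals = risk_signals(req)
    score = sum(WEIGHTS[s] for s in signals)
    if score < CHALLENGE_AT:
        return {"flow": "frictionless", "authenticated": True,
                "score": score, "signals": signals}
    # Suspicious: only a completed challenge (email, text or call) passes.
    return {"flow": "challenge", "authenticated": challenge_passed is True,
            "score": score, "signals": signals}

# Constructed sample requests.
REGULAR = AuthRequest(35.00, True, True, "US", "US", 12)
RISKY = AuthRequest(900.00, True, False, "US", "US", 3)

if __name__ == "__main__":
    print(authenticate(REGULAR))
    print(authenticate(RISKY))
    print(authenticate(RISKY, challenge_passed=True))
```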

Payment Authentication vs. Authorization

In short, payment authentication validates who a user is, whereas payment authorization gives the user access to a specific resource or functionality. You can think of authentication as having a key to the front door and specific authorizations allowing access to particular rooms inside.

Examples of payment authentication include the following:

● One-time PINs – Codes sent via text, email, or phone call
● Authentication apps – Generate a unique security code that changes every few minutes
● Biometrics – Verify identity through fingerprint, retinal scan, or facial recognition

Traits of payment authorization include the following:

● Grants data through access tokens
● Has policies that are managed by a security team
● Grants or denies access to resources
● Is not seen or changed by the customer

Both payment authentication and authorization work together to verify users and secure transactions. For example, a merchant may use 3-D Secure to prevent fraud and chargebacks while the bank runs an authorization check on the payer’s card to ensure they have enough credit to cover that transaction.

Payment Authentication Best Practices

Authentication must be both accurate and seamless to prevent chargebacks without impacting the customer experience. Here’s how you can implement fast and accurate authentication in your business.

Use Multiple Forms of Authentication

By layering different types of authentication, you decrease your chances of processing a fraudulent charge. While this used to be a more manual process, 3-D Secure accomplishes this by default and only applies additional challenges to suspicious transactions.

Leverage Big Data When Possible

The world is more connected now than ever before. Financial institutions and payment processors can use this data to provide real-time insights into the validity of transactions. Unlike static authentication, machine-learning algorithms are continuously improving to prevent fraud.

Partner With an Expert

Payment authentication is complex. Working with industry experts who protect the customer journey and their identity allows you to focus on other business areas. At Outseer, we leverage the latest 3-D Secure protocol to provide fast, secure, and friendly transactions.

The Outseer Solution

Outseer 3-D Secure provides the best in payment authentication without sacrificing user experience. With the Outseer Risk Engine at its core and informed by intelligence from our global data network partners, Outseer 3-D Secure transparently evaluates each transaction in real time to prevent 95% of all fraud, with only 5% of transactions ever requiring intervention.

In 2020 alone, Outseer saved customers nearly $1.6 billion in fraud losses by authenticating over one billion transactions.

Outseer’s frictionless flow simultaneously minimizes chargeback losses from fraud while reducing operational expenses associated with fraud investigation. Experience the best in fraud protection with Outseer through our free demo.

Jim Ducharme

Chief Operating Officer

Jim is responsible for product strategy and leads the associated product management and engineering teams at Outseer. He has nearly two decades of experience leading product organizations in the Identity marketspace, and has held executive leadership roles at Netegrity, CA, and Aveksa.