November 28th, 2018

How to Participate in EMV 3-D Secure & Increase Your CNP Approvals

AUTHENTICATION WEBINAR SERIES

Proprietary & Confidential

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

Today’s Speakers

Director, North America Product Management, Mastercard

Patrick Kelly

SVP, Global Commercialization, Mastercard

Seckin YilgorenVP, Product, Mastercard

Craig Gilbert

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

q Introduction to EMV 3-D Secure & Mastercard Identity Check

q Benefits of participating

q User Experience Demo

q How Mastercard can help enable you

q Enhancements to Mastercard 3-D Secure Construct & Program

q Next steps to implement EMV 3-D Secure for your business

q Mastercard Identity Check Program Roadmap

Agenda

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

EMV3DS“ 3DS 2.0 ”

A new industry standard used to check a consumer’s identity on digital payment transactions

Mastercard’s implementation of EMV 3DSA simple and secure way to verify a consumer’s identity in real-time during a digital payment transaction

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

5

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

3DS 1.0 Standards

3DS 2.0Standards Benefits of 3DS 2.0

AUTHENTICATION METHOD

Static passwords & security questions

Eliminates static passwords for stronger two-factor authentication e.g., risk based,

one time password, biometrics etc. • Greater security

• Greater convenience

INTERFACES Bowser dependent Supports different payment channelse.g., in-app, IoT, browser, etc.

• Better UX • Wider applications

• Great control by the merchant

DATA Only 15 data elements available

Enables 10X more data to be exchanged

• Increased accuracy• Improved decisioning

USE CASES Supports guest check-out only

Supports guest checkout with additional use cases, e.g., provisioning of Card on File, wallets, tokenization,

etc.

• Expanded use• Greater security

DECISIONING Merchants bound by issuer decisioning

Enhances decisioning by increased merchant flow of data

• Greater flexibility

What is changing with EMV 3-D Secure (2.0)?

Global Activation: November 6th, 2018

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

Acquirer BIN

Acquirer Merchant ID

Cardholder Account Number

DS URL

Message, Extension, Version

Acquirer BIN

Acquirer Merchant ID

Card Expiry Date

Cardholder Account Number

DS URL

Merchant Country Code

Message Category, Extension, Type, Version

Purchase Amount, Currency, Date & Time

Recurring Expiry, Frequency

More than 10 X Data

Browser User-Agent

Browser User-Agent

IP address

Browser Time Zone

Cardholder Email Address, Home Phone Number, Mobile Phone Number, Work Phone Number

Cardholder Name

SDK App ID, SDK Encrypted Data, Ephemeral Public Key

SDK Reference Number, SDK Transaction ID

3DS Requestor URL

Browser Accept Headers

Cardholder Account Information (Account Age,

Change, Password Change, Number of Transactions per Day /

Year, Shipping Name Indicator, Suspicious Activity, Payment

Account Age etc.)

Cardholder Account Identifier, Billing Address

Cardholder Shipping Address

Transaction Type

Account Type

Browser Time Zone

DS Reference Number, Transaction ID

EMV Payment Token Indicator

Purchase Date & Time

Recurring Expiry, Frequency

3DS Server Reference Number, Operator ID, Transaction ID, URL

Address Match Indicator

Device Channel, Device Information, Rendering Options

Supported

Message Category, Type

Merchant Name

Merchant Country Code

Merchant Category Code

Merchant Risk Indicator (Delivery Timeframe, Re-order, Pre-order, Gift Card)

3DS Requestor Authentication Information (Method), Challenge Indicator, ID, Initiated Indicator

3DS Requestor Name, Non-payment Indicator, Prior Transaction Authentication information

Instalment Payment Data

Browser Java Enabled, Language, Screen Color Depth, Height, Width

3DS 1.0 Data (Initial Message – VEReq) 3DS 2.0 Data (Initial Message – AReq)

How much more data & insights are leveraged in 3DS 2.0 versus 3DS 1.0?

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

7MARCH 20, 2018

Free from onerous authentication steps

PLAY DEMO

How is the user experience?

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

8

Mastercard’s Full Product Suite Enhances 3DS 2.0

Merchant Issuer

3DS Server Provider

Access Control Server

Mastercard Directory Server & Program Enhancements

RBA Services

2

3

NuData 3DS

Identity Check Mobile

Digital Transaction

Insights

Data Only Payment Authentication Digital Transition Insights

1

4

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

9

Mastercard provides the ecosystem with greater choice to optimize the usage of EMV 3DS

Payment Authentication

Data Only

3DS 2.0 Use Case

FrictionlessExperience

Influence Issuer Approval Decision

No Transaction Latency

Liability Shift Real-time Mastercard Risk

Assessment

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

10

Issuers will receive Digital Transaction Insights for 3DS 2.0 Authentication & Data Only transactions from merchants

Cardholder positive transaction history

Known device with positive association with cardholder

Typical geolocation and IP, behavioral and transaction pattern

Shipping address has been used with the PAN and is the same as last transaction

Suspicious Account Activity

Unknown device with no association with presented cardholder data

Recent High Risk change to Device or Profile Information

PAN associated with fraud event

O

PJ

1

Reason Code Examples:

N

A

B

DF

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

11

Program Enhancements to 3DS 2.0 Construct

NEW Cryptogram

Authorization Data Elements

What is it?The Accountholder Authentication Value (AAV) provides evidentiary support of authentication.The AAV is getting an upgrade to become more simplified and useful.

What is it? The “Transaction ID” is a unique identifier generated for each 3DS 2.0 authentication request. The “Protocol ID” indicates if a merchant requested 3DS 1.0 or 3DS 2.0 authentication

Who does it impact?Issuers and ACSs

Who does it impact?Acquirers & Issuers

2

Network Monitoring

What is it? Ceiling on fully authenticated fraud level

Minimum approval level on fully authenticated transactions

Authentication value (cryptogram) required for all transactions

Who does it impact?Merchants & Issuers

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

1 2 3 4

Stand-In RBA responds to merchant initiated authentication requests when issuer is not able to respond

• Data (Device, Cardholder, Transaction Details) sent to the Mastercard Authentication Network

• Mastercard generates RBAanalysis and score

• Cardholder initiates e-commerce transaction

• Merchant environment collects rich 3DS 2.0 data

• Mastercard Stand-In RBA determines authentication response for 3 Issuer scenarios

• Issuer Card Range not enrolled

• ACS does not respond

• ACS is unable to authenticate

• RBA Scoring Output:

• Low Risk = Fully Authenticated AAV

• Non-Low Risk = Merchant Only Authentication (Attempts)

12

3

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

*= Component requires EMVCo certification

3DS Server*

• Supports 3-D Secure authentication for all payment networks

• Flexible Suite of APIs for merchants, acquirers and/or PSPs to integrate

1

2

Supports authentication all Payment flows

• Brower

• Mobile

3DS Server

1

2

4Mastercard 3DS 2.0 Solutions for

Merchants, Acquirers & PSPs

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

3DS 2.0 Increases Approval Rates & Decreases Fraud

14

+5%Increase in approvals when transactions are fully authenticated1

<8BPSLower digital fraud when dynamic authentication is used2

Global ResultsIncrease Approvals

Reduce Fraud

1. MASTERCARD. Q1 - Q3 2016 DATA, ACROSS ALL CARD TYPES. 2016. 2. MASTERCARD. SECURECODE CARDHOLDER VERIFICATION METHOD (CVM) FRAUD STUDY. 2013.

*Contact your Mastercard representative to engage in a quantification effort specific to your business.

APPROVALS RATES Q4 2017

Case Study

0.6713.01

Cineplex 3DS Txns Canada All eCommTxns

NET FRAUD BPS Q4 2017

85%

97%

Canada All eCommTrxns

Cineplex 3DS trxns

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

15

100+ customers

enrolled globally

Thousand of transactions

processed

Global availability in Nov ‘18

3DS 2.0 & Identity Check Rollout is Underway

Merchants and Issuers live in US &

Europe

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

16MARCH 20, 2018

3DS 2.0 Early Adopter Program Learnings

EMV 3-D Secure processing time is 2x-3x faster than former standard

Merchant must ensure that EMV 3-D Secure data is formatted correctly and present when “conditional” per the EMVco Specification

Merchants, Acquirers and PSPs need to make sure that the authentication data is passed successfully in payment authorization (Account Authentication Value and Security Level indicator)

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

18. Q4 19.Q1 19.Q2 19.Q3 19.Q4

2018 2019

December Identity Check Program Compliance (All)

NovemberIdentity Check / 3DS 2.0Activation (All)

NovemberStand-In RBA service Launch (Issuers)

Mastercard Identity Check Program: Roadmap

July Compliance monitoring for Directory Transaction ID & Protocol ID (Acquirers)

DecemberMastercard Payment Gateway and NuData to offer 3DS 2.0 (Merchants/PSPs)

December 3DS 2.0 Cryptogram requirement (Issuers and ACS)

December Early Adopter Program concludes

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

18

AUTHENTICATION WEBINAR SERIES

Thank You! Please contact Patrick for any additional information

Webinar Recording & Deck will be Sent Out to All Participants

patrick.kelly@mastercard.com

Patrick Kelly

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

19

Acquirer

What Acquirers need to do to be ready for the next generation of 3-D Secure (EMV 3-D Secure) WHAT YOU CAN DO NOW

ü Review documentation, Identity Check Program and Requirements on Authentication Network Information Center via MC Connect

ü Register for Identity Check Programü Ensure Acquirer authorization system is updated to support

new Identity Check data elements (Transaction ID & Protocol ID)

ü Partner with Mastercard to quantify value and ROI for merchant to use EMV 3DS

Access Authentication Network Information Center (MC Connect):ü Access Authentication Network

Information Center on MC Connect

ü Acquire, 3DS Server Provider and Merchant Onboarding Guide

ü SPA 2 Technician Guideü EMV 3DS FAQ

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

20

Issuers

What Issuers need to do to be ready for the next generation of 3-D Secure (EMV 3-D Secure)

WHAT YOU CAN DO NOWü Register in Identity Check Program platform (MC Connect)ü Enroll portfolios in Identity Check Program in Identity Solution

Service Management application (MC Connect)üUtilize Mastercard Stand-In RBA service (no action)ü Register ACS as a service provider with Mastercard ü Select Identity Check compliant challenge method, this is

optional (OTP, Biometrics)ü Initiate project with ACS provider to support new SPA 2

Account Authentication Value (AAV)ü Ensure processor supports authorization logic for Digital

Transaction insights (Data Element 48 Sub element 56)

Access Authentication Network Information Center (MC Connect):ü Issuer, Service Providers,

Operator and Processor Onboarding Guide

ü Utilize checklist in Onboarding guide

ü SPA 2 Technician Guideü EMV 3DS FAQ

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

21

Merchants

What Merchants need to do to be ready for the next generation of 3-D Secure (EMV 3-D Secure)

WHAT YOU CAN DO NOWü Select and integrate with 3DS authentication

environment via an 3DS Service Provider üDefine thresholds for 3DS Authentication and ensure all

EMV 3DS data elements can be passed ü Register on the Identity Check Program via Acquirer ü Ensure Acquirer authorization system is updated to support

EMV 3DS authentication requirements (Secure Payment Authentication 2 (SPA) AAV)

ü Review branding, onboarding, and program requirements

Access Authentication Network Information Center (MC Connect):ü Acquire, 3DS Server

Provider and Merchant Onboarding Guide

ü EMV 3DS FAQ

©20

18 M

aste

rcar

d. P

ropr

ieta

ry a

nd C

onfi

dent

ial.

Future Use Case #3 : Recurring Payments – For e.g. Subscription with possibly variable amount, variable frequency, combined with one-time purchase, with fixed threshold.

Payee Payer3DS for $20 $201

Authentication Authorization Clearing

$25

$20

23

3RI for $20 $20

3RI for $25 $25$20

Use Case #1: Partial/ Split Shipment – For e.g. Ordered products are not all available at the same time. The Merchant decides to ship separately.

Payee Payer3DS for $550 $5501

Authentication Authorization Clearing

$350$200

23

Use Case #2: Aggregator model – For e.g. Market places (e.g. Expedia) managing multiple merchants like combined travel booking of airline, hotel and car rental).

Payee Payer3DS for $800$600

1

Authentication Authorization Clearing

$200$600

23 $200

Payment Use-Cases