Guide: How to optimise authentication for card payments

Our e-commerce report launched last year shows that card remains the most preferred online payment method for 72% of respondents. Businesses cannot expect to operate successfully online without accepting card payments. 

One major issue with card payments is the risk of fraud and chargebacks. SABRIC reports that card-not-present (CNP) transactions accounted for 68% of total card fraud losses in 2023. Fraud is expensive – it leads to chargebacks, liability and loss of customer trust. To protect their revenue and their customers, merchants must implement card authentication measures.

What is card authentication?

Card authentication is the process of verifying that the person making the transaction is in fact the legitimate cardholder. It helps prevent unauthorised card use by ensuring that the rightful owner is completing the payment.

Authentication differs from authorisation. Authorisation occurs when the card issuer (i.e. the cardholder’s bank) confirms that the card is active and has enough funds to complete the transaction. 

Types of card authentication

Merchants need to understand different authentication methods that are available to them. Each one will have a different impact on how well fraud prevention, interchange fees (paid to the acquiring bank) and liability in the event of fraud (who covers the fraud losses). 

CVV/CVC Authentication (Basic Verification)

CVV/CVC (Card Verification Value/Code) authentication verifies the cardholder by confirming that they have the physical card with them. It requires the payer to enter the three-digit (Visa, Mastercard) or four-digit (Amex) security code printed on the card.

• Impact on interchange: Merchants pay higher interchange fees with this method because CVV alone does not prove rightful ownership—the card could be stolen.The fee is higher to compensate the issuing bank for the potential fraud losses.
• Liability shift: If the merchant fails to ask for the CVV, they will be liable for losses.  However, CVV alone doesn’t shift liability. Visa and Mastercard typically keep the merchant liable unless they also use 3D Secure authentication.

While CVV provides a measure of security, this authentication level is less effective at preventing fraud and is more expensive for merchants. 

3D Secure (3DS) Authentication

3D Secure (3DS) authentication verifies the cardholder by confirming their identity through the issuing bank’s security process. It may involve risk-based authentication, one-time passwords (OTPs), biometrics or approvals via banking app.

• Impact on interchange: The interchange fees are lower for authenticated transactions because the multi-factor authentication makes transactions more secure, reducing chargeback costs for the issuer. 
• Liability shift: If authentication is successful, liability shifts from the merchant to the card issuer – the bank that authenticated the cardholder’s transaction. 

3DS is a robust card authentication protocol that comes at a lower cost for merchants looking to protect profit margins from transaction costs. In addition, the merchant is protected from fraud losses.

However, merchants must also consider the impact of additional security measures like 3DS on the payment experience and flow. More steps to payment means more barriers and potential for dropoff.

Tokenisation and Device Authentication (Apple Pay, Google Pay, Samsung Pay)

Tokenisation and device authentication are linked to digital wallet payments. The card details are replaced with a secure token, and authentication is done through biometrics (i.e. facial recognition or fingerprint) or device PIN.

• Impact on interchange: This type of authentication is treated as 3DS authentication for digital wallets, so merchants will have lower interchange fees.
• Liability shift: In Europe, the issuer is liable for any potential fraud damage, as transactions are strongly authenticated. However, in South Africa, the South African Reserve Bank (SARB) and Payments Association of South Africa (PASA) are in discussions to determine if the liability should be shifted to the issuing bank.

While this option offers greater flexibility for customers and comes with lower interchange fees, merchants need to understand how liability is shifted with the issuing banks. 

Why Stitch for card payments

Stitch is a trusted card payments partner, processing online and in-person card payments on behalf of leading enterprises. Our solution ensures card authentication is made easy and accessible to merchants, with flexibility in the form of adaptive 3DS, and additional prevention via our AI-powered fraud engine, Stitch Shield.  

Optimise your card solution with:

• Full redundancy and high uptime: Achieve transaction reliability with 99.95% uptime thanks to our direct connections with multiple acquirers, redundant 3DS providers and automated processor failovers.
• Dynamic 3DS: Tailor 3DS settings to meet your risk appetite, and optimise conversions. Choose which transactions to authenticate via API-based risk scoring, pre-configured rules or with our risk engine. 
• Flexible integration: Choose from our fully customisable Stitch-hosted pages, embedded form fields or API-only integration options. 
• Seamless token migration: Merchants own their card tokens and can migrate to another PSP at any time, ensuring flexibility and vendor independence.

‍