Strong Customer Authentication - Update

allpay
Strong Customer Authentication - Update 
 
In February 2020 allpay implemented Strong Customer Authentication (SCA) across both our cardholder and organisation portals.
 
We then later introduced Mastercard 3DS for online transactions, meaning cardholders may be required to enter a One-Time Passcode (OTP) for some online purchases.
 
What is Strong Customer Authentication? 
 
Strong Customer Authentication aims to reduce fraud and make online payments more secure by requiring the cardholder to authenticate their identity using at least two different factors from three permitted categories. 
 
Knowledge: something the cardholder knows (e.g. a pin, the answer to a security question.)
 
Possession: something the cardholder has (e.g. a mobile device, evidenced by receipt of a OTP sent to that device via SMS)
 
Inherence: something the cardholder is (e.g. a fingerprint, face recognition, keystroke dynamics. 
 
We're Making Changes!
 
From the 21st of September 2021 allpay are going to make online transactions even more secure by adding in a knowledge factor at the point of purchase. This factor will utilise the cardholder's transaction history, as this activity should only be known to the cardholder. 
 
When a cardholder makes a purchase online they will receive a One-Time Passcode as they currently do, once confirmed they will then be presented with a question which will prove their identity. 
 
This will include the following: 
 
6 False Transactions - which are randomly generated. Those are the transactions the cardholder would not recognize. 
 
1 Real Transaction - retrieved from the card's transaction history, made up of transactions processed on that card. 
 
And the "I don't recognize any of these transactions" option. 
 
This will look similar to the below:
 
Image

After 3 failed verification attempts, or if the cardholder has not provided a valid answer within 5 minutes, the transaction is declined and the cardholder is redirected back to the merchant with an error message displayed.

 

If the cardholder is successfully verified, their transaction will be processed as normal. 

 
The Future 
 
In time allpay will also offer the Inherence factor as an authentication option. This will only be applied if a cardholder has given explicit consent to permit the processing of their biometric data during the transaction process. 
 
Consent can be given at the time of the transaction, and you do not need to take any further action in order for consent to be gained from you cardholders. 
 
The biometric data that will be collected included how the cardholder inputs the OTP, how they hold their device, and how they move their mouse around the screen. 
 
These interactions (called behavioural biometrics) are strong behavioural signals that are unique to each cardholder. These signals make it possible to limit the probability of an unauthorised party being authenticated as the payer. 
 
Download our MasterCard ID Check Leaflet here
 
We will communicate further to you when this is going to be available. 
 
In the meantime, if you have any concerns or questions regarding these communications, please contact [email protected]
 
 
 
 
OUR ISSUER STATEMENT
The allpay prepaid card is issued by allpay Ltd pursuant to license by Mastercard International Incorporated. allpay Ltd is a company regulated by the Financial Conduct Authority (FRN 900539) for the issuance of electronic money. Head office and registered address: Fortis et Fides, Whitestone Business Park, Whitestone, Hereford, Herefordshire, HR1 3SE (Company No 02933191). Mastercard is a registered trademark of Mastercard International Incorporated.
 
Certified and Accredited to:
allpay
Copyright © 2021 allpay Ltd, All rights reserved.
 
Want to change how you receive these emails?