Payment authentication explained

Payment authentication is the process of ensuring that the person attempting to make a payment is the legitimate cardholder.

Link to the author's page
October 4, 2023
Link to the author's page
Payment authentication explained

Accounting for 71% of purchases at the point of sale in 2022, credit and debit cards are the most popular way to pay in the US. So it’s vital that your business is able to accept them – be that in-store, online, over the phone, or however you sell to your customers.

Yet the great power of accepting credit and debit cards comes with an equally great responsibility – authenticating them.

That’s why below, we’re explaining exactly what payment authentication is, how it works, and which methods – including AVS, CVV, and geolocation – you need to know about in 2023. 

We’re also breaking down some of the technical terms, such as SCA, 3DS, and PSD2, to bring you a plain-English guide to authenticating your business’s payments – and how the team here at can take the hassle out of the process.

What is payment authentication?

Payment authentication is the process of ensuring that the person attempting to make a  payment is the legitimate cardholder.

Authentication verifies that it’s really them trying to transact – and not a fraudster or thief who’s managed to obtain their card details.

Through this lens, payment authentication is a crucial part of any business’s fraud prevention process – helping you flag many of the different types of online payment fraud, and mitigate the damage they can wreak on your business and brand.

By properly authenticating any payments you take in-person or online, you’ll build trust with your customers, stay on the right side of your compliance and regulatory requirements – and safeguard your bottom line and reputation from the negative impacts of chargebacks.

How does payment authentication work?

To authenticate payments, merchants, payment service providers, and banks rely on a combination of three core factors. These include something the cardholder:

  • Knows (such as a PIN, a password, or the answer to a security question)
  • Has (a device, such as a smartphone, tablet, or computer)
  • Is (their unique biometric identifiers, such as their facial pattern, iris, voice, or fingerprint)

In the industry, these factors are called knowledge, possession, and inherence – and they come into play when Strong Customer Authentication (SCA) is involved.

Some of the specific strategies merchants and card issuers might use to authenticate a payment include – but aren’t limited – to:

  • Sending a one-time password (via email or SMS), which the customer must enter to complete the transaction, or issuing a push notification.
  • Requesting the customer enters the PIN code or password for their mobile banking app or the account they hold with the merchant.
  • Biometric verification: requesting that the customer scans their fingerprint or face, or speaks into their device to authenticate the payment.

Let’s say, for example, that Tim is attempting to buy a new pair of shoes from ASOS.

He logs into his ASOS account with his email address and PIN (proof of knowledge), before ASOS sends him a one-time password via SMS. He receives this on his iPhone (proof of possession), before proceeding to the checkout. Before the transaction goes through, he’s asked to verify his identity through the facial recognition technology on his phone (proof of inherence). He obliges, and the payment goes through.

Typically, merchants and card schemes don’t use all these strategies – or ask for all three factors to be satisfied in a single transaction. However, they’ll use at least one, and – unless they’re SCA-exempt – will be obliged to employ a minimum of two of these strategies in combination.

So what is SCA, exactly – and which businesses need to comply?

Learn more: The future of authentication in payments

How does Strong Customer Authentication work?

Strong Customer Authentication (SCA) is a regulatory requirement of the European Union introduced to reduce the risk of fraud and boost the security of payments.

Ushered in as part of the Payment Services Directive (PSD2), SCA mandates the use of multi-factor authentication in electronic payments. As of 2023, it applies to all online card payments within the European Economic Area (EEA). So, even if your business isn’t based in Europe, you’ll still have to comply with SCA and PSD2 legislation if you do business with European companies, or have a presence in the EEA.

SCA requires you to authenticate your customers using at least two of the three authentication factors we discussed above: knowledge, possession, and inherence.

However, not all businesses accepting credit and debit card payments have to comply with SCA – some merchants are exempt, and can authenticate a payment with just one factor alone.

Payment authentication methods

Let’s unpack some of 2023’s most widely used payment authentication methods: 3D Secure, Address Verification System (AVS), and Card Verification Value (CVV).


3DS stands for 3D Secure – a payment authentication protocol developed by major card networks such as Visa (Verified by Visa) and Mastercard (Mastercard SecureCode).

3DS is the most common form of SCA. So it’s a way of complying with PSD2 regulations, and verifying your customers in a way that reduces not only fraud – but friction, too.

To embed 3DS into your payment authentication setup, can help.

Our 3DS solution is fast and flexible – helping you stay compliant and tackle fraud, safe in the knowledge you’re backed up by machine learning’s advanced, automated algorithms. You’ll benefit from intensive authentication optimizations – including smart retry logic and data enrichment – and from a payment authentication solution that works across all your acquirers.

Read up on’s 3D Secure payment authentication to learn more.


AVS stands for “Address Verification System”. It’s a form of payment authentication that verifies whether the billing address the cardholder provided matches the address the card issuer (that’s the customer’s bank) has on file.

When you perform an AVS check, you essentially compare the numeric portion of the billing address (street number and ZIP code) the customer entered when attempting to make a purchase with the address associated with that bank account.

The AVS check then generates a result code, indicating either an exact match, a partial match, or no match at all (an AVS mismatch). Based on the outcome, you can either pass the transaction as legitimate, or request further authentication from your customer.

AVS is an excellent tool in your fraud prevention toolkit, but it’s not totally foolproof. For one, AVS checks only verify the numeric portion of the address – not the suburb or street name. What’s more, AVS only applies when the cardholder’s address is in the US, the UK, or Canada – so it’s not as effective a fraud detection tool if you do a lot of your business overseas.


CVV stands for “Card Verification Value”, a form of payment authentication that helps verify a transaction’s legitimacy by looking at the three- or four-digit security code located on the back of most credit and debit cards (including Mastercard, Visa, and Discover), or on the front of American Express cards.

CVV checks are particularly important in card-not-present transactions, where – unlike with card-present transactions, such as those made in store – it’s harder to verify that the person making the payment actually has access to the card.

Similarly to AVS checks, asking your customer for the CVV code on their card when they come to make a purchase allows you to cross-reference the code they’ve provided with the one their bank has on file. If there’s a mismatch, it could indicate potential fraud – although the CVV response code provided will give you more information as to the underlying reasons behind the check’s outcome.


Geolocation is the process of determining and verifying where your customer is physically located when they’re attempting to make a purchase.

By comparing the geolocation data from where the customer is – which comes from GPS, wifi triangulation, and IP address analysis – with the physical address on the card, you can assess the transaction’s risk profile. If the purchase is coming from a small village outside of Mexico City, for instance – but the cardholder’s address is in central Paris – it might raise some flags.

That said, the Parisian cardholder could simply be on holiday. Which is why geolocation (or, indeed, any of the payment methods we’ve outlined above) should never be used in isolation, but as part of a toolkit of authentication techniques and technologies. 

How can help you implement authentication

If you accept debit or credit cards, payment authentication is a vital part of the process.

Proper payment authentication not only protects your business from the negative financial and reputational consequences of fraud and chargebacks, but your customers, too.

Authenticating payments you accept also ensures you remain compliant with PSD2 legislation when trading in the UK and EEA, and acts as a signal of trust and legitimacy: demonstrating to partners and customers that you take their security seriously.

What’s more, implementing payment authentication doesn’t have to be difficult. Here at, we’ll help you not only authenticate payments, but do so in a way that actually increases acceptance – while decreasing the complexity of PSD2 compliance. We can help you implement SCA in a way that doesn’t scare your customers away – and instead, reduces the friction in the checkout process.

Plus, our payment authentication is ready when you are – and able to slot seamlessly into your business’s specific needs, goals, and existing infrastructure. You can go live fast or tailor your authentication solution in full with our hosted and non-hosted options. Enabling you to future-proof the way your business accepts and authenticates payments – on a global scale.
Get in touch with our sales team to find out more about authenticating payments, and how our solution can work for you.

Stay up-to-date

Get news in your inbox.

Back to top button
October 4, 2023 11:01
October 4, 2023 11:01