In consultations with new clients, we are often asked whether authentication and authorization are one and the same. Whether in the context of payments or otherwise, the answer is a resounding “no”; they are two distinctly different processes. A look at the definition of each one, along with some examples, makes this easier to understand.
In the payment space, authentication is the process of confirming that an individual has the right to access funds from an account or use it to make a payment because he or she is who he or she claims to be. For example, when a consumer enters a PIN into an ATM keypad to access funds from a bank account, the PIN serves to authenticate the consumer’s identity as the account owner. When a consumer attempts to use a credit card number to make a payment, the card issuer checks such details as the card number and type, its security code, and the cardholder billing address for authentication purposes.
The increasing incidence of credit card fraud and other types of fraud in recent years has led to the use of two-factor authentication and, sometimes, multi-factor authentication. Two-factor or multi-factor authentication relies on a combination of different “items” or means of verifying a user’s identity. These include something a person has, something a person knows, and something a person is.
Something a person has…
In the case of payment authentication, this can be a device on which payment is made (like a mobile phone, computer, or tablet) or an account the person controls. Identity can be verified (authenticated) by sending a code to a device via email or text or by recording the IP address of a device when a consumer logs in to his or her account.
Something a person knows…
This can mean login and password information, as well as the last four digits of an individual’s Social Security number, address, phone number, or information only the real account holder or someone very close to him or her would know, such as the name of a childhood best friend or first college roommate.
Something a person is…
Here, authentication occurs through biometrics, such as thumbprint scanning and facial recognition software.
Authorization follows authentication. It is the process of confirming that a credit card or other payment vehicle is valid and ensuring that the account contains sufficient credit or funds to cover a transaction that is in the works before that transaction is approved.
In the case of a credit card transaction, for instance, the card issuer transmits the authentication information to the merchant’s acquiring bank, which authorizes the payment to the merchant. A final authorization process lets the merchant’s acquiring bank initiate a deposit of funds from the transaction into the merchant’s account. Authorization is also required whenever a consumer’s bank account is debited, or a credit or debit card is charged for payment, via the ACH network.
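The order described above, as an added Python example that is not from the original article: identity is checked first, counting distinct factor categories so that two "knows" factors do not amount to two-factor authentication, and only then is the transaction itself checked. The factor names, the `Account` fields, and the amounts are constructed for illustration.

```python
from dataclasses import dataclass

# Factor categories named in the article; the factor names are constructed.
CATEGORY = {
    "device_code": "has",        # one-time code sent to a device
    "password": "knows",
    "ssn_last4": "knows",
    "security_question": "knows",
    "thumbprint": "is",
    "face": "is",
}

@dataclass
class Account:
    card_valid: bool
    available: int  # available credit or funds, in cents

def authenticate(verified_factors, required_categories=2):
    """Identity check: count distinct categories, not the number of factors."""
    categories = {CATEGORY[f] for f in verified_factors if f in CATEGORY}
    return len(categories) >= required_categories

def authorize(account, amount):
    """Transaction check: valid payment vehicle and sufficient credit or funds."""
    if not account.card_valid:
        return "declined: invalid card"
    if amount <= 0:
        return "declined: invalid amount"
    if amount > account.available:
        return "declined: insufficient funds"
    return "approved"

def process_payment(verified_factors, account, amount):
    # Authorization is only evaluated once authentication has succeeded.
    if not authenticate(verified_factors):
        return "rejected: not authenticated"
    return authorize(account, amount)

if __name__ == "__main__":
    acct = Account(card_valid=True, available=50_00)  # constructed sample account
    print(process_payment(["password", "ssn_last4"], acct, 10_00))
    print(process_payment(["password", "device_code"], acct, 10_00))
    print(process_payment(["password", "thumbprint"], acct, 75_00))
```

The third call shows the distinction the article draws: the customer is fully authenticated, yet the payment is still declined at the authorization step.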
So there you go! Authentication and authorization are definitely two different things. Knowing the difference and using the correct wording should help you navigate the ‘Payments World’ just a little bit easier now.
E-Complish’s payment solutions and services allow for proper authentication and authorization. Learn more or schedule a consultation here.