Payment Authentication vs. Authorization: What Is the Difference?

In consultations with new clients, E-Complish is often asked if authentication and authorization are the same. Whether in the context of online payments or otherwise, the answer is a resounding “no”; they are two distinctly different processes.

Let’s break down the differences between payment authentication vs. authorization and explain how these processes work so you understand their differences and applications.

Payment Authentication Defined

What does it mean to authenticate your payment? In the payment space, the authentication process confirms an individual has the right to access funds from an account or use it to make a payment because of who he or she claims to be.

For example, when a consumer enters a PIN into an ATM keypad to access funds from a bank account, the PIN serves as a security token used to authenticate the consumer’s identity as the account owner.

Another example might be when a consumer attempts to use a credit card number to make a payment; the card issuer checks such details as the card number and type, its security code, and the cardholder’s billing address for authentication purposes.

The increasing incidence of fraud in recent years has led to the use of two-factor authentication and, sometimes, multi-factor authentication.

Two-factor or multi-factor payment authentication relies on a combination of different “items” or means of verifying a user’s identity. These include something a person has, something a person knows, and something a person is.

Something a Person Has

A device on which payment is made (like a mobile phone, computer, or tablet) or an account the person controls. Identity can be verified (authenticated) by sending a code to a device via email or text or by recording the IP address of a device when a consumer logs in to his or her account.

Something a Person Knows

This can mean login and password information, as well as the last four digits of an individual’s Social Security number, address, phone number, or data only the actual account holder or someone very close to him or her would know as the next of kin or spouse.

Something a Person Is

Here, payment authentication occurs through biometric data, such as thumbprint scanning and facial recognition software. Biometric payment authentication is an increasingly popular alternative to traditional passwords and PINs due to its advanced security.

As you can imagine, physical characteristics are much more complex to replicate than passwords or PINs.

Payment Authentication vs. Authorization

Authentication is verifying someone’s identity, while authorization verifies what applications, files, and data a user can access. An analogy would be an airline confirming who is allowed on board and what services they can access.

Similarly, in the digital world, authentication is used to verify that a user is who they say they are, and authorization is then used to grant them permission to access different levels of information and perform certain functions depending on the rules set for different types of users.

Examples of payment authentication include the following:

• One-time pins – Codes sent via text, email, or phone call;
• Authentication apps – Generates a unique security code that changes every few minutes;
• Biometrics – Verifies a person’s identity through fingerprint, retinal scan, or facial recognition.

Examples of payment authorization include the following:

• Grants data through access tokens;
• Has policies that are managed by a security team;
• Grants or denies access to resources;
• Is not seen or changed by the customer.

What Are Popular Payment Authentication Tools?

As the global economy and technology become increasingly intertwined, secure and reliable payment authentication tools are more important than ever. Below are common tools used to validate transactions, protect payment data and increase customer trust.

3D Secure 2 (3DS2)

3-D Secure (3DS) is a global standard for verifying CNP and digital transactions. It works by having merchants, and payment providers send data to financial institutions to determine the risk associated with a particular transaction. Billing address, transaction history, device ID, purchase amount, and geolocation are the information used to authenticate the customer’s identity.

The cardholder’s bank will then respond depending on the risk level, either allowing the transaction to pass through a frictionless flow with no further data needed from the customer or by requesting the user verify their identity via email, text message, or phone call. This approach is called risk-based authentication.

Address Verification Systems (AVS)

Address Verification System (AVS) is an anti-fraud measure that compares the billing address supplied by the customer and the one on record with the credit card company. When the customer enters their billing address, it is checked to see how closely it matches the address held by the card issuer.

The transaction may be approved, canceled, or under manual investigation, depending on the match. Although AVS can be used with other authentication methods, it can be circumvented if fraudsters use social media or other techniques to uncover the cardholder’s address before the transaction is complete.

Therefore, it is not foolproof. Even if a customer is legitimate, their billing address may not match the card issuer’s address on file. This could be due to the cardholder recently moving or an incorrect address in the record. If this happens, a merchant could mistakenly deny a valid transaction.

Card Verification Value (CVV)

The card verification value (CVV), also known as a CID or card identification number, is a three- or four-digit code printed on the back of debit or credit cards. This code is used to verify that the cardholder has physical possession of the card they use to make a purchase. The CVV code cannot be obtained through a card skimmer, making it a robust security feature for online transactions.

Challenge-Handshake Authentication Protocol (CHAP)

CHAP is a challenge and response authentication protocol that Point-to-Point Protocol (PPP) servers employ to confirm the identity of a remote user. After the remote user starts a PPP link, CHAP verifies the person’s identity without revealing the password.

To do so, CHAP creates a cryptographic hash with the shared secret (password) and the MD5 message digest algorithm. Through a three-step handshake, CHAP verifies the user’s identity in contrast to the Password Authentication Protocol (PAP)’s two-step process.

CHAP is usually utilized with PPP to authenticate a remote user and is employed during the session to reauthenticate the user. PAP and CHAP are widely used to establish a connection to an internet service provider over dial-up lines, switched circuits, or dedicated links.

Geolocation & behavioral analytics can prevent fraudulent transactions via CHAP by providing context to authentication. Geolocation analytics can identify & block suspicious locations, while behavioral analytics can detect anomalies (e.g., long response times, incorrect responses) to differentiate genuine & fraudulent requests.

Geolocation

Generally, international transactions are considered at a higher risk for fraudulent purchases. To ensure strong payment authentication in card-non-present transactions, Geolocation is a valuable tool. It uses wifi signals from devices to identify the geographic location of payers.

Although it does not confirm the user’s identity, the transaction will likely be declined if a card registered in one country is used in another. The cardholder then needs to contact the issuing bank. Geolocation is not always 100% accurate, but it can offer data to help with the fraud scoring process.

Behavioral Analytics

As credit card processors and banks become more advanced, so do scammers. To combat this, behavioral analytics has emerged as a helpful data-driven, anti-fraud tool. This technique is based on obtaining data from payment processors and credit card networks, examining the spending habits of large groups of consumers, and creating individual customer profiles. This allows the system to identify any suspicious or unusual activity and flag it as potentially fraudulent.

Payment Authorization Methods

When a credit or debit card transaction is processed, the card issuer provides the merchant’s acquiring bank with the necessary authentication details (response codes), which may be two digits (such as 00) or a letter and number (N1).

Such payment authorization methods include:

• Credit card authorization: A merchant verifies the customer’s credit card details, such as the cardholder’s name, billing address, and expiration date. This helps to ensure that the customer is a legitimate cardholder and that the card is valid;
• Bank authorization: A merchant verifies that the customer’s bank account is valid. This is done by obtaining a confirmation from the customer’s bank that the account is active and that the customer has sufficient funds to cover the purchase;
• 3D secure authorization: A form of online payment authentication that helps to protect customers from fraud. This method requires customers to enter a unique code, or a personal identification number (PIN), to complete their online purchase. The code is usually sent to the customer’s mobile device or email address.

The acquiring bank will then decide whether the merchant can proceed with the transaction, determined by whether the cardholder has sufficient funds in their account.

A final payment authorization process is then required to transfer the relevant funds into the merchant’s account. Authorization is also essential if a cardholder’s bank account is being debited or a credit or debit card is being used to pay via the ACH network.

Final Thoughts

In conclusion, payment authentication and authorization are essential tools for businesses to protect themselves from fraud and chargebacks. These processes improve the payment process and lead to more sales and better customer satisfaction. Utilizing this technology can help your business provide a safe and secure purchasing environment for its customers.

E-Complish’s payment processing solutions verify customer identity, confirm payment info, validate payment method, and secure customer data via encryption to ensure a safe purchase experience. Request a consultation to find out how our secure payment solutions can benefit your business.