Payment Authentication

March 31, 2022 | 10 min read

Payment Authentication

Payment Authentication: How to Verify Your Buyer’s Identity Before the Sale

Let’s say you’re trying to conduct a card-present transaction. There are some pretty basic ways to know if the customer on the other side of your checkout counter is actually the person they claim to be.

Chip readers and PIN codes can help authenticate the buyer. You can ask for additional validation, too, such as a driver’s license. Plus, if you receive a decline code, you can simply ask the customer to try a different payment method.

It’s a very different story for online payment authentication, though. For the most part, these options are not available for eCommerce merchants. The anonymity of the internet makes it a lot harder to validate customers before a transaction.

That’s not to say it’s impossible, though. Modern payment authentication methods can help you validate buyers and recognize potential fraud with a high degree of accuracy.

In this post, we’ll explain what it means to authenticate payments. We’ll explore some of the payment authentication methods currently available, and see what the near future holds for payment authentication technology.

What is Payment Authentication?

Payment Authentication

[noun]/* pā • muhnt • aa • then • tuh • kay • shn/

Payment authentication is the process of verifying the identity of the party on the other end of a transaction. This is often done by merchants, who need to verify that their customers are authorized to use a specific payment card.

As the name implies, payment authentication most often refers to the process of verifying the identity of a customer during a payment card transaction. You check the information provided by the buyer against that on file with the company that issued the card. If the information doesn’t match, the merchant should check to make sure a cardholder’s account isn’t being used for unauthorized purchases.

This is a necessary step. Experts estimate that more than $1 trillion was lost to cybercrime in 2020; roughly 1% of global GDP that year.

Fraudsters adopt increasingly sophisticated methods to steal cardholder account data. They then use the information, going on a shopping spree at the customers’ expense. Of course, merchants like you are the ones who end up paying the price.

Taking steps to authenticate buyers prior to completing a payment is essential to mitigate risk. How do you do this, though?

What Payment Authentication Methods Are Available?

Most methods you can use to help authenticate customer payments fall into one of four categories:


Ownership, or possession, is based on a physical object in the buyer’s possession. For example, entering a one-time code texted to their phone would demonstrate that the buyer possessed that phone.


This refers to information that only the cardholder should know. A PIN code, for example, or a personal password. It may also be the answer to a security question, such as the name of a pet or the maiden name of a relative.

Additional Question

What is CHAP?

Challenge-Handshake Authentication Protocol, or CHAP, is a 3-way challenge-and-response verification tool. The protocol establishes a temporary token, or "handshake," between your site and the cardholder. The handshake can be periodically checked throughout the session for further security.


Inherence doesn't test what a buyer knows; rather, it tests something that a buyer inherently is. This often means biometric information, and could include a fingerprint, voice recognition, or face recognition.


Data from the buyer’s GPS or IP address is compared against historical buying patterns. Significant variances, such as large orders from a different country, or mismatches between shipping and billing information, may indicate fraud.

Best Tools for Payment Authentication

Different tools let you to obtain authentication information in different ways. Here are just a few of the most common—and most effective—tools for payment authentication:

CVV Code

If you're not requiring your customers to enter the CVV (Card Verification Value) code on all orders, you're ignoring a powerful (and free) authentication device. Having access to this 3- or 4-digit number means the buyer is likely in possession of the actual credit card. The CVV cannot be stored with other cardholder data: thieves cannot obtain that information through a data breach.

Learn more about CVV codes

Address Verification

AVS (Address Verification Service) is used when you request authorization for a customer credit card purchase. It automatically checks the billing address submitted by the shopper against the cardholder's billing address on record at the issuing bank. You'll receive a code that indicates how much of the address matches, and can decide how to proceed from there.

Learn more about AVS

3-D Secure

3-D Secure Version 2.0 and later (or just “3DS2”) checks an estimated 150 verification details automatically and in real-time. Billing address, transaction history, device ID, geolocation, and more are compared to confirm a customer’s identity. Most 3-D secure payment authentication is frictionless. And, unlike the original version, 3DS2 can be used for mobile payment authentication.

Learn more about AVS

Are You Sure That Shopper Is an Authorized Cardholder?



Payment card tokenization means that the cardholder’s primary account number is swapped for an algorithmically-generated token. This digital token represents information, but is meaningless by itself. Even if a fraudster manages to hack the transaction, no actual account details are exposed, meaning the data cannot be used for future fraud.

Learn more about tokenization


Any time a user visits your site, they leave behind hundreds of potential indicators. These include IP address, browser, time zone, operating system, and more. This combined data creates a type of digital “fingerprint” of users based on the device used to access the site. With device fingerprinting, you can block devices associated with known bad actors and use the data to fine-tune your prevention strategy.

Learn more about device fingerprinting


Geolocation uses the wifi signals a device accessed to determine the geographic location of the shopper. Geolocation can’t authenticate the user’s actual identity, but it can supply clues. If a payer's card is registered in the US, for example, but the order is being sent from southeast Asia, it’s worth double-checking to ensure the transaction is legitimate.

Learn more about geolocation

Velocity Checks

When fraudsters identify a valid card number, they’ll typically run repeated transactions as quickly as possible. The goal is to buy as much as possible before being discovered. Velocity checks scan transaction variables such as name, shipping address, and order frequency, looking for information actions within a specified time period. Too many of the same orders could indicate fraud.

Learn more about velocity limits

Payment Authentication vs. Authorization

It’s important to note that authenticating a customer is not the same thing as authorizing a purchase.

Payment authentication helps you identify who a shopper is, and ensure they have permission to use the card in question. Authorization is the bank’s way of telling you the card hasn’t been reported stolen, the account is in good standing, and it has enough cash or credit to make the purchase.

Authentication is your responsibility. It’s up to you to implement one or more methods of identifying customers. Authorization, on the other hand, can only come from the issuing bank. While the two are different, both customer authentication and payment authorization help create redundancies that allow for more secure transactions.

What is Strong Customer Authentication?

Employing at least some type of payment authorization solution is highly recommended for all merchants. In some cases, however, it may be a requirement.

An increasing number of governments are attempting to combat fraud by implementing strict mandates in regard to buyer validation. The use of strong customer authentication (SCA), for example, is now a law in the European market.

Simply put, SCA requires merchants to “double-down” on payment authentication during checkout. Verification by card number, address, and CVV is no longer enough. Transactions in the European Union or the United Kingdom must now verify the buyer’s identity based on at least two factors.

These two-factor checks must be verified to the issuing bank’s satisfaction. If SCA standards are not met, or are not offset by transaction risk analysis, then the transaction will be declined.

Learn more about strong customer authentication

Best Practices for Payment Authentication

Without good payment authentication practices, you’re leaving your business wide-open to fraud and chargebacks. At the same time, authentication methods must be both accurate and efficient, without causing friction at checkout.

Here are some authentication steps you can take to optimize effectiveness while providing a seamless customer experience:

Payment Authentication

Use more than one authentication tool

No single tool can be 100% effective, but a mix of multiple tactics can increase your success. You may have to experiment to find the right mix.

Payment Authentication

Use the most
comprehensive data available

The more data you can cross-reference, the more accurate you can be. Tap into the best data you can find, and use machine learning to constantly fine-tune results.

Payment Authentication

Keep records updated

Your authentication tools are only as good as the information you have on file. Perform regular account checks to update expired card-on-file details.

Payment Authentication

Employ a larger strategy

Payment authentication is a powerful fraud prevention tool, but it’s only one tactic and affects only one fraud risk. It won’t help against other issues, such as friendly fraud.

Get Help

Like every other aspect of fraud prevention, payment authentication can be confusing. A good payment authentication solution can help, but it will still tie up resources. Instead of spending all your time and energy trying to untangle specific needs and regulations, most merchants find they can get a better ROI by working with professionals.

Looking for the most effective ways to prevent fraud and chargebacks while getting back to the business of running your company? Contact Chargebacks911® today to speak to one of our experts.

Like What You're Reading? Join our newsletter and stay up to date on the latest in payments and eCommerce trends.
Newsletter Signup
We’ll run the numbers; You’ll see the savings.
Please share a few details and we'll connect with you!
Over 18,000 companies recovered revenue with products from Chargebacks911
Close Form