RSA Announces the Release of Adaptive Authentication for eCommerce 20.6

Document created by RSA Product Team Employee on May 4, 2020Last modified by RSA Product Team Employee on May 4, 2020
Version 2Show Document
  • View in full screen mode

Summary:
RSA Adaptive Authentication for eCommerce is a comprehensive authentication and fraud detection solution for the eCommerce market. The solution is based on the 3DSecure protocol (Visa Secure and Mastercard Identity Check) and is powered by risk-based authentication, an intelligent system that authenticates a user by measuring a series of risk indicators. Transparent authentication provides a user-experience in which a customer is only challenged in high-risk scenarios.

What’s New in Adaptive Authentication for eCommerce 20.6

Adaptive Authentication for eCommerce 20.6 includes these new features, enhancements, and changes:

 

EMV 3DS Certification

Adaptive Authentication for eCommerce is certified by Amex for the EMV 3DS 2.1 protocol, and Visa for the EMV 3DS 2.2 protocol

 

Decoupled Authentication

Decoupled authentication allows customers to authenticate the cardholder separately from the 3D Secure workflow and the cardholder's interaction with the merchant, within a specified time frame. Based on the EMV 3DS 2.2 protocol, in some cases, decoupled authentication can result in a transaction that begins one business day and extends into the next business day, with a limit of up to seven days.

  • In Adaptive Authentication for eCommerce 20.6, the RSA Interface v3.2 sends customers decoupled authentication notifications in real-time, when a decoupled authentication challenge takes place. The challenge can be active for up to 7 days from the start of the transaction.
  • When a decoupled authentication challenge is a required, Adaptive Authentication for eCommerce uses a polling mechanism to check for the authentication result. Polling is more frequent near the start time of the transaction and takes place less frequently as time progresses.
  • The extended timeline for decoupled authentication transactions can affect reporting and transaction data for certain transactions. RDRs now include all transactions that were completed on the previous day, based on the end time of the transaction, as opposed to the start time of the transaction.

 

Support for Merchant Whitelisting Requests

In this release, Adaptive Authentication for eCommerce enables merchant whitelisting requests.

Based on the EMV 3DS 2.2 protocol, the status of the merchant’s whitelist request for this cardholder is included in the authentication request. Adaptive Authentication for eCommerce passes this value to the customer in data elements included in the RSA Interface v3.2.

The customer can decide how to proceed with the whitelist status sent in the request. Based on customer policies, an updated issuer whitelist status is sent back through the RSA Interface v3.2, and that value is placed in a new Policy Management fact, which can then be used to create corresponding rules.

The updated whitelist status and the transaction decision are sent in the authentication response. For the technical impact of this feature, see Technical Impact of Support for Merchant Whitelisting Requests.

 

Mastercard Message Extension Support

Adaptive Authentication for eCommerce 20.6 supports the use of Mastercard message extensions for EMV 3DS 2.1 and 2.2 transactions.
Mastercard message extensions allow you to use additional elements relevant for PSD2 SCA as recognized by Mastercard, in addition to leveraging selected features of the EMV 3DS 2.2 protocol that will be available in addition to EMV 3DS 2.1 elements.
All the elements that are captured from the authentication request using Mastercard extensions are available in the Policy Management application. For the technical impact of this feature, see Technical Impact of Mastercard Message Extension Support.

 

RSA Interface v3.2

This release of Adaptive Authentication includes a new release of the RSA Interface. Version 3.2 includes these functionality enhancements:

  • Additional Encryption Support. This version of the RSA Interface includes support for encrypting messages using the RSA-OAEP-256 algorithm, in addition to the currently supported RSA-OAEP algorithm. For more information, see the RSA Interface v3.2 User Guide.
  • 3DS Requestor Initiated (3RI) Authentication Support. 3RI transactions are transactions that are initiated by the merchant when the cardholder is not present in the session. 3RI transactions can be used, for example, to authenticate the cardholder, to collect a recurring payment, or when a subscription- based merchant wants to confirm that an account is still valid.
    3RI transactions are supported by the EMV 3DS protocol. In EMV 3DS 2.1, 3RI non- payment transactions are supported, and in EMV 3DS 2.2, both payment and non- payment 3RI transactions are supported.
    For the technical impact of this feature, see Technical Impact of RSA Interface v3.2 Support for 3RI Authentication.
  • Support for Including a One Time Password (OTP) in an Out-Of-Band (OOB) Authentication Workflow. Adaptive Authentication for eCommerce 20.6 includes support for including an OTP in an OOB Authentication workflow. The OTP can be sent to RSA for presentation to the cardholder so that the cardholder can then enter this OTP into the OOB authentication mechanism. For the technical impact of this feature, see Technical Impact of Support for Including an OTP in an OOB Authentication Workflow.
  • Redirect URL in OOB Authentication Workflows for Applications. To simplify the user experience, in EMV 3DS transactions, the merchant application URL can be included in the CReq during OOB authentication workflows for applications. This allows the issuer to automatically redirect the cardholder to the merchant application upon successful authentication. For he technical impact of this feature, see Technical Impact of Support for Redirect URLs in OOB Authentication Workflow.
  • Additional Data Elements Added to RSA Interface messages. New data elements are included in this version of the RSA Interface. For the technical details of the new data elements, see Technical Impact of New Data Elements in RSA Interface v3.2.

 

New Rule Simulator

The Rule Simulator Analytics Report allows you to use the most frequently used risk indicators as filters on real time data to simulate the impact of new rules or  editing existing rules on your data set. For more information, see the Back Office User Guide.

 

Risk Score Included in NPA and 3RI transactions

Adaptive Authentication for eCommerce 20.6 now includes the risk score generated by the RSA Risk Engine in NPA and 3RI transactions.

 

User Interface Enhancements

  • When an end user has configured only one contact method, you can display the contact information without indication of a choice selection.

  • This release of Adaptive Authentication for eCommerce includes inline validation of free text entered for OTP and token values in challenge screens. You can display an error message immediately on the screen if the OTP or token do not comply with formatting requirements.

 

Documentation Enhancements

  • This release includes these changes to the Back Office API Reference Guide:
    • All message samples were replaced with up to date messages.
    • Editorial changes were made to improve readability and the user experience.
  • This release includes an updated RSA Interface v3.2 User Guide, containing updated information for RSA Interface v3.2.


Reminder: RSA Recommends Upgrading to RDR v02

In Adaptive Authentication for eCommerce 20.5, RSA introduced concurrent support for multiple RDR versions. While RDR version support allows you to incorporate the updated fields at your convenience, after implementing the necessary development changes, we recommend implementing the new RDR version before EOL to leverage the new specifications of the EMV 3D Secure protocol (3D Secure 2.0) and provide enhanced visibility into your fraud landscape. 

RDR v01 will be declared End-of-Life (EOL) in August 2020.

For detailed information about the new RDRs, see the Adaptive Authentication for eCommerce 20.5 Release Notes and the RDR User Guide.

 

 

Technical Impact of New Features

This section provides the details of the technical impact of each of the new features.

Technical Impact of Merchant Whitelisting Request Support

  • The Policy Management application includes a new Merchant Details fact: IssuerWhitelistStatus. For more information, see the Back Office User Guide.
  • The RSA Interface v3.2 includes these new data elements to support merchant whitelisting requests:

     

    RSA Interface MessageDate Element
    getCardInfo RequestWhitelistStatus
    WhitelistStatusSource
    getCardInfo ResponseWhitelistStatus

     

Technical Impact of Mastercard Message Extension Support

The Policy Management application contains these new facts for transactions using the MasterCard Message Extension with the ID: A000000004-merchantData:

Fact CategoryFact Name
Merchant Details FactsAcquirer Country
Merchant Fraud Rate
Transaction Details FactsSecure Corporate Payment
 

Technical Impact of RSA Interface 3RI Authentication Support

These new data elements are now included in the RSA Interface v3.2 to support for 3RI authentication. For more information about these elements, see the RSA Interface v3.2 User Guide.

 

RSA Interface MessageModification
getCardInfo RequestNew TransactionType: ThreeRI Based (2.0)

New data elements added:

  • threeDSRequestorChallengeInd
  • threeDSRequestorAuthenticationInd
  • messageCategory
fetchAvailableAliases RequestNew TransactionType: ThreeRI Based (2.0)

New data elements added:

  • threeDSRequestorChallengeInd
  • threeDSRequestorAuthenticationInd
  • threeDSRequestorDecReqInd
  • threeDSRequestorDecMaxTime

 

Technical Impact of Support for Including an OTP in an OOB Authentication Workflow

  • In the availableAliases object, there is a new aliasType: OTPuOOB
  • The initiateOOB Response message includes a new data element: otpValue

For more information, see the RSA Interface v3.2 User Guide.

 

Technical Impact of Support for Redirect URLs in OOB Authentication Workflow

The initiateOOB Request contains a new data element: threeDSRequestorAppURL. For more information, see the RSA Interface v3.2 User Guide.

 

Technical Impact of New Data Elements Added to the RSA Interface

These new data elements are now included in the fetchAvailableAliases request:

  • ruleID
  • ruleName

For more information, see the RSA Interface v3.2 User Guide.

 

For additional documentation, downloads, and more, visit the RSA Adaptive Authentication for eCommerce page on RSA Link.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

Attachments

    Outcomes