What is Strong Customer Authentication
The Payment Services Directive (PSD2) has introduced a new regulatory requirement: Strong Customer Authentication (SCA).
The aim of SCA is to add an increased layer of security for card-not-present transactions, such as mobile and online payments.
To authenticate the transaction, merchants can verify the consumer's identity with the issuer. To be compliant with SCA, 3D Secure 2 transactions carry additional authentication and transaction information within the payment flow.
This new version of 3D Secure offers a better user experience and helps to minimise some of the friction that authentication adds to the checkout flow.
SCA requires authentication to use at least two of the following three aspects:
- Something the consumer knows.
  - For example, a password or PIN.
- Something the consumer has.
  - For example, a phone or hardware token.
- Something the consumer is.
  - For example, a fingerprint or face recognition.
When authenticating a 3D Secure 2 (EMV 3D Secure) card payment, Judopay collects specific device data captured via Judokit and our Android and iOS SDKs. We share these details with both the card network and issuing bank.
This is an (EMV) 3DS2 protocol requirement: it enables the card network and issuing bank to recognise repeat transactions from the same device, which mitigates transaction risk.
We have implemented the (EMV) 3DS2 protocol and collect the recommended 150 data elements detailed in the (EMV) 3-D Secure-SDK-Device Information Specification document.
See the EMV Specifications & Associated Bulletins page to search for the latest specification document. This information is used in risk analysis by the card schemes and card issuing banks.
Among the data elements collected by Judopay's Judokit are key browser details such as:
- IP address
- User agent
- Browser language
- System time zone
- Screen dimensions
- Colour depth
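The following is an added example, not Judokit or Judopay code, showing what a page script can actually observe for the browser elements listed above. It reads the user agent, language, time zone, screen dimensions and colour depth from a window-like object (pass the real `window` in a browser; a constructed stand-in is embedded so it also runs offline), and applies some sanity checks before the record leaves the page. The IP address is deliberately absent: client-side script cannot read the client's public IP, so the receiving server observes it from the connection. The function names and the validation limits are this example's own, not quoted from Judokit or the EMV specification.

```javascript
// Added example, not Judokit or Judopay code. Gathers the browser-side device
// data elements named on the page from a window-like object, so the same
// function runs in a real browser (pass `window`) or against a constructed
// stand-in. The IP address is left out on purpose: page script cannot read
// the client's public IP; the server receiving the request observes it.

function collectBrowserInfo(win, now = new Date()) {
  const nav = win.navigator || {};
  const scr = win.screen || {};
  return {
    userAgent: nav.userAgent == null ? "" : String(nav.userAgent),
    browserLanguage: nav.language == null ? "" : String(nav.language),
    // Minutes between UTC and local time as Date#getTimezoneOffset() reports it:
    // positive west of UTC (New York in winter is 300), negative east (Paris in winter is -60).
    timeZoneOffsetMinutes: now.getTimezoneOffset(),
    screenWidth: Number(scr.width),
    screenHeight: Number(scr.height),
    colorDepth: Number(scr.colorDepth),
  };
}

// Sanity checks before the data is sent; the limits are this example's own,
// not quoted from the EMV specification. Returns the names of the fields that
// fail, so an empty array means the record is complete and plausible.
function validateBrowserInfo(info) {
  const failed = [];
  if (!info.userAgent) failed.push("userAgent");
  // BCP 47-style tag such as "en", "en-GB" or "zh-Hant-TW".
  if (!/^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$/.test(info.browserLanguage)) {
    failed.push("browserLanguage");
  }
  // Real offsets lie between UTC+14 (reported as -840) and UTC-12 (reported as 720).
  if (!Number.isInteger(info.timeZoneOffsetMinutes) ||
      info.timeZoneOffsetMinutes < -840 || info.timeZoneOffsetMinutes > 720) {
    failed.push("timeZoneOffsetMinutes");
  }
  for (const field of ["screenWidth", "screenHeight", "colorDepth"]) {
    if (!Number.isInteger(info[field]) || info[field] <= 0) failed.push(field);
  }
  return failed;
}

// Constructed stand-in for `window`, used when no real browser is present.
const SAMPLE_WINDOW = {
  navigator: { userAgent: "Mozilla/5.0 (constructed sample UA)", language: "en-GB" },
  screen: { width: 1920, height: 1080, colorDepth: 24 },
};
// Constructed clock fixed at UTC+1 so the time zone field is deterministic.
const SAMPLE_NOW = { getTimezoneOffset: () => -60 };

// Collects from the real browser when one is present, otherwise from the sample.
function demo() {
  const inBrowser = typeof window !== "undefined";
  const info = collectBrowserInfo(inBrowser ? window : SAMPLE_WINDOW,
                                  inBrowser ? new Date() : SAMPLE_NOW);
  return { info, failedFields: validateBrowserInfo(info) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block in Node prints the record built from the constructed sample with an empty `failedFields` list; in a browser it prints the live values. Keeping the collection in a pure function of a window-like object is what makes it testable offline, and checking the record before sending it is what stops an empty or malformed element from silently degrading the issuer's risk analysis.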
For in-app payments, our Android and iOS SDKs collect the following key details, among others recommended in the (EMV) 3-D Secure-SDK-Device Information Specification:
- App-specific device ID:
  - ANDROID_ID, which is app-specific on Android 8.0 or higher. Apps installed on a version earlier than Android 8.0 observe a global ANDROID_ID instead of an app-specific value.
- Device model
- OS version
- System language
- System country
- System time zone
- Screen dimensions
The Android and iOS SDKs encrypt the device data using a key held by the card network. Judopay’s servers do not have access to this data.
As per the (EMV) 3DS2 protocol, the Android and iOS SDKs perform basic checks to detect rooted devices. Only the Boolean value representing whether the check succeeded or failed is transmitted to the server.
The components of the Android SDK involved in 3DS2 transactions are obfuscated.
When the consumer taps the PAY button, the payment flow is triggered. The device data is collected at the stage when you call CARD_PAYMENT.
For more information, see 3D Secure 2 Payment Flow.
Collecting device data is a requirement of the (EMV) 3DS2 protocol and is only triggered during the 3DS2 payment flow.