Nowadays, online transactions can be conducted using multiple internet-enabled devices (computers, smartphones, tablets), making the online shopping experience convenient for both cardholders and merchants. But growth in online and mobile payments has brought concerns in other areas, such as card-not-present fraud. Dynamic Linking came into play to enhance online payment security.
Intro to Dynamic Linking
With PSD2 came Strong Customer Authentication (SCA). And with SCA came Dynamic Linking, a key component designed to prevent social engineering attacks during the processing of a transaction. It enhances SCA and is a part of the latest 3D Secure 2 upgrade.
SCA is an additional layer of security, based on at least two elements from the following categories:
- knowledge (something the cardholder knows, e.g., PIN, password),
- possession (something the cardholder owns, e.g., smartphone, token),
- and inherence (something the cardholder is, e.g., fingerprint, facial recognition, voice pattern).
Dynamic Linking aims to specifically link each transaction to its amount and the recipient of the payment. The end goal is to prevent social engineering attacks such as a "man-in-the-middle" attack, in which the fraudster attempts to interrupt the connection established between the payer and the payee and hijacks the authentication code to authorize fraudulent transactions. If Dynamic Linking is applied, a "man-in-the-middle" attack won't be successful, because the authentication code automatically fails if either of the transaction details, the transaction amount or the payee, has been altered.
Dynamic Linking Requirements
Article 5 of the Regulatory Technical Standards (RTS) specifies the requirements for Dynamic Linking. Four main requirements are vital when discussing Dynamic Linking, and those are the following:
- The payer has to be aware of the transaction amount and the payee, a requirement conforming to the What You See Is What You Sign (WYSIWYS) principle.
- The generated authentication code has to be specific to the payment transaction amount that the payee agreed to with the payer at the moment of transaction initialization.
- The generated authentication code accepted by the Payment Service Provider (PSP) must match the original specific transaction amount and the identity of the payee agreed to by the payer.
- The generated authentication code must be invalid if either of the transaction details, the transaction amount or the payee, does not match.
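The last three requirements can be sketched as follows. This is an example added here, not code from the RTS or from any 3D Secure implementation. It assumes an HMAC-SHA256 code keyed with a secret shared between the payer's authenticator and the PSP, and the names `make_auth_code`, `Psp` and the transaction id field are hypothetical.

```python
import hashlib
import hmac

def _encode(amount_minor: int, payee: str, txn_id: str) -> bytes:
    """Length-prefix each field so bytes cannot slide between amount and payee."""
    fields = [str(amount_minor).encode(), payee.encode(), txn_id.encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def make_auth_code(key: bytes, amount_minor: int, payee: str, txn_id: str) -> str:
    """Code computed by the payer's authenticator over what the payer was shown."""
    return hmac.new(key, _encode(amount_minor, payee, txn_id), hashlib.sha256).hexdigest()

class Psp:
    """PSP side: recomputes the code from the transaction it is asked to execute."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = set()  # transaction ids whose code was already accepted

    def verify(self, code: str, amount_minor: int, payee: str, txn_id: str) -> bool:
        if txn_id in self._used:
            return False  # a code is good for one transaction only
        expected = make_auth_code(self._key, amount_minor, payee, txn_id)
        if not hmac.compare_digest(expected, code):
            return False  # amount or payee differs from what the payer approved
        self._used.add(txn_id)
        return True

def demo() -> dict:
    # All values below are constructed sample data.
    key = b"constructed-demo-key-not-a-real-secret"
    shown = (14999, "DE00 CONSTRUCTED PAYEE", "txn-0001")  # amount in minor units
    code = make_auth_code(key, *shown)
    psp = Psp(key)
    return {
        "altered_amount": psp.verify(code, 99999, shown[1], shown[2]),
        "altered_payee": psp.verify(code, shown[0], "XX00 OTHER ACCOUNT", shown[2]),
        "original": psp.verify(code, *shown),
        "replayed": psp.verify(code, *shown),
    }

if __name__ == "__main__":
    print(demo())
```

The per-transaction id and the replay check go beyond the four listed requirements; they are included because a code tied only to amount and payee could otherwise be reused for an identical second payment.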
Implementation of SCA enhanced with Dynamic Linking impacts many participants involved in the online payment chain. To conclude, the main goals of these heightened security measures affecting the payment chain are:
- Reducing the possibility of online fraud.
- Reducing the cost of processing fraudulent transactions.
- Increasing cardholder confidence in online payment services.