The Brain Behind Secure Payments - Verestro's ACS: Podcast Episode 25
- Verestro
- Jun 12
- 12 min read
In this episode, we're unveiling the power of Verestro's Access Control Server (ACS) in the 3-D Secure Ecosystem. Discover how this EMVCo-certified technology is revolutionizing online payments by reducing card-not-present (CNP) fraud and providing an essential layer of authentication for credit and debit card transactions. We'll explore how Verestro ACS enhances the customer experience with fast, intuitive, and secure checkout processes, including frictionless and low-friction authentication flows, and more. Tune in!
Today, we are plunging into a topic that affects, well, pretty much all of us, every time we click buy online, payment security. - That's right. - We're specifically zoning in on a card not present fraud, when your card details get used online or over the phone without the actual card being there, it's a persistent challenge.
- Definitely, and the industry is constantly evolving its strategy to fight it. We've got some sources today that really focus on a key piece of that puzzle. - Right, they center around a specific solution, Verestro's new EMVCo-certified Access Control Server, or ACS for short. - Exactly, that's the core technology we're looking at.
- So our mission today is to unpack what an ACS actually is, figure out its critical role in the whole online payment ecosystem, and explore why this Verestro solution is getting attention as a potentially significant step in fighting fraud, while also, hopefully, making things smoother for you when you shop online. - Yeah, because online fraud is, let's face it, a massive headache and cost for everyone involved, and the industry's main weapon against it has been this thing called 3D Secure. - Right, 3D Secure. - Absolutely, the sources point to it, especially the modern version, EMV 3D Secure or 3DS 2.x, as the essential layer for authenticating you, the card holder, to tackle that CNP fraud problem.
- Okay, so 3D Secure is meant to be that check, is it really you using your card online? - That's the idea. - Let's start with the basics then. 3D Secure, the name sounds like three dimensions, what are these three Ds? How does it all work together? - Good question. Yeah, the 3D basically refers to the three key domains or parties involved in securing that online transaction.
- Okay. - So first you've got the acquirer domain. - Yeah. - Just think of this as the merchant side of things.
- The website I'm buying from? - Exactly, the online store and crucially, their bank, the acquiring bank, which processes the payment for the merchant. - Right, where the money collection starts. - Precisely. Then domain number two is the issuer domain.
Now this is your side. It's your bank, the bank that actually issued you your credit or debit card. - Got it. - They're the ones who ultimately approve or decline the payment and importantly, they're responsible for making sure it's actually you, authenticating the card holder.
- Okay, so merchant's bank, my bank, what's the third D? - The third D is the interoperability domain. This is kind of the glue holding it all together. It's the infrastructure, the network, the rules, the messaging protocols. - The plumbing.
- Yeah, kind of like high-tech plumbing. It lets the acquirer domain, the merchant side, talk securely and, like, instantly with the issuer domain, your bank side, during the transaction. - Okay, so a merchant's bank, my bank, and the secure connection between them, makes sense. Now where does this Access Control Server, the ACS, fit into all this? - Okay, so the ACS sits right at the heart of the issuer domain, your bank's domain.
The sources we looked at consistently describe it as the brain of the whole cardholder authentication process. It's the system your bank uses to look at the transaction you're trying to make online, assess the risk level in real time, and then decide: does this look safe enough to approve straight away, or do we need to challenge the user for extra proof? - Okay, so that's what's happening when I'm online. I click pay and suddenly I get that little box asking for a code from my phone, or maybe it asks for my fingerprint in my banking app.
- Exactly, that's your bank's ACS working behind the scenes. It analyzed the transaction data flowing through the 3D Secure system, decided it needs more certainty, and triggered that specific challenge, that verification step. - All happening in milliseconds, you said. - Pretty much, yeah, it has to be fast.
And a key point in our sources is that Verestro has achieved EMVCo approval for their specific ACS solution. - EMVCo, they're the ones behind the chip cards, right? But now they set standards for online stuff too, like 3DS. Getting their stamp of approval sounds important. - Oh, absolutely, it's a huge deal. It basically means the solution meets the global standards for security, for compliance, and crucially for interoperability, it can talk correctly to all the other parts of the payment system worldwide.
- Okay, so the ACS is the issuer's brain for checking if it's real you. But why the focus on Verestro's ACS? Why would a bank, an issuer, choose to use a pre-built solution like this instead of, say, building their own from scratch? - Right, and that's where the sources really lay out the business case. Building an ACS yourself in-house, it's described as, well, a massive undertaking. - A massive.
- The materials mention it can easily take over a year, think 12, maybe 18 months, sometimes even more. - Wow. - And the cost is upwards of 100,000 euro. And that's likely just the initial build and getting it certified.
And they've got ongoing maintenance, keeping it updated with new rules. - Yeah. - It adds up. - A year plus and over 100 grand, just for this one component.
Okay, yeah, that definitely puts the challenge into perspective for a bank. - It's a huge drain on resources, time, and specialized expertise. So, a ready-to-go, fully certified solution like Verestro's ACS, well, it basically aims to shortcut all of that. - Makes sense.
- The benefits highlighted are pretty clear, much faster deployment, obviously, because it's already built and gone through the certification hoops. - Right. - Significantly lower costs compared to building it yourself. And you get guaranteed compliance with the latest 3D Secure standards right away, which, trust me, is a constantly moving target.
- So it's like, instead of designing and building your own car engine and getting it approved, you buy a top of the line certified engine off the shelf and plug it in. - That's a pretty good analogy, yeah. And what does this engine need to do? What are its core jobs according to the sources? - Good question. - They list three main functions.
First, it has to check if a specific card number is actually eligible for 3D Secure authentication in the first place. Not all cards are automatically enrolled. - Okay. - Second, it checks the device you're using, your browser, your mobile app, to see if it supports the necessary 3DS protocols.
- That's right. - Device compatibility. - And third, the most crucial part. It actually performs the authentication of you, the card holder, or at least confirms your account validity during that transaction flow.
That's the core security check. - Right, proving it's really you. Okay. For the banks, the issuers, the appeal seems clear.
Faster, cheaper, compliant, makes sense. But what about the rest of us, the people actually shopping? What benefits does using a system like this Verestro ACS bring to the customer experience? And maybe to the online stores too. - Yeah, that's really where it counts, isn't it? And the sources do detail several key benefits that should ideally trickle down to you. The big one for the customer is an enhanced customer experience.
- Okay. How so? - It makes the checkout not just secure, but also faster and more intuitive. By reducing unnecessary friction, it helps avoid those annoying delays or extra steps that make people just give up and abandon their cart. - Yeah, nothing worse than getting stuck right at the finish line when you wanna buy something.
- Exactly. And for the business, that translates directly into optimized authentication performance. A smoother, faster, more reliable process means fewer technical glitches, fewer failed payments. - More completed sales.
- Right. The system is also designed for device agnostic compatibility. So it should work just as well, whether you're on your laptop browser, your phone's browser, or inside a retailer's specific app. - So same secure process, no matter how I shop online, that's important these days.
- Very important. And a huge focus for modern 3DS and mentioned for this ACS is enabling frictionless and low friction authentication. - Frictionless sounds good. What does that mean? - It means using smart, risk-based analysis behind the scenes.
If the transaction looks low-risk based on a whole bunch of data points, the ACS authenticates it instantly without you needing to do anything. - Ah, so I don't even see a security check. - Correct. That's the frictionless flow, it just goes through.
But if the ACS flags it as potentially higher risk, it then triggers a challenge, but aims for low-friction methods. Think using biometrics like your fingerprint or face ID, or maybe a quick tap in your banking app. Generally much less hassle than typing in passwords or waiting for SMS codes. - Okay, so frictionless is invisible security.
Low friction is a quick, easy check when needed. - That's the idea. And this smarter approach leads to a massive benefit for the businesses, higher approval rates with lower fraud. - How does that work? - Well, by accurately spotting the good guys, the legitimate customers, and letting their transaction sail through, more valid sales get approved.
- Okay. - And at the same time, by effectively applying those 3DS checks when risk is detected, it dramatically cuts down on fraud losses for those specific transactions. So better authorization rates, less fraud, win-win for the merchant. - Yeah, more sales, fewer chargebacks.
That's huge for any online business. - Definitely. And finally, maybe less visible to the end user, but critical for the banks is regulatory compliance made easy. - The rules and regulations.
- Exactly, things like PSD2, strong customer authentication, SCA in Europe, or global standards like PCI DSS for data security. Staying compliant is complex. A pre-certified ACS like Verestro's, built to the latest standards they mentioned, EMV 3DS versions 2.3.1 and 2.2.0, means banks can adopt it and tick those compliance boxes without massive internal development effort. - Saves them a lot of regulatory headaches.
- And as we mentioned before, it all contributes to a faster time to market for the banks wanting to implement a robust 3DS. They avoid those long, costly build and certification cycles. - Right, get it up and running quicker. Okay, those are the big picture benefits.
What about the specific features? What's under the hood of Verestro's ACS, according to the sources, that makes all this possible? - Well, the absolute foundation is that EMVCo-certified status. That's table stakes, really. - Non-negotiable. - Right, then it's offered as a SaaS model, software as a service.
This means it's cloud-based. The bank doesn't need to run the servers or manage the infrastructure themselves. They connect to it online. That gives them scalability, reliability, and takes maintenance off their plate.
- Okay, so it's managed for them. - Pretty much. Integration is key too, so they mentioned simple API integration. APIs are like the standard ways for different software systems to talk to each other.
Good APIs make it much faster and easier for the bank to connect their systems to the ACS. - Like universal plugs, makes integration faster. - Exactly. And then for the bank actually using the ACS day to day, there's a powerful admin panel.
This gives them control and visibility. They can review detailed logs of what happened in each authentication. - See the history. - Yeah, they can manage the look and feel of those challenge screens the customer sees using a UI builder.
They set up specific rules for risk assessment using something called a rule engine and they get a dashboard to monitor overall performance, trends, fraud patterns, that kind of stuff. - So they can tweak things and see how it's working? - Precisely. Customization and monitoring are important. And this control helps manage the different authentication flows, which really define what you experience as a customer.
- Right, the different paths a transaction can take. - The source highlights a few key ones. We talked about the frictionless flow, low risk, no customer action needed, totally seamless. That's the ideal.
- Invisible check. - Then there's the challenge flow. This is when the risk is higher. And the ACS explicitly asks you to verify yourself.
OTP, biometrics, whatever method the bank has configured. - The pop-up or redirect we sometimes see? - Correct. Then there's one called 3RI, 3DS Requestor Initiated. This one's interesting.
It's started by the merchant or their payment provider without you actively doing something at that exact moment. - Huh, how does that work? - Think about things like your monthly streaming subscription or paying for a rideshare automatically from a stored card. You're not clicking pay each time. 3DS provides a secure way to authenticate these kinds of recurring or card on file payments.
- Uh, okay. - Securing those automatic payments, that's crucial for subscriptions and stuff. - Absolutely. And finally, they mentioned a newer flow, SPC secure payment confirmation.
This uses built-in browser capabilities and something called WebAuthn. - Okay. - Which basically lets you use your device's built-in security, like your fingerprint reader or face ID, directly on the checkout page for authentication. It aims for really strong security, but in a super quick, user-friendly way.
- Sources note it's gaining ground, especially in Europe. - Using my fingerprint right on the website instead of going to my bank app, that sounds pretty slick actually, blending security and ease of use. - That's the goal. It leverages the security hardware you already have.
And to make all these flows work, the ACS needs to support a range of authentication methods. The sources list things like OTP via SMS, using your banking app, that's out of band, biometric methods, and others compliant with the latest standards. - So banks can choose the methods that work best for them and their customers. - Right, and it needs to work across different device channels, whether you're in a mobile app or just using a web browser.
- App or browser, covered. - And underlying all of this, again, is that regulatory compliance piece we talked about, meeting the requirements of EMV 3DS, PCI DSS for data security, and PCI 3DS for the specific security of these systems. - Got it, compliance is key. - You can't operate without it.
- Okay, we've really unpacked the tech, the business side, the features. Let's bring it back home. Are you listening, maybe doing some online shopping later? Why does understanding this access control server thing actually matter? - It matters because, like we said, it's the brain making real-time decisions about your money and your identity online. It's the system deciding if and how you might get asked to prove it's you.
A modern well-tuned ACS, like the one described, is working constantly to make your legitimate purchases safer, yes, but also ideally much, much smoother. - So it's trying not to bother me unless it really has to. - Exactly, it's trying to assess the risk accurately, let the good stuff flow frictionlessly, and only step in with a quick, easy challenge when the risk signals are higher. That seamless checkout you sometimes get.
That's likely a smart ACS doing its job well in the background. - And when I do get asked for that fingerprint or code, the newer systems aim to make it less painful than older methods. - That's the direction, definitely. - Yeah.
- Features like SPC, app-based biometrics, they're all about improving that necessary security step. The sources explicitly connect Verestro's work here to that bigger goal of empowering the future of payments, making it safer, smarter, more seamless for everyone. And everyone includes you, the shopper. - Right, it's not just abstract tech, it's shaping our actual online checkout experience.
- And calling the ACS the brain really hits home its central role in that constant balancing act between tight security and a smooth user journey within 3D Secure. - Seeing certified solutions like this Verestro ACS emerge really shows the industry push to make this vital security layer easier for banks to implement well, which should ultimately benefit all of us navigating the online world. - That's the hope.
- Okay, so a deep dive indeed into the Access Control Server. We've unpacked its critical place in 3D Secure, the strong business reasons for banks to adopt certified solutions like Verestro's: cost, speed, compliance, and importantly, the benefits and features aimed at making your online transactions both safer and hopefully less frustrating, using things like frictionless flows and modern authentication. - It really is a cornerstone technology for e-commerce today. The brain of authentication, as the sources put it.
- So, as online commerce just keeps growing and evolving, that tension between rock-solid security like 3DS and our desire for a completely invisible, frictionless checkout, that's a constant negotiation, isn't it? - Always. - It makes you wonder how future developments building on systems like the ACS will continue to shift that balance. And thinking about your own online life, what level of security do you actually prefer, something visible you interact with or something completely behind the scenes? Something to ponder next time you click confirm purchase. Or maybe don't even notice the security check happening at all. Thank you for joining us for this deep dive into the world of online payment security. - My pleasure, always interesting to unpack this stuff.