DAF and TAF: What changes merchants and issuers can expect with online payments

Payments Banking Security
The rapid growth in global e-commerce and the parallel increase in card-not-present (CNP) fraud is pushing payment networks to improve the security of payment authentication, and the user experience.

To deliver transactions that reduce unwanted friction, Visa and Mastercard are introducing the Digital Authentication Framework (DAF) and Token Authentication Framework (TAF) programs to shift the burden of authentication from issuers to merchants — who have the most to gain from a reduction in false declines.

What is DAF and TAF?

DAF and TAF originated to reduce the pressure on issuers caused by numerous issuer-driven features or responsibilities. And that’s what DAF and TAF seek to remedy — switching new features and requirements from being issuer-driven to merchant-driven.
According to Visa, DAF “provides a set of authentication and fraud performance requirements to ensure that the payment ecosystem, including merchants, token requestors (TRs) and issuers, takes steps to improve the security and performance of CNP transactions.” Basically, that means DAF enables faster and more streamlined checkouts. Users will have the benefit of secure ‘one-click’ checkouts since authentication isn’t based on risk and is tied to the user’s credit card.
On the other hand, Mastercard explains that TAF will “help increase the security and performance of remote commerce transactions by enabling a combination of tokenization of payment credentials stored on file with a merchant or digital wallet, and authentication of cardholders in the acquiring domain.” In essence, TAF will enable faster, safer payment experiences through a method of data security similar to encryption, called tokenization.
In essence, DAF and TAF have the same goals, which include:
  • Improving transaction approval rates.
  • Reducing the friction in CNP transactions, and making that the accepted norm in the industry.
  • Forging a better user experience for banking customers, since their transactions will no longer be challenged.
However, they go about reaching these goals rather differently.

The core differences between DAF and TAF

While both programs represent a big push to reduce payment friction, DAF seems to employ a more rigid approach. For instance, with DAF, issuers get one chance to authenticate their user or cardholder. If that authorization is successful, the next time that cardholder transacts, the authorization process will follow DAF procedures.
Visa explains that issuers “are not allowed to request a step-up or challenge on subsequent authentication requests from the same merchant, customer, and payment account that meet the DAF requirements”. What’s more, under DAF, Visa states that “issuers are liable for fraud on authenticated transactions that meet DAF requirements.”
It’s important to note that DAF will be mandated for all issuers and merchants in South Africa from April 2023.
While TAF has some commonalities with DAF, Mastercard takes a very different stance regarding fraud liability stating that “merchants authenticating remote commerce token transactions with an approved multi-factor authentication (MFA) method will be liable for those transactions”. So, with TAF, merchants are liable if there’s any fraud. But, a benefit for merchants is that in certain markets, which Mastercard will still announce, they may be eligible for fraud liability protection.
Mastercard also explains that the issuer's role in TAF includes “access to the MFA method implemented by the merchants, PSPs or digital wallets”. This provides banks and credit unions with more context into their customers’ transactions and helps them keep payment transactions safe.

The role of merchants, banks, and consumers in DAF and TAF

Let’s start with merchants. Once the merchant has enrolled into DAF or TAF, a token is generated for each user or cardholder, and that token links that user to the merchant. Once that token is initiated, the merchant has the mandate to perform transactions with reduced friction for that user, using the DAF or TAF program. At that point, the issuer’s Access Control Server (ACS) is no longer allowed to actively authenticate that user.
For banks and credit unions, they will be able to receive token transactions, where their cardholders have been authenticated by the merchant, and provide optimized approval rates for the fully authenticated transactions.

On the consumer side, their experience will also be enhanced. The cardholder goes to their favorite merchant site, selects their goods, and proceeds to checkout. They will then have the option to choose a faster, one-click checkout. If they select this option, their checkouts will comprise a secure, one-click checkout experience the next time they shop at that merchant. In addition, they won’t be authenticated, creating a better customer journey.

Impact on global finance markets

The impact of DAF and TAF will also differ across global markets. In the US, with 72% of fraud in 2022 being CNP-related, there’s a clear need to improve payment security. Most ACS solutions do not deliver the level of security sophistication that’s needed. And while the US is typically a frictionless-first market, in Europe, they are ready to shift from step-up authentication solutions to a market where authentication removes only unwanted friction. For these leading markets, the introduction of DAF and TAF will usher in a new age of improved payment security while reducing unwanted friction in user authentication journeys.
In the US, with 72% of fraud in 2022 being CNP-related, there’s a clear need to improve payment security.
In South Africa, many issuers are reluctant to activate DAF or TAF, since the market traditionally uses step-up authentication. With the limited implementation of solutions that reduce friction, many issuers are concerned that the market is not mature enough for DAF and TAF — and that it’s presently a lower priority for SA’s financial service providers. Nonetheless, issuers in South Africa need to be ready for these changes as Visa’s DAF will be mandated for all SA issuers and merchants from April 2023.

Entersekt’s 3D Secure ACS provides real-time insights to issuers

At Entersekt, our 3D Secure ACS is 100% up-to-date and compliant to support safer e-commerce transactions that reduce unnecessary friction. We deliver a more secure and streamlined experience, and drive customer insights for issuers. Here’s how:
  • When merchants are performing DAF or TAF transactions, Entersekt provides insights in real-time to issuers. This helps them gain an understanding of what transactions their customers are performing. In other words, context on each transaction.
  • With our data-open approach, we can also feed the data back into the ecosystem, such as sharing a higher risk score on a particular transaction with the bank, who may view a different score due to automatic DAF or TAF authentication.
  • Our real-time application programming interfaces (APIs) integrate with the issuers’ systems, and will alert us if a card is stolen, enabling us to decline the transaction in its tracks.
“Entersekt’s Context Aware™ ACS processes hundreds of real-time data points — together with a contextual understanding of what a shopper is trying to achieve — within split seconds to actively authenticate only when necessary. This ensures they are left to shop without unwanted friction. Initiatives like DAF and TAF support this goal of making the checkout process as seamless as possible." Elizabeth Graham, Product Manager at Entersekt.
When the time comes to step up, Entersekt’s Context Aware™ ACS also positions customer experience at the center of the step-up process by reducing unnecessary friction. The result is a seamless and intuitive experience for shoppers.
If you’ve got any questions about DAF or TAF or want to learn more about our solutions to support your efforts, get in touch with one of our experts.