back to insights


February 4, 2021

Understanding Dynamic Linking within PSD2

Nowadays, online transactions can be conducted using multiple internet-enabled devices (computers, smartphones, tablets), making the online shopping experience convenient for both cardholders and merchants. But growth in online and mobile payments brought concerns in other areas such as card-not-present fraud. In order to enhance online payment security Dynamic Linking came into play.

Dynamic Linking - 3D Secure by Asseco SEE

Intro to Dynamic Linking

With PSD2 came Strong Customer Authentication, and with SCA came Dynamic Linking, a key component designed to prevent social engineering attacks during the processing of a transaction. It enhances SCA and is covered by the latest 3D Secure 2 upgrade.

SCA is an additional layer of security, based on at least two elements from the following categories: knowledge (something the cardholder knows, e.g., PIN, password), possession (something the cardholder owns, e.g., smartphone, token), and inherence (something the cardholder is, e.g., fingerprint, facial recognition, voice pattern).

Dynamic Linking aims to specifically link each transaction to its amount and the recipient of the payment. The end goal is to prevent social engineering attacks such as ''man-in-the-middle'' attack, where the fraudster attempts to interrupt the connection established between the payer and the payee and hijacks the authentication code in order to authorize fraudulent transactions. If Dynamic Linking is applied, a ''man-in-the-middle'' attack won't be successful because the authentication code will automatically fail if either one of the transaction details, transaction amount, or the payee, has been altered.

Dynamic Linking Requirements

Article 5 of the Regulatory Technical Standards (RTS) specifies the requirements for Dynamic Linking. Four main requirements need to be taken into account when discussing Dynamic Linking, and those are the following:

  • The payer has to be aware of the transaction amount and the payee, a requirement conforming to the What You See Is What You Sign (WYSIWYS) principle.
  • Generated authentication code has to be specific to the payment transaction amount that the payee agreed to with the payer at the moment of transaction initialization.
  • The generated authentication code accepted by the Payment Service Provider (PSP) must match the original specific transaction amount, and the identity of the payee agreed to by the payer.
  • The authentication code generated must be invalidated if either one of the transaction details, transaction amount, or the payee has been altered.


Implementation of SCA enhanced with Dynamic Linking impacts many participants involved in the online payment chain. To conclude, the main goals of these heightened security measures affecting the payment chain can be summarized as follows:

  • Reducing the possibility of online fraud.
  • Reducing the cost of processing fraudulent transactions.
  • Increasing cardholder confidence in online payment services.

To find out more about new features and improvements, contact our regional expert on [email protected] or download the datasheet.

download datasheet
Request Trial

Interested in TriDES2?

Subscribe to our newsletter
© Asseco South Eastern Europe 2021. All rights reserved
clouddownload linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram