Customer Authentication is Changing

The way businesses authenticate their customers when goods and services are purchased is changing. Older authentication and verification methods no longer offer sufficient levels of security protection and are being targeted by criminals. Signature verification was the original method used for payment card transactions and, although many countries shifted to PINs years ago, signatures have remained in use in the USA, the largest global cards market. In April 2018 the US market will no longer require signature checking, recognising that this provides limited security protection today and simply delays the checkout process. To coincide with these Visa and Mastercard policy changes, American Express is dropping its global requirement for signature checking. Linda Kirkpatrick, Mastercard’s executive vice president, describes dropping the signature as “another step in the digital evolution of payments and payment security.” Merchants will still have the option of asking for a signature, but the requirement will be history as of April.

At the same time, static passwords are also coming to the end of their useful life. Passwords are used both for initiating bank payments and, in the first generation of 3D Secure, to authenticate cardholders when making a purchase online. Today’s computing power allows fraudsters to quickly crack many static passwords because of the weak choices made by individuals. Incredibly, the terms “password” and “admin” remain very popular choices, and default passwords are frequently left unchanged despite attempts at consumer education.

Biometrics such as fingerprint, finger vein, iris, voice and facial recognition offer great potential. We have seen many pilots globally in 2017 trialling the various technologies, and these report positive results. Recent improvements in biometric recognition technologies have now reduced the number of false declines to an acceptable level. High smartphone adoption has made fingerprint recognition an everyday occurrence for many. Apple’s decision to shift to facial recognition with its latest iPhone X will likely have the same impact.

Thanks to the additional level of authentication and verification that smartphones offer, such as biometrics, the contactless card limits (£30 in the UK) can be exceeded with NFC mobile payments (Apple Pay, Google Pay, Samsung Pay), allowing high-value contactless transactions to be accepted in-store.

Multi-factor authentication is widely seen to be the way forward. It combines something you own (card, token, phone), something you know (passcode, PIN, password) and something you are (fingerprint, iris, face). It is this layering of independent factors that delivers a higher level of security protection.

3D Secure 2.0 has been developed by the international card schemes, under the EMVCo structure, as a key element of improving customer authentication. It supports biometrics and addresses concerns raised about the first-generation system. Liability protection will remain but, critically, basket abandonment rates are expected to be reduced with the introduction of this latest payments security technology. 3D Secure 2.0 will support the transmission of rich data during transactions, making risk-based decisions possible on whether to authenticate or not. The consumer experience will also be simplified and enhanced through the elimination of the initial enrolment process and the removal of the need for cardholders to remember static passwords. Non-payment authentication and native mobile support are also included in this version of the protocol. Mastercard call their implementation “Mastercard Identity Check”. EMVCo will be offering product certification from Q2 2018. 3D Secure 1.0 will be phased out from Q2 2018 to Q4 2019, varying by geographical region and card scheme.

As part of the European PSD2 legislation, the Regulatory Technical Standards (RTS) introduce the requirement for Strong Customer Authentication (SCA) to be supported in Europe by 14th September 2019. This is a mandatory legal requirement that all European businesses must support. SCA applies to both card payments and bank payments and uses the concept of multi-factor authentication. Some exemptions are available, and the RTS recognise Chip & PIN as a compliant multi-factor authentication method. SCA has a bigger impact on eCommerce transactions than on face-to-face transactions, but there are still implications for customer-present transactions. A risk-based approach needs to be supported, together with enhanced transaction monitoring.

Here at STS we recognise the need for stronger security protection for payment transactions. This includes the use of biometrics and multi-factor authentication. Our products have been architected to support a variety of technologies and to simplify the introduction of new authentication methods. PayOp, our next-generation terminal management system, has a role to play in delivering effective transaction monitoring. We will be pleased to help our business partners and customers understand these latest market requirements and plan for the introduction of enhanced capabilities.

Friday, March 16, 2018