Better authentication will secure our digital future

Despite the attractions of digital commerce for consumers, online shopping is not without risk. While current industry efforts to combat fraud have been successful and fraud rates remain low, more value is being lost to fraud as business increasingly turns digital. In 2021, Juniper Research published a study showing that value lost to fraud world-wide had risen by 14% to more than $20 billion in the previous twelve months. Although this is a huge figure, the rate of increase is actually slightly lower than growth seen in digital commerce over the same period, demonstrating that current defences work reasonably well.

That said, the real damage caused by fraud lies more in the risk of declining consumer confidence – and the cost of fighting fraud for issuers, merchants and card networks. Today’s businesses are locked in a battle of wits with the criminal fraternity as they constantly try to anticipate, identify and interdict new fraud types. LexisNexis estimate that every dollar lost to fraud costs businesses $3.75 in administration, customer compensation and other charges, while growing numbers of customers are abandoning digital transactions at checkout if they face long and complex demands for information or escalated authentication procedures.

At present, consumers are protected by a range of anti-fraud regulations around the world. In Europe, the second payment services directive (PSD2) has been adopted by the EU, EEA and UK. This set of regulations adopts a visionary approach to securing e-commerce, including the concept of Strong Customer Authentication (SCA). Under SCA, transactions under €30 are exempted as low value payments, or LVP. Transactions over €30 that do not benefit from other exemptions must be authenticated by at least two factors linked to possession (such as a card number), knowledge (passwords) or inherence (something the user is or does, such as a biometric factor). Transactions which can be reliably assessed as low-risk under what’s known as the Transaction Risk Analysis (TRA) exemption may also be excluded from SCA’s escalated authentication provision.

The problem is that, where exemptions do not apply, SCA can cause additional consumer friction as consumers may be asked to input one-time passcodes (OTPs) or other security information during the transaction process. New techniques are emerging to reduce this friction, from biometric security factors through to smarter approaches to applying exemptions by improving dialogue and data-sharing between issuers and merchants. Thanks to better data flows enabled by EMV’s 3D Secure (3DS) security protocol, it’s possible for issuers to delegate cardholder authentication to merchants, speeding up authentication and cutting the number of escalations required under the SCA protocol.

At Netcetera, we are established experts in providing authentication solutions linked to EMV 3DS that make authentication faster, easier and more effective. Our product portfolio covers all three domains in the payments ecosystem: issuers, networks and the acquiring domain. In addition, our status as an EMVCo associate enables us to anticipate regulatory and market challenges ahead of the market, while actively contributing to improvements in the 3DS standard. At present, we’re working with clients on a range of 3DS-based solutions while continuing to innovate new products with our partners.

For instance, our 3DS Issuing Service[SS3]  leverages our deep expertise with PSD2 SCA implementations to speed up transactions by authenticating cardholders with a single click once they have enrolled. 3DS Issuing allows for the implementation of multiple authentication methods such as One Time Passcodes (OTP) and OOB (biometrics), as well as the FIDO solution with Entersekt discussed below. Every participant in the transaction process – whether they are a merchant, issuer or acquirer – needs to determine the right balance between escalated authentications required by SCA and when to apply exemptions that help to reduce consumer friction. Our services are designed to optimise exemption strategies using Risk-Based Authentication (RBA), which analyses available cardholder data to trigger the Transaction Risk Analysis exemption from escalated authentication mentioned earlier.

When it comes to innovation, our recent work with Entersekt on the world’s first browser-enabled authentication solution using FIDO2 Security Keys likewise delivers maximum security while minimising cardholder friction and escalated authentications – and is a great example of how the industry cannot afford to stand still, either in terms of delivering better experiences for customers or in fighting fraud.

The digitisation of the world’s economy is creating opportunities for people everywhere, enabling them to access services and products from any country at any time over any kind of device. As the digital era unfolds, Netcetera will continue to innovate in partnership with forward-looking banks, merchants and technology companies to offer customers maximum convenience, speed and security wherever, however and whenever they shop online.

Note:

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.