FIDO and Secure Payment Confirmation

Progress on 3-D Secure to benefit merchants and issuers

Card issuers and online merchants alike have an interest in further simplifying the checkout process in e-commerce for customers, while at the same time further enhancing security. This is the only way to reduce shopping cart abandonment and increase sales.

With FIDO and Secure Payment Confirmation (SPC), two options are now available that can be used to make the authentication of card payments in the context of 3-D Secure even more customer-friendly. Kurt Schmid, Marketing and Innovation Director Secure Digital Payments at Netcetera, and Rolf Lindemann, Vice President Products at Nok Nok, explain how this works and what prospects it opens up.

The FIDO Alliance (Fast Identity Online) has developed a vendor-independent standard for authentication using roaming hardware authenticators (USB tokens, dongles, key fobs) or platform authenticators built into a device. This allows two-factor authentication that meets the requirements of the PSD2 payment services directive.

The World Wide Web Consortium (W3C), which standardizes web technologies, is standardizing Secure Payment Confirmation as a new web standard. It is designed to simplify and speed up FIDO-based authentication for payment transactions.

Challenges posed by strong customer authentication

Card payments in e-commerce still face three main challenges. First, consumers find 3-D Secure authentication cumbersome and inconvenient, which repeatedly leads to abandoned purchases. Second, 65 percent of losses due to card misuse occur in the card-not-present (CNP) area, i.e. mainly in e-commerce, so there is an obvious need for action. Third, the risk assessment methods currently in use are not sophisticated enough: legitimate card transactions are wrongly declined, which annoys the affected customers.

Strong customer authentication has become mandatory for card payments in e-commerce, and various solutions have been developed as a result. For example, Mastercard's Chip Authentication Program (CAP) specifies how EMV chip cards can be used to authenticate users and transactions in online banking. These and other initiatives face the challenge of gaining broad support across the industry while maintaining a high level of security.

FIDO can solve several problems

The starting point for the development of FIDO was the inadequacy of traditional passwords. Consumers maintain an average of 70 to 80 customer accounts with a wide variety of providers, and 65 percent of users regularly forget one or more passwords. There are also plenty of examples of how easily passwords are obtained through phishing or stolen from providers' servers. One-time passwords (OTP) do not remedy this: the process is slow, it achieves a success rate of no more than 85 percent, and an OTP typed into a phishing page can be relayed to the real site just like a password.

The aim of FIDO is to raise the level of security while improving user-friendliness. With FIDO, users prove possession of an "authenticator" that is registered to them. Authentication is a challenge-response protocol based on public-key cryptography: the authenticator signs a fresh challenge from the relying party with a private key that never leaves the device, and the relying party verifies the signature with the public key it stored at registration. Because the signature is bound to the relying party's origin, a credential cannot be replayed against a phishing site.

A wide variety of solutions can be used as authenticators: from a platform authenticator such as Touch ID used by a smartphone app to a USB token. FIDO is now supported by all major hardware and software providers, including Apple, Google, Microsoft and Samsung, as well as the card organizations American Express, Mastercard and Visa.

Kurt Schmid: "FIDO can rely on very broad support from the entire industry, which allows the efficient scalability of secure authentication methods. Thus, FIDO enables us to meet consumer expectations for even more user-friendly technology."

The EMV 3-D Secure specifications define how FIDO can be used for authentication. In addition, the FIDO Alliance has published a document explaining how the requirements of the PSD2 Payment Services Directive for Strong Customer Authentication are met with a FIDO authenticator.

Authentication based on FIDO can be used by both issuers and online merchants. For authentication with the issuer, for example, it is sufficient for cardholders to confirm a transaction with a fingerprint on their smartphone. If a merchant has securely registered its customers via FIDO, the login to the customer's account with the merchant can, by agreement with the issuer, serve as authentication for the payment (delegated authentication). For customers, this means they are no longer shuffled back and forth between the merchant app and the bank app during checkout but can complete the payment with a single click.

Secure Payment Confirmation in development

Secure Payment Confirmation (SPC) is a Web API (Application Programming Interface) developed by the Web Payments Working Group within the World Wide Web Consortium (W3C). It is currently available as a draft, and a first prototype implementation exists in Google Chrome. In addition, the use of SPC is now standardized in the new EMV® 3DS 2.3 protocol. Issuers, merchants and PSPs are therefore well advised to analyze and support SPC quickly.

SPC supports seamless authentication during a payment transaction and is designed to scale authentication across different merchants. It can be embedded in a variety of authentication protocols and provides cryptographic proof that the user has confirmed the transaction data (payee and amount) shown to them. This enables consistent, low-friction, strong authentication using platform authenticators. Customer registration is required before SPC can be used; the issuer can perform it, for example, directly after a successful authentication in a dedicated dialog. The registration itself again uses FIDO.

Initial experiments by a PSP show that SPC can significantly increase conversion and markedly reduce transaction time.

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.
