TrustBuilder CEO Marc Vanmaele explores how financial organisations can keep ecommerce slick while increasing authentication security
What was the first thing you bought online?
The chances are that you have made so many purchases on the internet since then that it’s now impossible to recall. Ecommerce has grown in step with access to high-speed internet and smart mobile devices.
According to the Ecommerce Foundation, business-to-consumer ecommerce throughout Europe experienced an estimated year-on-year growth of almost 14 percent in 2017.
The previous year, online shoppers in the UK alone spent over £130bn.
While ecommerce is becoming the dominant method of purchasing goods, retailers want to do all they can to make shopping experiences as simple as possible. When customers pay for goods online, the payment process can present ‘friction’ when the customer is asked to register their details, remember their password or take steps to authenticate themselves. As a result, according to research by American Express, 78% of online shoppers have abandoned a transaction because the checkout process was poor.
Retailers like Amazon have sought to reduce checkout friction by introducing slick services like one-click ordering and voice shopping. Pizza provider Domino’s has even gone one step further by introducing Zero-Click ordering. Increasingly, however, customers demand security in addition to frictionless payment: 19% of shoppers say they will abandon their purchase if they don’t trust the site with their payment details. Their concerns are justified. As more transactions move online, cyber criminals follow. In 2017, card-not-present fraud grew by €30 million across the EMEA region.
To combat this risk, regulators and advisory bodies are introducing measures to clamp down on crime. In January 2018, the new EU Payment Services Directive (PSD2) introduced new laws aimed at improving consumer rights across the continent. To give financial organisations time to adjust to some of the more disruptive regulations under the directive, some of its stipulations will be enforced later, from 2019 onwards.
One of these requirements is to introduce strong customer authentication for a number of online transactions, and the European Banking Authority backs up the regulation with advice and guidelines on how these requirements should be met.
How is the industry responding?
When requirements for strong customer authentication under PSD2 begin to be enforced, banks will start asking their customers to take extra steps to prove their identity using additional authentication factors. They may choose to ask for biometric information such as a fingerprint, or for a one-time passcode sent to the customer’s mobile device.
Of course, the world’s most popular payment networks, Visa and Mastercard, had been focused on card fraud prevention long before PSD2. Visa introduced the 3-D Secure protocol in 2001, which was adopted by issuers as ‘Verified by Visa’ and ‘MasterCard SecureCode’, and by American Express as ‘SafeKey’.
However, some believe the protocol had limitations. According to The Guardian, some shoppers were confused and alarmed when they started seeing 3-D Secure pop-ups. There were security concerns too: Trend Micro’s Vice President of Security Research discussed its restrictions in a blog post back in 2011.
Visa has since made improvements to enhance the simplicity and security offered by the 3-D Secure platform, including new capabilities to make payment verification more seamless on mobile devices. Still, it seems the company believes that the banks issuing Visa cards could go further to satisfy the impending need to offer strong customer authentication.
According to consumer group Which?, Visa has set out guidelines for issuing banks, recommending that they prepare to comply with the requirement for strong customer authentication by September 2019. Visa will let issuers decide how they prepare, but recommends sending one-time passwords to shoppers via SMS as an extra layer of security.
However, this method is not infallible. Which? added that one-time passcodes can be intercepted in spoof text scams, where fraudsters pose as banks to trick victims into handing over genuine passcodes. Mastercard shares this view and recommends that its issuers include fingerprint readers on their cards.
But fingerprints may not be ideal either. In 2015, a US government database containing 5.6 million individuals’ fingerprints was hacked. The database for India’s Aadhaar ID card system contains fingerprint data for more than 1.1 billion registered Indian citizens, and has been subject to numerous leaks. If a hacker obtains your password, it can be changed. If they obtain your fingerprint scan, it could be used to impersonate you indefinitely.
Organisations are clearly acknowledging that passwords alone are not enough to secure sensitive payment information, but it seems that two factors may not be enough either. Ultimately, both of these methods will also add some friction to the customer journey. So how can the financial industry meet the demand for increased security while keeping shopping experiences slick?
Balancing flexibility, choice and security
There are many different forms of multi-factor authentication for banks and payment processors to choose from. Although each of these can add complexity to the checkout process, consumers are becoming familiar with various methods. Online services such as Google, Facebook, Twitter and Dropbox enable users to apply an extra layer of security to their accounts.
To enable secure access, organisations may choose to check more than one additional piece of information before allowing a transaction to take place. The right balance between security and simplicity can be found by identifying users dynamically, considering not just who they are, but also the context in which the transaction or session is taking place.
This approach has the potential to add friction, however. That’s why some banks are employing Identity and Access Management (IAM) solutions to gather as much user context as necessary. The best solutions enable banks to authenticate users dynamically, considering factors such as the user’s age, location, and whether the device they are using is recognised.
When introducing an IAM solution, organisations should look for those that enable flexibility. They may wish to enable users to choose their preferred MFA method, or adapt to new technology when new possibilities emerge. This flexibility can be found in an IAM solution that allows organisations to change their authentication policies without changing the surrounding architecture.
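The dynamic, context-aware decision described above can be sketched as a small policy engine. This is an added example, not TrustBuilder’s product or any bank’s code: the session signals (recognised device, session country versus home country, transaction amount), the weights and the step-up threshold are all assumptions, and the policy is held as plain data so it can be retuned without changing the surrounding checkout code.

```python
# Added example (not TrustBuilder or bank code): context-aware step-up authentication
# with the policy held as data. Signal names, weights and thresholds are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionContext:
    amount_eur: float
    device_recognised: bool      # device cookie/fingerprint seen before for this user
    session_country: str         # e.g. from IP geolocation (assumed signal)
    home_country: str            # country on the customer's record
    enrolled_factors: tuple      # second factors the customer has set up


# Policy as data: could be loaded from JSON and changed without a code deploy.
DEFAULT_POLICY = {
    "high_value_limit_eur": 250.0,
    "weights": {"unrecognised_device": 40, "foreign_session": 30, "high_value": 30},
    "step_up_threshold": 50,
    # strongest-first preference when a second factor is required
    "factor_preference": ("fingerprint", "app_push", "sms_otp"),
}


def signals(ctx, policy):
    """Derive boolean risk signals from the session context."""
    return {
        "unrecognised_device": not ctx.device_recognised,
        "foreign_session": ctx.session_country != ctx.home_country,
        "high_value": ctx.amount_eur >= policy["high_value_limit_eur"],
    }


def risk_score(ctx, policy=DEFAULT_POLICY):
    """Sum the weights of the signals that fired; returns (score, fired_signal_names)."""
    fired = [name for name, on in signals(ctx, policy).items() if on]
    return sum(policy["weights"][name] for name in fired), fired


def decide(ctx, policy=DEFAULT_POLICY):
    """Return ("allow", None), ("step_up", factor) or ("deny", reason).

    Low-risk sessions pass on the first factor alone; risky ones must present the
    strongest second factor the customer has enrolled. A customer with no usable
    second factor is refused rather than silently let through."""
    score, fired = risk_score(ctx, policy)
    if score < policy["step_up_threshold"]:
        return ("allow", None)
    for factor in policy["factor_preference"]:
        if factor in ctx.enrolled_factors:
            return ("step_up", factor)
    return ("deny", "no enrolled second factor; risk signals: " + ", ".join(fired))
```

Tightening the policy (for example lowering `step_up_threshold`) changes when the second factor is demanded without touching `decide`, which is the kind of flexibility the text asks of an IAM solution.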
Flexible IAM solutions will help financial organisations to navigate the changing authentication landscape. In turn, this will help them provide online shopping experiences that are simple, secure and flexible, however complex the landscape becomes.