Shopping is such an integral part of daily life that consumers rarely think about the payment process behind it. However, shortening the process for the sake of convenience – to a point where authentication is set aside – has given rise to serious security issues.
Bricks-and-mortar stores still limit the possibilities for fraud. Regardless of the payment method, the cashier can see who hands over money or enters their personal identification number (PIN) code. Yet conducting payments online means encountering different kinds of verification problems. How can the seller, whether an individual or a business, be truly assured of the buyer’s identity?
The latest pan-European figures from the European Banking Authority (EBA) reveal that fraud on online card payments alone caused losses totalling €794m in 2012, a 21.2% increase from 2011, and this figure will have subsequently increased further. As a result, authentication is on the agenda of European regulators who want to enhance the security of electronic payments.
The EBA recently issued new guidelines requiring all payment service providers (PSPs) to carry out strong customer authentication (multi-factor authentication) before accepting online transactions.
New era, new regulations
Decades ago there was little need for authentication; even in the 1950s non-cash transactions were still a rarity. However, as travellers became more mobile and reluctant to carry cash, facilitators such as Visa (first established 1958) and MasterCard (1966) were launched. Credit cards quickly became big business, as did credit card fraud.
Stolen and counterfeit credit cards emerged. To solve this, chip and PIN technology – first issued in the UK in 2003 – was developed and soon revolutionised card payments. By requiring users to enter a four-digit PIN code to authorise a payment, rather than write their signature on a receipt, the use of stolen cards became more difficult and the payments environment improved.
Nevertheless, as merchants and customers moved online, chip and PIN could no longer protect them in cyberspace, and the need for reliable authentication methods increased.
Merchants can now process millions of transactions daily from consumers around the world, but face the constant challenge of ensuring that customers are who they say they are. New methods are increasingly needed to verify identities. One of these – two-factor authentication (2FA) – was introduced as early as 1984; its key was to identify individuals by using something they have (a card and/or device) and something they know (a password).
However, as the number of transactions carried out electronically continues to grow, fraudsters and cybercriminals have a bigger pool of potential victims whose money they aim to get their hands on.
In addition, new payment methods and further technological developments such as electronic wallets – with Apple Pay a prime example – and contactless payments increase the need for stronger authentication methods. The unique selling points of newer payment methods are simplicity and ease of use. They allow consumers to make payments instantly by simply tapping their cards. This leaves no time for authentication to occur, as it would increase the time and complexity of the transaction, thus removing the actual selling points behind the product.
Today, customers want the ability to choose something and take it with them immediately, or have it delivered within days – if not hours. This makes it imperative for merchants to employ an authentication method that is not only secure but also extremely fast.
The EBA guidelines – aligned with the Second EU Payments Directive (PSD2), which regulates the payments industry – require that all PSPs adopt “strong customer authentication” when payers access their accounts, initiate transactions or “carry out any action, through a remote channel, which may imply a risk of payment fraud or other abuses.”
PSD2 defines strong customer authentication as a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence:
• Something only the user knows (such as a password, code or personal identification number).
• Something only the user possesses (a token, smart card or mobile phone).
• Something the user is (a biometric characteristic, such as a fingerprint).
These methods also need to be mutually independent, so that the breach of one does not compromise the other(s). At least one element should be non-reusable (except inherence), non-replicable and not capable of being surreptitiously stolen via the internet.
Be yourself to save yourself
Considering the risks that accompany online payments, both merchants and customers should be keen to implement strict security measures. There are many secure solutions and authentication methods available, which can reduce instances of card fraud, but also a lack of widespread adoption and standardisation. The key seems to be striking a balance between security and convenience.
But which security methods are the most efficient? What kind of information do consumers or businesses need to verify their identity?
Knowledge would seem to be a good place to start. Many payment systems verify user identity by asking a set of security questions that only the user can answer. The obvious downside is that this takes considerable time, and entering personal information into a phone each time a purchase is made is hardly user-friendly.
This is why biometrics is becoming increasingly popular and most computers and smartphones today are already equipped with fingerprint scanners. The difficulty with biometrics is that they cannot be replaced or changed; you have one fingerprint for life. If hackers obtain access to your biometrics, then that authentication method is no longer secure and cannot be used. With high-profile data breaches, such as that launched last June at the Office of Personnel Management (OPM) in the US, this is a major concern for biometric authentication – and one of the main arguments why authentication should rely on more than one element.
However, companies are fighting against this with innovative biometric solutions; one example is MasterCard’s new check, which requires customers to take a ‘selfie’ to prove their identity. To verify that it’s a legitimate selfie – instead of a previously taken photo – the programme requires users to blink when they take their own photo.
Mobile phones have also started to play a key role in authentication. They add an extra layer of security (something you have), with little compromise in relation to usability and convenience.
As a cloud-based payment solution, The Online Payment Exchange (ONPEX) and similar providers take the security of customers and merchants alike very seriously. This is why the industry appreciates innovation in online payments security and supports 2FA, in order to provide the utmost security to customers.
Other articles by Christoph Tutsch