There is a good summary here of the ECB report on how to do strong customer authentication.

The document states that transactions should only be initiated following "strong customer authentication". The ECB recommendations require the use of two or more "mutually independent elements" taken from: something only the user knows, such as a password; something only the user has, for example a card reader or mobile phone; and something only the user "is", a biometric characteristic such as a fingerprint.

The challenge for commerce businesses, however, remains the same: security and authentication get in the way of genuine customers completing purchases. Ecommerce managers monitor abandoned carts as a key performance metric, and if extra authentication leads to fewer sales, they will not want to introduce it.

Adoption also depends on coordination. Every business is happy to adopt a new industry standard once it knows that all its competitors are adopting it too. But once one leading business decides not to implement the standard, it becomes a competitive advantage not to have those extra security steps in the checkout or login process, which leads to lower adoption of new security standards in the absence of regulation.


  1. By way of update on the ECB's strong customer authentication:

    The ECB final publication was released on 31/1/13 and it is found here >

    The Guidelines and Public Consultation Outcomes on the right hand side.

    They are technology neutral, and seek to foster competition and innovation.

    The European Commission's Draft Payment Services Directive 2 (PSD2) is here >:

    This has gone to the European Parliament for enactment.

    The liability shift provisions will overrule the card scheme rules by operation of law. The ECB also requires that the card schemes implement a liability shift regime and process when strong customer authentication is used.

    See Proposed PSD2 Art.65 & Art.66 re liability shift.

    Of note, is that payment gateways and Acquirers will be liable for fraud on their networks if they don’t implement strong customer authentication.

    Proposed PSD2 Art. 85 to 87 call for the mandatory implementation of the ECB's Guidelines across all remote payments, including eWallets, eMandates and credit card not present payments. The ECB definition of a PSP now includes Payment Gateways and Payment Integrators, for the purpose of determining liability (see ECB 'Scope').

    Strong Customer Authentication will be applicable to all transactions acquired in the SEPA, across all 28 ECB recognised card schemes, from 01/02/2015.

    The best known variant of strong customer authentication is 3D Secure.

    Older implementations of 3D Secure that utilise a static password do not comply with the ECB requirement that "At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet".

    This will require upgrades to 3D Secure systems, on a card scheme by card scheme basis.

    Some competition to 3D Secure has emerged by way of an alternative process >

    iSignthis claims to authenticate transactions across all 28 ECB recognised card schemes, with only acquiring side involvement necessary.

    It inherits the issuer's security and customer KYC by a clever means of account access, that is not technical, but up to the cardholder to facilitate by logging in to their online banking or calling their bank.

    See > and also

    In the meantime, India has also mandated authentication >

    ...and of course China UnionPay, which doesn't use 3D Secure, is getting a larger share of the global merchant market.
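The contrast drawn in the comment above, between a static 3D Secure password and an element that is "non-reusable and non-replicable", is easy to show in code. The block below is an added example written for this page; it is not code from the original post, the commenter, the ECB, or any 3D Secure implementation. It implements the HOTP algorithm from RFC 4226 (HMAC-SHA1 over a counter, dynamically truncated to six digits) and uses the RFC's published test-vector key as a constructed demo secret. The `StaticPasswordVerifier` and `HotpVerifier` classes, the look-ahead window of 5 and the `replay_demo` scenario are illustrative assumptions, not part of any standard or product.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226 test-vector key, not a real credential.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    then the 'dynamic truncation' of section 5.3, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


class StaticPasswordVerifier:
    """The 'older 3D Secure' model: the same secret is presented on every
    transaction, so anything that captures it once can replay it forever."""

    def __init__(self, password: str):
        self._hash = hashlib.sha256(password.encode()).digest()

    def verify(self, submitted: str) -> bool:
        candidate = hashlib.sha256(submitted.encode()).digest()
        return hmac.compare_digest(self._hash, candidate)


class HotpVerifier:
    """Server side of a non-reusable element. The server tracks the next
    counter it expects; each code is accepted at most once, and anything at or
    below an already-consumed counter is rejected even if it is otherwise valid.
    The look-ahead window (an assumption here) tolerates a token that was
    pressed a few times without the codes reaching the server."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret = secret
        self._counter = 0  # next counter value the server will accept
        self._look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self._counter, self._counter + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, c), submitted):
                self._counter = c + 1  # consume this code and every older one
                return True
        return False


def replay_demo():
    """An attacker captures one credential in transit and submits it again.
    Returns (static_first, static_replay, hotp_first, hotp_replay)."""
    static = StaticPasswordVerifier("hunter2")  # constructed demo password
    captured_pw = "hunter2"
    static_first = static.verify(captured_pw)
    static_replay = static.verify(captured_pw)  # still accepted

    otp = HotpVerifier(DEMO_SECRET)
    captured_otp = hotp(DEMO_SECRET, 0)  # the first code the user sends
    hotp_first = otp.verify(captured_otp)
    hotp_replay = otp.verify(captured_otp)  # counter has moved on: rejected
    return (static_first, static_replay, hotp_first, hotp_replay)


if __name__ == "__main__":
    print("RFC 4226 vectors:", [hotp(DEMO_SECRET, c) for c in range(3)])
    print("(static_first, static_replay, hotp_first, hotp_replay) =", replay_demo())
```

The point the comment makes is visible in `replay_demo`: the static password verifies on the replay exactly as it did the first time, while the HOTP verifier refuses the captured code because the counter it is bound to has already been consumed. A counter-based code on its own still says nothing about which transaction it authorises; binding the code to the amount and payee (so-called dynamic linking) is a separate step that this example does not cover.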