EBE 2019 - The end of passwords: Two-factor-authentication and biometrics are coming 2019
E-commerce Berlin Expo
February 20, 2019
The end of passwords: Two-factor-authentication and biometrics coming 2019
© 2018 Mastercard. Proprietary and Confidential

STATUS QUO
The challenges in the digital payments landscape are creating the need for better authentication

Digital commerce continues to grow — with a greater share via mobile. With this growth and the global migration to EMV chip in the physical world, card-not-present (CNP) continues to be the main area of card fraud. But consumers expect digital payments to be as simple and secure as in the physical world.

• DIGITAL PAYMENTS HAVE HIGHER FRAUD RATES: >10x higher is the digital fraud vs. physical in Europe – together with lower approval rates this holds the risk of negative impact on usage and attrition [1]
• DIGITAL PAYMENTS HAVE LOWER APPROVAL RATES: 97% vs. 85% is the gap between physical and digital approval rates in Europe [1]
• THE MAJORITY OF FRAUD IS CNP: >75% of total card fraud in the region is from card-not-present (CNP) — and in most markets is on the rise [2]

1. MASTERCARD. JANUARY THROUGH NOVEMBER 2017 DATA, ACROSS ALL CARD TYPES. 2017.
2. EUROMONITOR, FICO. 2016.

PAIN POINTS
Current authentication tools and methods do not meet the need for simple and secure payments

• Consumers are impacted by fraud and high false decline rates
• Merchants hesitate to adopt new technologies and lose revenue
• Issuers are confronted by growing competition and regulation issues

• >1/3: Consumers are concerned about card fraud [2], still one out of five uses the same password for every website [7]
• 20-25%: online purchases in Europe are abandoned before completion [1]
• 62%: Of breaches could have been prevented by stronger authentication methods such as dynamic passwords and biometrics [3]
• 1/3: Europeans say they use their replacement card less, post fraud — with more than 1 out of 10 actually switching banks [5]
• up to 23%: Of payment revenue is at risk for European issuers within the next five years, from digital disruptors [6]
• 1 out of 3: Transactions declined due to suspected fraud are believed to be legitimate [4]

1. DIGITAS LBI. DIGITAL. CONNECTED COMMERCE SURVEY. 2017
2. AITÉ. GLOBAL SECURITY ENGAGEMENT SCORECARD. 2016
3. VERIZON. DATA PASSWORDS BREACH INVESTIGATIONS REPORT. 2015
4. JAVELIN. FUTURE-PROOFING CARD AUTHORIZATION. 2015
5. AITE. GLOBAL CONSUMER CARD FRAUD: WHERE CARD FRAUD IS COMING FROM. 2016
6. MCKINSEY. A BRAVE NEW WORLD FOR GLOBAL BANKING. 2016
7. ACCENTURE. DIGITAL CONSUMER SURVEY OF 24,000 CONSUMERS IN 24 COUNTRIES. 2015

Strong Customer Authentication (SCA)
Merchants will need to include mandatory strong authentication from September 2019

What is Strong Customer Authentication (SCA)?

SCOPE
• Online / remote payments (incl. card on file)
• Mobile in store payments
• Access to mobile banking app

KEY PRINCIPLE
2-factor authentication across Knowledge, Possession and Inherence

Main EXEMPTIONS (for low risk transactions)
• Remote transactions up to EUR 30 (for 5 consecutive transactions, or alternatively for total of EUR 150)
• Remote transactions between EUR 30 and EUR 500 provided RBA is applied by the issuer or the acquirer and their fraud rates are under specific thresholds
• Remote transactions to white lists of trusted beneficiaries and recurring transactions (SCA is required for the initial ‘subscription’)
• Contactless transactions up to EUR 25 (regulation allows up to 30 EUR)

THIS SLIDE DOES NOT CONTAIN ANY LEGAL ADVICE

How does Strong Customer Authentication change the customer journey?

Journey stages shown (€ 95.00 order): Place order, Payment method, Delivery, Authentication, Order confirmation

Key change 1: SCA may lead to an increased step-up rate on the short-term
Key change 2: SCA compliance will require specific authentication methods

Authentication methods shown (non-exhaustive):
• Device and touch ID
• OTP via SMS* + Knowledge factor
• Username and static password
• Only card number
• Card data + OTP via SMS

Legend: ✓ Compliant with SCA; ? To be clarified by EBA**; ✗ Non-compliant with SCA

*SMS OTP might be replaced by voice authentication via inbound call if SMS OTP is considered non-compliant
**EBA stands for the European Banking Authority (regulatory agency)

How does SCA non-compliance impact my business?

• Lost revenue: SCA non-compliance leads to higher cart abandonment which represents lost revenue
• Reputational risk: Once merchants do not comply with EU regulation, customers may feel unsafe shopping on the website
• Fines: Regulatory bodies may fine merchants that do not comply with SCA

[Chart: How many times have you abandoned your shopping cart?* Answers: Never, 1-2 times, 3-5 times, 5+ times; abandoned purchase at least once. Countries: UK, Sweden, Germany]
[Chart: What is the reason for cancelling payment?* Answers: Payment related, Change of mind, Others. Countries: Germany, Sweden, UK]

Examples of payment issues:
- Too much information to fill
- Checkout process was too time consuming

*Source: Mastercard Consumer Survey January 2018

Identity Check & EMV 3DS

3DS v1
- Web only
- Limited data
- Payments only

EMV 3DS (v2)
- Multiple channels (web and mobile App)
- Much more data and options (to better manage the risk)
- Payments and beyond

Multiple authentication methods
Biometric-based authentication with SMS OTP as back-up
• Less friction
• Less fraud
• More sales
• More business continuity

EMV 3DS / Identity Check Program will significantly enhance authentications

1. 100+ data elements sent from merchant to issuer
   • Shipment Address, Email, Telephone, ...
   • IP and Wifi Address, Type, Model, OS, Settings (time, Language...), ...
   • Merchant Category, Merchant Risk Info (e.g. customer already authenticated?), ...
   • Reduces Risk, Achieves Compliance with PSD2 RTS Transaction Monitoring and Transaction Risk Analysis
2. In-app transactions and any device type supported
   • Merchant SDK for data collection and user interface
   • Data Elements to specify screen size
3. User Experience standardized, optionally using merchant app look & feel
   • Issuer provides Data Elements to be shown by Merchant to cardholder, e.g. Text, Labels, Data to be Entered by Cardholder

• Only user friendly authentication methods allowed
• Key Performance Indicators must be met

PSD2 and SCA (from 14 September 2019)
Overview of the SCA exemptions for card Remote Payments

[Diagram axes: scope; % of txs with SCA]

Out of scope
• Anonymous prepaid cards
• Mail Order / Telephone Order (MOTO)
• Inter / ‘one leg’ transactions
• Merchant Initiated Payment (a)

In scope of the RTS for SCA

All “PSPs”
• Secure corporate payments (art 17)
• White lists of trusted beneficiaries (art 13)
• Recurring transactions (art 14) - same amount, same payee
• Low-value transactions (art 16) <30 EUR - with counter limitation

Low fraud “PSPs”
• Transaction Risk Analysis (art 18)
  - up to 30€ with no counter limitation
  - up to 100€ if fraud <13 bps
  - up to 250€ if fraud <6 bps
  - up to 500€ if fraud <1 bps

SCA exemptions enable the most frictionless customer UX (no cardholder challenge) allowing higher flexibility on the biggest part of CNP business

(a) Subject to confirmation by EBA
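
The exemption rules from the two SCA slides, written as a decision function for a remote card payment. This is an added example, not code from Mastercard or the presenter: the class and function names, the per-card counter model and the evaluation order are assumptions, and the limits are the figures printed on the slides.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum

# Limits as printed on the slides; everything else here is an assumption.
LOW_VALUE_LIMIT_EUR = Decimal("30")            # low-value exemption (art 16)
LOW_VALUE_MAX_CONSECUTIVE = 5                  # "for 5 consecutive transactions"
LOW_VALUE_MAX_CUMULATIVE_EUR = Decimal("150")  # "or alternatively for total of EUR 150"
# Transaction Risk Analysis (art 18): (amount ceiling in EUR, fraud rate must be below N bps)
TRA_BANDS = [(Decimal("100"), Decimal("13")),
             (Decimal("250"), Decimal("6")),
             (Decimal("500"), Decimal("1"))]


class Decision(Enum):
    OUT_OF_SCOPE = "out of scope of the RTS"
    EXEMPT_WHITELIST = "exempt: trusted beneficiary (art 13)"
    EXEMPT_RECURRING = "exempt: recurring transaction (art 14)"
    EXEMPT_TRA = "exempt: transaction risk analysis (art 18)"
    EXEMPT_LOW_VALUE = "exempt: low value (art 16)"
    SCA_REQUIRED = "SCA required"


@dataclass
class Transaction:
    amount_eur: Decimal
    out_of_scope: bool = False        # anonymous prepaid, MOTO, 'one leg', merchant-initiated
    payee_whitelisted: bool = False   # payee is on the cardholder's white list
    recurring_followup: bool = False  # same amount and payee; first payment had SCA
    rba_low_risk: bool = False        # outcome of the PSP's own risk-based analysis


@dataclass
class Counters:
    """Per-card counters since the last SCA (hypothetical storage model)."""
    consecutive: int = 0
    cumulative_eur: Decimal = Decimal("0")


def tra_ceiling(fraud_rate_bps):
    """Highest amount a PSP with this fraud rate may exempt via TRA, else None."""
    rate, ceiling = Decimal(fraud_rate_bps), None
    for amount, max_bps in TRA_BANDS:
        if rate < max_bps:  # the slide states a strict "<"
            ceiling = amount
    return ceiling


def evaluate(tx, counters, psp_fraud_bps, cumulative_mode=False):
    """Return the Decision for one remote card payment without changing state."""
    if tx.out_of_scope:
        return Decision.OUT_OF_SCOPE
    if tx.payee_whitelisted:
        return Decision.EXEMPT_WHITELIST
    if tx.recurring_followup:
        return Decision.EXEMPT_RECURRING
    ceiling = tra_ceiling(psp_fraud_bps)
    if tx.rba_low_risk and ceiling is not None and tx.amount_eur <= ceiling:
        return Decision.EXEMPT_TRA  # checked first: it does not use up the counter
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        if cumulative_mode:
            total = counters.cumulative_eur + tx.amount_eur
            within = total <= LOW_VALUE_MAX_CUMULATIVE_EUR
        else:
            within = counters.consecutive < LOW_VALUE_MAX_CONSECUTIVE
        if within:
            return Decision.EXEMPT_LOW_VALUE
    return Decision.SCA_REQUIRED


def record(decision, tx, counters):
    """Apply the counter limitation: count low-value exemptions, reset after SCA."""
    if decision is Decision.SCA_REQUIRED:  # assumes the challenge then succeeded
        counters.consecutive, counters.cumulative_eur = 0, Decimal("0")
    elif decision is Decision.EXEMPT_LOW_VALUE:
        counters.consecutive += 1
        counters.cumulative_eur += tx.amount_eur
    return counters


def run_sequence(amounts, psp_fraud_bps, cumulative_mode=False, rba_low_risk=False):
    """Evaluate constructed payments on one card in order; return the decisions."""
    counters, decisions = Counters(), []
    for amount in amounts:
        tx = Transaction(Decimal(amount), rba_low_risk=rba_low_risk)
        decision = evaluate(tx, counters, Decimal(psp_fraud_bps), cumulative_mode)
        record(decision, tx, counters)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed input: seven EUR 10 payments at a PSP whose fraud rate (20 bps) rules out TRA.
    for d in run_sequence(["10"] * 7, "20"):
        print(d.value)
```

With the consecutive counter, the sixth low-value payment in a row triggers a challenge and the counter restarts; a PSP under 6 bps can exempt a low-risk EUR 240 payment through TRA but not a EUR 260 one.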

Market survey: What will an issuer do with a non authenticated transaction?
28% of issuers indicated that no-EMV 3DS authorizations will be declined, if subject to PSD2 SCA

[Chart: Always decline; Decline if subject to PSD2 RTS; Decline if subject to PSD2 and no exemption appli; PSD2 will not change current processing. Values shown: 25%, 47%, 12%, 15%]

Source: Survey on 27 August 2018 with 110 European issuers
Whitelisting
Exemption regardless of Amount

Whitelisting - During checkout
‘One click payments’ on a specific merchant website, meaning when making a next purchase the order is automatically charged to the payment method and shipped to the address associated with your ‘one click payments’.
• Option A: after the completion of the transaction
• Option B: on the authentication page

Whitelisting – Outside of checkout
When opening their banking app, the customer can be offered the option to make ‘one click payments’ on one or more merchant websites, meaning when making a next purchase the order is automatically charged to the payment method and shipped to the address associated with your ‘one click payments’. The customer may also be able to control the payment interactions with each of the websites (such as setting spending limits or receiving spending alerts).

Plan for 2019
Convenient Compliance with PSD2

Transition period before September 2019

Timeline milestones: JAN’19, APRIL 2019, SEPTEMBER 2019, Dec 2019

• Identity Check: Issuers support Identity Check Brand & Program
• EMV 3-D Secure 2.0
• Biometrics and EMV registrations
• Acquirers have to ensure that Identity Check and EMV-3DS is used by merchants
• Issuer and Acquirer must support EMV-3DS
• Transition phase with rising 3DS volume, better RBA
• 3-D Secure 2.0 mandatory
• already established at many banks
• Reaching customer base of conveniently transacting SCA
• Whitelisting: Pilots in Feb 2019
• Authentication Delegation with Auth Express: Q1 Contract, Potential Start of Pilots

Key recommendations

Recommended Actions
• Implement EMV 3DS server (plug-in) – execute on Specs 2.2. as soon as possible
• Add Identity Check brand to site / check terms & conditions
• Discuss with your Acquirer and Payment Service Providers potential exemptions they plan to leverage
• Assess the importance of each exemption for you
  – Whitelisting
  – Low Value
  – Transaction Risk Analysis
• Support new data elements in authorization message (DS Transaction ID, Protocol version, acquirer exemption), retry with 3DS when “no-3DS” authorization is declined
• Gather information for best flagging of authentications to avoid step-up (deliver as much data as possible from merchant to issuer)
