Strong Customer Authentication & Biometrics
2 likes1,712 views
The document discusses the regulatory changes in Europe regarding strong customer authentication (SCA) due to the European Payment Service Directive 2 (PSD2), emphasizing the need for dual-factor authentication for electronic payments. It highlights the role of 3-D Secure 2.0 and biometrics as solutions to enhance security and improve user experiences while complying with these regulations. The collaboration between issuers and merchants, as well as innovations from service providers, is essential for effective implementation and adaptation to the new payment landscape.
Strong Customer Authentication & Biometrics
- 1. Strong Customer Authentication & Biometrics January, 2019
- 2. ©2019 Visa. All rights reserved. Visa public2 Today’s discussion: 1. Changing regulatory landscape (Europe) & the impact on payments 2. Key enablers 3. 3DS 2.0 4. Visa Biometrics 5. Implementation details
- 3. ©2019 Visa. All rights reserved. Visa public3 Changing landscape Uncharted territory Open ecosystem New payments requirements Ambiguity as we implement ©2019 Visa. All rights reserved. Visa public
- 4. ©2019 Visa. All rights reserved. Visa public4 New Regulation • Strong Customer Authentication (SCA) Unless the payment qualifies as low risk, customers must authenticate transaction with at least two independent factors • Largest impact will be on remote electronic payments SCA must be applied to all electronic payments unless out of scope or exempted. Financial transactions can be classified in two ways: European Payment Service Directive 2 Something you know Something you have Something you are (PSD2 - September 2019) Exemptions Contactless payments at point of sale1 Unattended transport and parking terminals Recurring transactions Low value transactions Secure corporate payments Transaction risk analysis Trusted beneficiaries 1 2 3 4 5 6 7 1 Contactless transactions are exempt from SCA unless transactions exceed the count/amount thresholds Cardholder Initiated Transactions (CIT) In-scope Merchant Initiated Transactions (MIT) Out of scope Low Risk Transaction Value Band PSP Fraud Rate <€100 13 bps/0.13% €100-€250 6 bps/0.06% €250-€500 1 bps/0.01%
- 5. ©2019 Visa. All rights reserved. Visa public5 3-D Secure 2.0 • Industry standard for authentication • 2.0 has an enhanced user experience, expanded device usage, greater data sharing and is regulatory smart Visa Biometrics • Consumer-friendly alternative to OTP’s • FIDO implementation provides 2- factor authentication with support for fingerprint, face and voice Products & programs for SCA compliance and optimization
- 6. ©2019 Visa. All rights reserved. Visa public6 Issuer Identifies which transactions need additional authentication. Cardholder Most authentication is invisible to the consumer. Merchant Benefits directly from collaborative data exchange. 3-D Secure 2.0 —Who is involved? Data Expanded data contextualizes the authentication.
- 7. ©2019 Visa. All rights reserved. Visa public7 The issuer collaborates with the merchant to authenticate the cardholder’s identity before authorization occurs 3-D Secure 2.0 —How it works. Authentication verifies the identity of the cardholder. Authentication with 3-D Secure 2.0 complements authorization to strengthen issuer confidence in approving the transaction. Authentication with 3-D Secure Authorization
- 8. ©2019 Visa. All rights reserved. Visa public8 73% of global consumers surveyed would be comfortable using biometrics to make a payment1 Research conducted by Visa from Sept-Nov 2017, among over 10,000 consumers who use at least one credit card, debit card, and/or mobile pay. Why biometrics? 73% Singapore 68% Canada 70% U.S. 83% Brazil 75% UAE 73% Australia 70% New Zealand 74% Japan 78% China 76% South Africa 66% France 65% Ukraine 73% S. Korea 63% Russia
- 9. ©2019 Visa. All rights reserved. Visa public9 Visa Biometrics Streamline SCA by enabling biometrics authentication with 3DS 2.0 & FIDO This page is intended for illustrative purposes only. It contains depictions of a product currently in the process of deployment, and should be understood as a representation of the potential features of the fully-deployed product. The final version of this product may not contain all of the features described in this presentation. Place order Authenticate with Biometrics Merchant SuccessNotification opens issuer app
- 10. ©2019 Visa. All rights reserved. Visa public10 Customer How it works Visa Biometrics with 3DS and FIDO 3DS Program Server Visa Biometric FIDO Server ACSMerchant Server Customer places order Request to 3DS Program Request to issuer’s ACS Request for issuer to perform consumer authentication Issuer initiates authentication request with Visa Issuer Server Issuer sends push notification to issuer’s mobile app for customer to authenticate Customer selects push notification and launches mobile app, which requests authentication policy from issuer’s server Issuer requests authentication policy Issuer sends authentication policy to issuer’s mobile app Customer authenticates with biometrics and result is returned to issuer’s server Issuer’s server completes authentication with Visa Issuer sends authentication resultACS sends response3DS Program returns resultsMerchant approves/denies transaction
- 11. ©2019 Visa. All rights reserved. Visa public11 Source: FIDO Authentication for Mobile Payments – Featuring Biometrics for 3-D Secure 2.0 Why we chose a FIDO implementation Secure • Asymmetric key cryptography • End-to-end design and review with security industry Compliant • Aligns with NIST, W3C, and PSD2 • Authenticators have been certified • Out-of-band on single device Data & Control • Metadata from device, authenticator • Flexible UX above standard API to manage policies Scale • Financial ROI of open standard economics • Mitigate development risk
- 12. ©2019 Visa. All rights reserved. Visa public12 Category RTS FIDO Program Security measures shall be documented, tested, evaluated and audited. The FIDO certification program provides for an independent assessment of the security level. The assessment is typically performed by a FIDO accredited laboratory and evaluated by the FIDO technical staff. Authentication Factors Measures shall be adopted to mitigate the risk that authentication factors are uncovered, used or disclosed to unauthorized parties. Devices that read biometric authentication shall have a very low probability of an unauthorized user being authenticated. Once authentication factors are stored by the FIDO authenticator during registration they do not leave the authenticator and cannot be read, copied or transferred. FIDO authenticators that capture, store, read and compare biometric data are subject to a FIDO biometric certification that attests to the quality level of the biometric implementation. Criteria such as FAR, FRR and PAD are tested. Multipurpose Device Security measures including data protection, secured communication and separated environment shall be adopted when using a multi-purpose device (i.e. smartphone or tablet.) FIDO authenticators are commonly implemented in multi- purposes devices. The FIDO security standards call for firewalling of the FIDO authenticator from other applications in the device through a separated execution environment and protection of this environment from intrusion or alteration. A TLS protected channel is used for communication between the authentication and server. FIDO addresses many items of the European Banking Authority’s Regulatory Technical Standards (RTS) with a few key areas detailed below How FIDO helps with SCA compliance
- 13. ©2019 Visa. All rights reserved. Visa public13 • PSD2 will challenge the payments industry but it will also bring an opportunity for players & solutions to excel ─ The combination of FIDO, Biometrics & 3DS 2.0 meets the demand of both regulators and consumers • Issuers & merchants: ─ Understand what the impacts are to your business ─ Plan and prioritize implementation of 3DS 2.0, authorization message enhancements, tokenization, and biometrics ─ Work with service providers on timing for SCA readiness and how to address exemptions • Service providers: ─ Innovate and continue to work with industry groups (FIDO, EMVCo, etc.) to prepare the next generation of solutions Key Takeaways Moving forward together