The end of passwords: Two-factor-authentication and biometrics are coming 2019

E-commerce Berlin Expo
February 20, 2019
The end of passwords:
Two-factor-authentication and biometrics coming 2019

©2018Mastercard.ProprietaryandConfidential
STATUS QUO
The challenges in the
digital payments
landscape are creating
the need for better
authentication
2
1.MASTERCARD. JANUARY THROUGH NOVEMBER 2017 DATA, ACROSS ALL CARD TYPES. 2017.
2. EUROMONITOR, FICO. 2016.
Digital commerce continues to grow — with a
greater share via mobile. With this growth and
the global migration to EMV chip in the physical
world, card-not-present (CNP) continues to be
the main area of card fraud. But consumers
expect digital payments to be as simple and
secure as in the physical world.
©2018Mastercard.ProprietaryandConfidential.
higher is the digital fraud vs. physical
in Europe – together with lower
approval rates this holds the risk of
negative impact on usage and attrition1
>10x
DIGITAL PAYMENTS HAVE HIGHER FRAUD RATES
97% vs. 85%
is the gap between physical and digital
approval rates in Europe1
DIGITAL PAYMENTS HAVE LOWER APPROVAL RATES
>75%
of total card fraud in the region is from
card-not-present (CNP) — and in most
markets is on the rise2
THE MAJORITY OF FRAUD IS CNP

3
Current authentication tools and methods do not meet the
need for simple and secure payments
PAIN POINTS
Consumers are concerned about
card fraud2, still one out of five uses
the same password for every
website7
>1/3
Consumers are impacted by
fraud and high false decline rates
online purchases in Europe are
abandoned before completion120-25%
Merchants hesitate to adopt
new technologies and lose revenue
Issuers are confronted by
growing competition and
regulation issues
Of breaches could have been
prevented by stronger
authentication methods such as
dynamic passwords and
biometrics3
62% Europeans say they use their
replacement card less, post
fraud—with more than 1 out of 10
actually switching banks5
1/3
Of payment revenue is at risk for
European issuers within the next
five years, from digital disruptors6
upto23%
1. DIGITAS LBI. DIGITAL. CONNECTED COMMERCE SURVEY. 2017 2 AITÉ. GLOBAL SECURITY ENGAGEMENT SCORECARD. 2016 3 VERIZON. DATA PASSWORDS
BREACH INVESTIGATIONS REPORT. 2015 4 JAVELIN. FUTURE-PROOFING CARD AUTHORIZATION. 2015 5 AITE. GLOBAL CONSUMER CARD FRAUD: WHERE CARD
FRAUD IS COMING FROM. 2016 6 . MCKINSEY. A BRAVE NEW WORLD FOR GLOBAL BANKING. 2016 7 ACCENTURE. DIGITAL CONSUMER SURVEY OF 24,000
CONSUMERS IN 24 COUNTRIES. 2015
1 outof3 Transactions declined due to
suspected fraud are believed to be
legitimate4

Strong Customer
Authentication (SCA)
Merchants will need to include mandatory
strong authentication from September 2019

What is Strong Customer Authentication (SCA)?
SCOPE
• Online / remote
payments
(incl. card on
file)
• Mobile in store
payments
• Access to
mobile
banking app
KEY PRINCIPLE
2-factor 2-factor
2-factor
Knowledge Possession
Inherence
Remote transactions up to EUR 30 (for 5
consecutive transactions, or alternatively
for total of EUR 150)
Remote transactions between EUR 30
and EUR 500 provided RBA is applied by
the issuer or the acquirer and their fraud
rates are under specific thresholds
Main EXEMPTIONS
(for low risk transactions)
Remote transactions to white lists of
trusted beneficiaries and recurring
transactions (SCA is required for the
initial ‘subscription’)
Contactless transactions up to EUR 25
(regulation allows up to 30 EUR)
THIS SLIDE DOES NOT CONTAIN ANY LEGAL ADVICE
5

Authentication
Order
confirmation
Place
order
Payment
method Delivery
€ 95.00 € 95.00
Key change 2
SCA compliance will
require specific
authentication
methods
Device and
touch ID
OTP via SMS* +
Knowledge
factor
Username and
static
password
Only card
number
Card data +
OTP via SMS
Compliant with SCA To be clarified by EBA**
Non-
exhaustive
P O O O
P
?
Non-compliant with SCAO?
*SMS OTP might be replaced by voice authentication via inbound call if SMS OTP is considered non-compliant **EBA stands for the European Banking Authority (regulatory agency)
Key change 1
SCA may lead to an
increased step-up
rate on the short-
term
How does Strong Customer Authentication change the customer journey?
6

How does SCA non-compliance impact my business?
Lost revenue
Reputational risk
Fines
How many times have you abandoned your
shopping cart?*
Abandoned purchase
at least once66%77%
19% 12% 11%
25%
21% 17%
32%
34% 38%
23% 34% 34%
UKSweden Germany
Never
1-2 times
3-5 times
5+ times
66%
9%
Paymen
t related
10%
Change
of mind
Others
66%
71%
42%
49%
75%
41%
8%
Germany
Sweden
UK
What is the reason for cancelling payment?*
*Source: Mastercard Consumer Survey January 2018
SCA non-compliance leads to higher cart
abandonment which represents lost revenue
Once merchants do not comply with EU regulation,
customers may feel unsafe shopping on the website
Regulatory bodies may fine merchants that
do no comply with SCA Examples of
payment issues:
-Too much
information to fill
-Checkout
process was too
time consuming
€
7

Identity Check & EMV 3DS
Multiple authentication methods
- Multiple channels
(web and mobile App)
- Much more data and options
(to better manage the risk)
- Payments and beyond
3DS v1 EMV 3DS (v2)
- Web only
- Limited data
- Payments only
Biometric-based authentication
with SMS OTP as back-up
• Less friction
• Less fraud
• More sales
• More business
continuity
8

EMV 3DS / Identity Check Program will significantly enhance authentications
100+ data elements sent
from merchant to issuer
In-app transactions and any
device type supported
User Experience standardized,
optionally using merchant app
look & feel
Shipment Address
Email
Telephone
...
IP and Wifi Address
Type, Model, OS
Settings (time, Language...)
...
Merchant Category
Merchant Risk Info (e.g. customer
already authenticated?)
...
Reduces Risk,
Achieves Compliance with PSD2 RTS
Transaction Monitoring and Transaction Risk
Analysis
Merchant SDK for data collection and
user Interface
Data Elements to specify screen size
9
Issuer provides Data Elements to be
shown by Merchant to cardholder, e.g.
• Text, Labels
• Data to be Entered by Cardholder
Only user friendly authentication
methods allowed
Key Performance Indicators must be
met

PSD2 and SCA (from 14 September 2019)
Overview of the SCA exemptions for card Remote Payments
scope
% of txs
with SCA Out of scopeIn scope of the RTS for SCA
Anonymous prepaid cards
Mail Order / Telephone
Order (MOTO)
Inter / ‘one leg’ transactions
Merchant Initiated Payment (a)
Secure corporate payments (art 17)
White lists of trusted beneficiaries (art 13)
Recurring transactions (art 14)
- same amount, same payee
Low-value transactions (art 16)
<30 EUR - with counter limitation
All“PSPs”
Transaction Risk Analysis (art 18)
up to 30€ with no counter limitation
up to 100€ if fraud <13 bps
up to 250€ if fraud <6bps
up to 500€ if fraud <1bps
Lowfraud
“PSPs”
10(a) Subject to confirmation by EBA

28% of issuers indicated that no-EMV 3DS authorizations will be declined, if subject to PSD2 SCA
11
16%
12%
47%
25%
Always decline
Decline if subject to PSD2 RTS
Decline if subject to PSD2 and no
exemption applied
PSD2 will not change current
processing
Source: Survey on 27 August 2018 with 110 European issuers
Market survey: What will an issuer do with a non authenticated transaction?

Whitelisting
Exemption regardless of Amount

‘One click payments’ on a specific merchant website, meaning when making a next purchase the order is automatically charged
to the payment method and shipped to the address associated with your ‘one click payments’.
Option A: after the completion of the transaction Option B: on the authentication page
Whitelisting - During checkout

When opening his banking app the customer can be offered the option to make ‘one click payments’ on one or more merchant
websites, meaning when making a next purchase the order is automatically charged to the payment method and shipped to
the address associated with your ‘one click payments’. It may also be able to control the payment interactions with each of the
websites (such as setting spending limits or receiving spending alerts).
Whitelisting – Outside of checkout

Plan for 2019
Convenient Compliance with PSD2

Transition period before September 2019
16
Identity Check
JAN’19
Issuers support
Identity Check Brand & Program
APRIL 2019
SEPTEMBER 2019
Dec 2019
EMV 3-D Secure 2.0
Biometrics and EMV registrations
Acquirer have to ensure that Identity Check
und EMV-3DS is used by merchants
Issuer und Acquirer must support EMV-3DS
Transition phase with rising 3DS volume
better RBA
3-D Secure 2.0 mandatory
already established
at many banks Reaching customer base of conveniently
transacting SCA
Whitelisting
Pilots in Feb 2019
Authentication Delegation with
Auth Express
Q1 Contract Potential Start of Pilots

18
• Implement EMV 3DS server (plug-in) – execute on Specs 2.2. as soon as possible
• Add Identity Check brand to site / check terms & conditions
• Discuss with your Acquirer and Payment Service Providers potential exemptions they plan
to leverage
• Assess the importance of each exemption for you
– Whitelisting
– Low Value
– Transaction Risk Analysis
• Support new data elements in authorization message (DS Transaction ID, Protocol version,
acquirer exemption), retry with 3DS when “no-3DS” authorization is declined
• Gather information for best flagging of authentications to avoid step-up (deliver as much
data as possible from merchant to issuer)
Recommended Actions

The end of passwords: Two-factor-authentication and biometrics are coming 2019

More Related Content

What's hot (19)

Similar to The end of passwords: Two-factor-authentication and biometrics are coming 2019 (20)

More from JanSobczak5 (15)

Recently uploaded (20)

The end of passwords: Two-factor-authentication and biometrics are coming 2019

Editor's Notes