Beyond 3D Secure
Mike Hendry, Payment Systems Consultant
PSE Consulting Merchant Acquiring Conference, November 2011
Card payments
Where we are
Where might we want to go?
Implications for acquirers
Where we are
3D Secure works
• Both technically and in reducing fraud
• A major benefit to several online businesses, e.g. travel
But users hate it
• Many powerful merchants won’t use it
• Customers are often confused or misled by its messages
• It slows the transaction flow, so many customers drop out
• 99% of customers are genuine
• Several issuers now interpose risk management to approve low-risk transactions without a challenge
CNP now by far the largest component of fraud in many markets, e.g. UK:
[Pie charts: breakdown of UK card fraud losses by type in 1995, 2005 and 2010, categories card-not-present, counterfeit, lost/stolen, mail non-receipt and card ID theft. Values as extracted, in that category order: 1995: 6%, 9%, 72%, 11%, 2%; 2005: 42%, 22%, 20%, 9%, 7%; the 2010 values were not recovered. Source: UK Cards Association]
… but is often dwarfed by unnecessary declines
Merchant type         Fraud losses (% of   Fraud       False positives   Abandoned
                      e-comm turnover)     attempts    (lost business)   trolleys
Low-cost airline      0.3%                 4%          20%               not given
Full-cost airline     0.9%                 5%          25%               not given
Electronics retailer  0.75%                3%          20%               50%
Source: Retail Decisions, electronics retailer
Principles and practice
It is important to distinguish between the 3D principle:
• Issuer takes responsibility for authenticating the cardholder, acquirer for the merchant, scheme for interoperability
... and its implementations:
• VbV, SecureCode
• Issuer authentication & signup methods
• Merchant Plug-Ins and frames (messages etc)
• These could all be improved
Where might we want to go?
How could this be improved?
• Improve 3D implementations
• Alternative (non-3DS) password-based methods
• Increased reliance on wallets
• OnLine Immediate Payment systems
• Out of band authentication
• Biometrics
• National PKIs
• (Universal) federated PKI
• Other tokens
Improve existing 3D implementations
Issuers
• More intelligent risk management
• Easier /no signup
• Token-based
Merchants / acquirers
• Better, more consistent presentation of ACS frame
• Better wording of messages
• ? Acquirer hosting of payments page
• Avoid conflicts with merchant risk management
Schemes / ACS operators
• Faster throughput / lower latency
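The point made earlier that issuers now "interpose risk management to approve low-risk transactions", and the "more intelligent risk management" item above, describe the same mechanism: the issuer's ACS scores the authentication request before deciding whether to show a challenge at all, so the 99% of genuine customers mostly never see the password frame. The Go program below is an added illustration of that decision logic; it is not code from the presentation or from any scheme or ACS vendor. The transaction fields, the rule weights, the 40/90 thresholds and the ten-minute velocity window are this example's own assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Txn is what the issuer's ACS can see when an authentication request
// arrives; the field set is an assumption made for this example.
type Txn struct {
	CardToken    string    // stable per-card identifier, not the PAN itself
	Amount       float64   // in the card's currency
	MerchantCtry string    // merchant's country
	HolderCtry   string    // cardholder's country of residence
	DeviceKnown  bool      // browser/device fingerprint seen before on this card
	MerchantSeen bool      // this card has paid this merchant before
	At           time.Time // time of the authentication request
}

type Outcome string

const (
	Frictionless Outcome = "frictionless" // authenticate without showing a challenge
	Challenge    Outcome = "challenge"    // show the ACS password / one-time-code frame
	Decline      Outcome = "decline"      // refuse authentication outright
)

// Velocity remembers recent attempts per card so that a burst of attempts
// (typical of a stolen card being tested) raises the score.
type Velocity struct{ attempts map[string][]time.Time }

func NewVelocity() *Velocity { return &Velocity{attempts: map[string][]time.Time{}} }

// record stores t and returns the number of attempts by this card inside the
// trailing window, counting the current one.
func (v *Velocity) record(card string, t time.Time, window time.Duration) int {
	var kept []time.Time
	for _, prev := range v.attempts[card] {
		if t.Sub(prev) <= window {
			kept = append(kept, prev)
		}
	}
	kept = append(kept, t)
	v.attempts[card] = kept
	return len(kept)
}

// Score adds illustrative rule weights; the weights and thresholds are
// assumptions for this example, not figures from the presentation.
func Score(v *Velocity, t Txn) int {
	score := 0
	switch {
	case t.Amount > 500:
		score += 30
	case t.Amount > 150:
		score += 10
	}
	if t.MerchantCtry != t.HolderCtry {
		score += 20 // cross-border orders are weighted higher
	}
	if !t.DeviceKnown {
		score += 20
	}
	if !t.MerchantSeen {
		score += 10
	}
	if v.record(t.CardToken, t.At, 10*time.Minute) >= 3 {
		score += 25 // third or later attempt within ten minutes
	}
	return score
}

// Decide maps a score to an outcome. Only the middle band pays the usability
// cost of a challenge; the bottom band is where most genuine traffic lands.
func Decide(score int) Outcome {
	switch {
	case score >= 90:
		return Decline
	case score >= 40:
		return Challenge
	}
	return Frictionless
}

func main() {
	v := NewVelocity()
	now := time.Now()
	// Constructed sample: a repeat customer on a known device at a domestic merchant.
	known := Txn{CardToken: "card-A", Amount: 45, MerchantCtry: "GB", HolderCtry: "GB",
		DeviceKnown: true, MerchantSeen: true, At: now}
	fmt.Println("repeat customer:", Decide(Score(v, known))) // frictionless
	// Constructed sample: a card being tested from an unknown device at a foreign merchant.
	for i := 0; i < 4; i++ {
		probe := Txn{CardToken: "card-B", Amount: 900, MerchantCtry: "US", HolderCtry: "GB",
			At: now.Add(time.Duration(i) * time.Minute)}
		fmt.Printf("probe attempt %d: %s\n", i+1, Decide(Score(v, probe))) // challenge, challenge, decline, decline
	}
}
```

The repeat customer scores zero and is never challenged; the probing card is challenged on its first two attempts and declined from the third, because the velocity rule pushes it over the decline threshold. The issuer's real lever is the two thresholds: moving the challenge threshold up trades fewer abandoned baskets for more fraud let through, which is the balance the table of fraud losses against false positives is about.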
Alternative (non-3DS) password-based methods
TANs, iTAN, eTAN, mTAN etc.
• Increasing levels of defence against phishing and man-in-the-middle attacks
• eTAN/mTAN can be strengthened with an initial password entry, a CAPTCHA image etc.
• An e-banking method; adapting it to card payments relies on the 3D principle (the issuer authenticates its own cardholder)
Virtual keypads
• Merge the authentication and authorisation processes
• More efficient, but only works with numeric PINs
Increased reliance on wallets
“Cardholder-friendly” option
Cardholders choose their own wallet
Allows mix of prepaid, direct debit & card payment
Wallet provider takes risk based on more detailed data about user & transaction history (?)
Extra player in value chain
Is risk management really “better”?
Potentially greater risk to identity and privacy
OnLine Immediate Payment systems
e.g. iDEAL, SecureVault Payments, giropay …
• iDEAL is the most successful: 55% of Dutch customers’ payments
Work best for domestic payments
• Since the merchant needs a dedicated logo and payments page
• Domestic ACH rules apply
“Push” payments have lower chargeback rates
• But there can be problems with recurring payments, refunds etc.
New commercial structure
• Depends on national ACH rules, not card scheme rules
• The merchant’s bank is passive
No authentication of the merchant to the cardholder
Out of band authentication
Send the authentication code by SMS or voice (or vice versa)
Use a mobile app to enter the transaction data and obtain an authentication code (or pre-approval??)
Adds an authentication “factor” (something you have)
• Only defends against a man-in-the-middle if the second channel also shows the transaction details (payee, amount) for the customer to check before entering the code
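The TAN slide ranks the TAN variants by how well they resist phishing and man-in-the-middle attacks, and the out-of-band slide describes delivering the code over a second channel. The Go program below is an added illustration of why the transaction-bound, out-of-band variant (mTAN) defeats a man-in-the-middle that a plain TAN list does not: the bank binds the code to the payee and amount it actually received, sends those details to the phone, and the customer only types the code if they match. It is not code from the presentation or from any bank; the Payment fields, the HMAC-based code derivation, the demo key, the printed-list contents and the "MULE-ACCOUNT" beneficiary are all constructed for the example. For card payments the same binding would be done by the issuer's ACS over the merchant and amount, which is the 3D principle the slide refers to.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Payment is the order as the customer intends it and as the bank finally
// receives it; the fields are an assumption made for this example.
type Payment struct {
	Beneficiary string
	Amount      string // decimal string such as "250.00"
}

// Constructed samples: what the customer means to pay, and a bank-side key
// (a real bank would keep this in an HSM and derive per-customer keys).
var intended = Payment{Beneficiary: "ACME-LTD", Amount: "250.00"}
var bankKey = []byte("constructed-demo-key")

// mitm models malware in the browser session that rewrites the beneficiary
// after the customer has filled in the form; the amount is left alone.
func mitm(p Payment) Payment { return Payment{Beneficiary: "MULE-ACCOUNT", Amount: p.Amount} }

// tanList is the classic printed list (iTAN): code number N is valid for "the
// next transaction", whatever that turns out to be.
var tanList = map[int]string{7: "482913"}

// ExecuteWithListTAN is the bank-side check for a list TAN; the payment details play no part.
func ExecuteWithListTAN(_ Payment, index int, code string) bool { return tanList[index] == code }

// AttackTANList returns true if the bank executes the attacker's payment: the
// customer reads TAN #7 for the intended payment, the MITM forwards it with a rewritten beneficiary.
func AttackTANList() bool {
	code := tanList[7] // customer reads the next TAN off the printed list
	return ExecuteWithListTAN(mitm(intended), 7, code)
}

// tan derives a 6-digit code from the payment the bank actually holds plus a
// fresh nonce, so a code issued for one payment cannot validate another.
func tan(p Payment, nonce []byte) string {
	mac := hmac.New(sha256.New, bankKey)
	mac.Write(nonce)
	mac.Write([]byte(p.Beneficiary + "|" + p.Amount))
	sum := mac.Sum(nil)
	return fmt.Sprintf("%06d", binary.BigEndian.Uint32(sum[:4])%1000000)
}

// SMS is what the phone shows: the details to check and the code to type in.
type SMS struct {
	Shown Payment
	Code  string
}

// IssueMTAN runs on the bank side when a payment instruction arrives.
func IssueMTAN(received Payment) (SMS, []byte) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return SMS{Shown: received, Code: tan(received, nonce)}, nonce
}

// ExecuteWithMTAN recomputes the code over the payment about to be executed.
func ExecuteWithMTAN(received Payment, nonce []byte, code string) bool {
	return hmac.Equal([]byte(tan(received, nonce)), []byte(code))
}

// customerConfirms models the cardholder reading the SMS and typing the code
// only if the out-of-band details match what they meant to pay.
func customerConfirms(want Payment, m SMS) (string, bool) {
	if m.Shown != want {
		return "", false
	}
	return m.Code, true
}

// RunMTAN returns true if the bank executes received, the payment as it arrived
// at the bank (possibly rewritten), after the customer has checked the SMS.
func RunMTAN(received Payment) bool {
	m, nonce := IssueMTAN(received)
	code, ok := customerConfirms(intended, m)
	return ok && ExecuteWithMTAN(received, nonce, code)
}

// ReplayMTAN returns true if a code the customer typed for the intended payment
// can be spent by the attacker on a rewritten one.
func ReplayMTAN() bool {
	m, nonce := IssueMTAN(intended)
	code, _ := customerConfirms(intended, m)
	return ExecuteWithMTAN(mitm(intended), nonce, code)
}

func main() {
	fmt.Println("list TAN, MITM rewrites beneficiary, executed:", AttackTANList())        // true
	fmt.Println("mTAN, honest payment, executed:               ", RunMTAN(intended))      // true
	fmt.Println("mTAN, MITM rewrites beneficiary, executed:    ", RunMTAN(mitm(intended))) // false
	fmt.Println("mTAN, captured code replayed, executed:       ", ReplayMTAN())           // false
}
```

Two separate properties do the work here. The HMAC binding stops a captured code being reused for different details (ReplayMTAN), and the out-of-band display lets the customer catch a substitution before any code is entered (RunMTAN with the rewritten payment). An SMS that carried only the code, without payee and amount, would keep the first property and lose the second, which is why the extra bullet on the slide above matters.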
Biometrics
The banking industry has always had problems with biometrics:
• FAR/FRR crossover (tuning the trade-off between false acceptance and false rejection rates)
• Proprietary standards
• Which biometric (social acceptability, universality etc.)?
Currently on offer (and suitable for e-commerce):
• Face recognition
• Fingerprint
• Voice
Range of architecture options
• Who is the service provider and who is its client?
Public Key Infrastructures
National, e.g. Brazil, Malaysia, HK, Italy, Norway, Sweden, Estonia, and UK??
• Government effectively warrants the identity of the parties to a transaction (individual or corporate)
• Certificate stored on a card (needs a card reader in the PC)
• India is building a centralised system (with biometrics: needs a fingerprint reader in the PC)
Or a federation of commercial schemes (proposed for a universal scheme)
• An individual or organisation obtains a certificate from a commercial operator (minimum standards for registration)
• Schemes recognise each other’s certificates
• Liability issues: schemes MUST be liable for authentication failures, but what about abuse?
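"Schemes recognise each other's certificates" is normally implemented by cross-certification: scheme B's root signs a certificate for scheme A's root public key, so a relying party that trusts only B can still build a chain from a certificate issued under A. The Go program below, using only the standard library's crypto/x509, is an added illustration of that chain; it is not code from the presentation or from any national or commercial scheme. The scheme names, the "Alice Cardholder" subject, the serial numbers and the one-day validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scheme is one certification scheme: its root key and self-signed root certificate.
type Scheme struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// sign issues a certificate from tmpl for public key pub, signed with parentKey.
func sign(tmpl, parent *x509.Certificate, pub interface{}, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func NewScheme(name string, serial int64) *Scheme {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := caTemplate(name, serial)
	return &Scheme{key: key, Cert: sign(tmpl, tmpl, &key.PublicKey, key)}
}

// IssueUser registers an individual with the scheme and issues their certificate.
func (s *Scheme) IssueUser(cn string, serial int64) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return sign(tmpl, s.Cert, &key.PublicKey, s.key)
}

// CrossCertify has this scheme sign the other scheme's root public key under the
// other scheme's name, so parties trusting only this root can reach the other's users.
func (s *Scheme) CrossCertify(other *Scheme, serial int64) *x509.Certificate {
	return sign(caTemplate(other.Cert.Subject.CommonName, serial), s.Cert, other.Cert.PublicKey, s.key)
}

// Accepts reports whether a relying party that trusts only root, and is handed
// intermediates with the user certificate, validates that certificate.
func Accepts(user, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := user.Verify(opts)
	return err == nil
}

// FederationDemo issues one user certificate under scheme A and reports whether it is
// accepted by a party trusting A, by one trusting only B, and by one trusting only B with B's cross-certificate for A.
func FederationDemo() (ownRoot, otherRootAlone, otherRootWithCross bool) {
	a := NewScheme("Scheme A Root CA", 1)
	b := NewScheme("Scheme B Root CA", 2)
	alice := a.IssueUser("Alice Cardholder", 100) // constructed subject
	bForA := b.CrossCertify(a, 200)
	return Accepts(alice, a.Cert), Accepts(alice, b.Cert), Accepts(alice, b.Cert, bForA)
}

func main() {
	fmt.Println(FederationDemo()) // true false true
}
```

The cross-certificate carries A's root key and A's name but B's signature, so the chain Alice, cross-certificate, B root verifies with nothing but B in the trust store. The liability point on the slide follows directly: once B has cross-certified A, every relying party that trusts B is also trusting A's registration standards, which is why the minimum registration standards and the allocation of liability have to be settled before the signatures are exchanged.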
Other tokens
Card readers
• Free-standing
• PC-linked (FINread)
Mobile phone with secure signing capability
• Use offline or out-of-band
• Authentication tool across all channels; can be tailored to user needs
• Can also link to retailer apps
• Good fit with banks’ mobile strategies
Implications for acquirers
E-banking and other “push” structures are a threat to the acquiring business model
• Difficult to counter this threat directly
• Adapt / add roles to the business model?
The others are nearly all variants on the 3D principle
• The 3D principle is here to stay
• But improvements are needed:
  • Performance
  • Process and user-friendliness
  • Cost-effectiveness
• Acquirers need to accommodate several options
Some examples …
• Acquirer hosting of web payment pages (reduces number of process steps)
• Act as intermediary to wallet rather than wallet acting as intermediary to scheme / acquirer (updated version of “walled garden” approach)
• Consider joining federated PKI schemes
• Work with retailers on integrating payment and authentication into their mobile apps
• Ensure that technology can support transactions coming from many channels, in many formats
• Supplementary data, e.g. authentication data, may come through a different channel from payment transaction
• Should acquirer be in the loop or not?
Thank you for your attention
Mike Hendry
www.mikehendry.co.uk
[Appendix slide: Complex message structure (diagram not reproduced)]