
Beyond 3D Secure - PSE Consulting

Date post: 22-Apr-2020

PSE Consulting Merchant Acquiring Conference

November 2011

Mike Hendry

Payment Systems Consultant

Beyond 3D Secure


Card payments

Where we are

Where might we want to go?

Implications for acquirers


Where we are

3D Secure works

• Both technically and in reducing fraud

• Major benefit to several online businesses, e.g. travel

But users hate it

• Many powerful merchants won’t use it

• Customers are often confused or misled by messages

• Slows flow of transaction -> many dropouts

• 99% of customers are genuine

• Several issuers now interpose risk management to approve low-risk transactions

© Mike Hendry Page 3


CNP now by far the largest component of fraud in many markets, e.g. UK:

[Pie charts for 1995, 2005 and 2010; only the 1995 and 2005 values survive in this transcript]

1995

• Card-not-present: 6%

• Counterfeit: 9%

• Lost/stolen: 72%

• Mail Non-receipt: 11%

• Card ID Theft: 2%

2005

• Card-not-present: 42%

• Counterfeit: 22%

• Lost/stolen: 20%

• Mail Non-receipt: 9%

• Card ID Theft: 7%

Source: UK Cards Association


… but is often dwarfed by unnecessary declines

Columns: Fraud losses (% of e-comm turnover) | Fraud attempts | False positives (lost business) | Abandoned trolleys

Low-cost airline: 0.3% | 4% | 20%

Full-cost airline: 0.9% | 5% | 25%

Electronics retailer: 0.75% | 3% | 20% | 50%

Source: Retail Decisions, electronics retailer


Principles and practice

Important to distinguish between 3D principle:

• Issuer takes responsibility for authenticating cardholder, acquirer for merchant, scheme for interoperability

… and implementations:

• VbV, SecureCode

• Issuer authentication & signup methods

• Merchant Plug-Ins and frames (messages etc)

• These could all be improved


How could this be improved?

• Improve 3D implementations

• Alternative (non-3DS) password-based methods

• Increased reliance on wallets

• OnLine Immediate Payment systems

• Out of band authentication

• Biometrics

• National PKIs

• (Universal) federated PKI

• Other tokens


Improve existing 3D implementations

Issuers

• More intelligent risk management

• Easier / no signup

• Token-based

Merchants / acquirers

• Better, more consistent presentation of ACS frame

• Better wording of messages

• ? Acquirer hosting of payments page

• Avoid conflicts with merchant risk management

Schemes / ACS operators

• Faster throughput / lower latency


Alternative (non-3DS) password-based methods

TANs, iTAN, eTAN, mTAN etc

• Increasing levels of defence against phishing & man-in-the-middle attacks

• Can strengthen eTAN/mTAN with initial password entry, CAPTCHA image etc

• E-banking method; adaptation to card payments relies on 3D principle

Virtual keypads

• Merge authentication & authorisation processes

• More efficient but only works with numeric PINs


Increased reliance on wallets

“Cardholder-friendly” option

Cardholders choose their own wallet

Allows mix of prepaid, direct debit & card payment

Wallet provider takes risk based on more detailed data about user & transaction history (?)

Extra player in value chain

Is risk management really “better”?

Potentially greater risk to identity and privacy


OnLine Immediate Payment systems

e.g. iDEAL, SecureVault Payments, giropay …

• iDEAL is most successful: 55% of Dutch customers’ payments

Work best for domestic payments

• Since merchant needs dedicated logo and payments page

• Domestic ACH rules apply

“Push” payments have lower chargeback rates

• But can be problems with recurring payments, refunds etc

New commercial structure

• Depends on national ACH rules not card scheme rules

• Merchant’s bank is passive

No authentication of merchant to cardholder


Out of band authentication

Send auth code by SMS or voice (or vice versa)

Use mobile app to enter transaction data, get authentication code (or pre-approval??)

Adds an authentication “factor” (something you have)


Biometrics

Banking industry has always had problems with biometrics:

• FAR/FRR crossover

• Proprietary standards

• Which biometric (social acceptability, universality etc)?

Currently on offer (and suitable for e-commerce):

• Face recognition

• Fingerprint

• Voice

Range of architecture options

• Who is the service provider and who is its client?


Public Key Infrastructures

National, e.g. Brazil, Malaysia, HK, Italy, Norway, Sweden, Estonia – and UK??

• Government effectively warrants the identity of parties to a transaction (individual or corporate)

• Certificate stored on card (needs card reader in PC)

• India building centralised system (with biometrics: needs fingerprint reader in PC)

Or federation of commercial schemes (proposed for universal scheme)

• Individual or organisation obtains a certificate from a commercial operator (minimum standards for registration)

• Schemes recognise each other’s certificates

• Liability issues: schemes MUST be liable for authentication failures – but what about abuse?


Other tokens

Card readers

• Free-standing

• PC-linked (FINread)

Mobile phone with secure signing capability

• Use offline or out-of-band

• Authentication tool across all channels; can be tailored to user needs

• Can also link to retailer apps

• Good fit with banks’ mobile strategies


Implications for acquirers

E-banking and other “push” structures are a threat to acquiring business model

• Difficult to counter this threat directly

• Adapt / add roles to business model ?

Others are nearly all variants on the 3D principle

• 3D principle is here to stay

• But improvements are needed

• Performance

• Process and user-friendliness

• Cost-effectiveness

• Acquirers need to accommodate several options


Some examples …

• Acquirer hosting of web payment pages (reduces number of process steps)

• Act as intermediary to wallet rather than wallet acting as intermediary to scheme / acquirer (updated version of “walled garden” approach)

• Consider joining federated PKI schemes

• Work with retailers on integrating payment and authentication into their mobile apps

• Ensure that technology can support transactions coming from many channels, in many formats

• Supplementary data, e.g. authentication data, may come through a different channel from payment transaction

• Should acquirer be in the loop or not?


Thank you for your attention

Mike Hendry

www.mikehendry.co.uk


Complex message structure
