iSignthis Ltd “every card, any IP device, anywhere”
www.isignthis.com
EurIng John Karantzis B.E. LL.M
Contact : [email protected]
Re-using Existing Global Financial Networks
to authenticate Card Not Present (CNP) Payments
Australian Patents AU 201000533 A4 & AU 2011235612
US Patent Application 13/576,477
International Patent Application No : PCT/AU2011/000377
International Patent Applications Pending / Granted in Europe, Africa, Asia, Oceania, North and South America
What is Authentication
Regulation (Global, SEPA : PSD + ECB) : Authentication
Possible Solutions
Open Acceptance Models v Card Scheme Specific
Re-using existing network to authenticate payments
Other Applications
Terminology :
“In-Band” - the sending of control information within the core message, i.e. a message within a message.
“Out of Band” (OOB) – the use of an independent means to transfer control information, e.g. SMS is independent of email.
“PAN” - the primary or personal account number, usually 16 digits for a credit card.
Overview
About iSignthis Ltd
iSignthis Ltd is a Melbourne, Australia, headquartered company. We provide authentication solutions in response to ongoing market & regulatory requirements.
We manage CNP/online risk by authenticating transactions.
We provide EU27/SEPA ECB/PSD mandatory compliance solutions for payment service providers/acquirers/eWallets (PSP’s).
Patents in process/granted in Europe, Americas, Asia, Africa & Oceania.
Introduction
iSignthis Ltd : Identity Authentication
Authentication is a means of verifying a person's identity.
Financial authentication relies upon verified KYC credentials from trusted sources (e.g. the Issuer).
Risk Based Assessment (RBA) is NOT authentication. RBA includes AI/predictive/rules based/neural net/adaptive/fuzzy logic systems, etc.
What is Authentication?
Background
Plugging the RBA Gaps via Authentication
~Low Risk Transactions, 85% processed & passed through
In markets where authentication is not mandated, use authentication for revenue assurance and to minimise revenue leakage, in conjunction with RBA. This also solves the foregone revenue challenge. In the SEPA, what will PSP’s risk appetite be? What % of transactions will be authenticated?
Background
The Euro Central Bank (ECB) mandated on 31/1/13 that strong authentication (two factor) is required for all online transactions from Feb 2015, for the SEPA zone.
PSD Articles 58 – 63 impose strict liability and responsibility on acquiring PSP’s and eWallets for fraud, unless strong authentication is in use.
Liability shifts from the PSP* to the issuer upon use of strong authentication.
The PSP is most often not the issuer or acquirer for any given transaction (even if it is itself an issuer/acquirer associated with the card scheme(s)/association(s)).
European PSP’s : The Mandatory Compliance Issue
Compliance
EU27/SEPA Payment Services Directive (PSD) & ECB 31st Jan 2013 Regulations:
The 2015 Challenge
All acquiring PSP’s / eWallets to authenticate transactions using the issuer’s cardholder credentials.
How are PSP’s to do this if there is no relationship between PSP/acquirer/eWallet and the issuer?
What incentive/penalty does issuer have to comply?
How to use existing networks to provide the causal link without new dedicated networks and complex technical interfaces to issuer?
How to reduce PSP risk whilst promoting multi card scheme acceptance?
Solution Overview (quadrant chart)
Vertical axis : Uses Issuer Cardholder KYC Credentials for Authentication (Euro Central Bank Compliant) versus Use Data Profiling for Risk Based Assessment (Not Euro Central Bank Compliant)
Horizontal axis : High Rollout Cost / Complexity versus Low Rollout Cost / Complexity
Quadrants : Risk Based Assessment (RBA) Quadrant; Acquirer Authentication Quadrant (On the fly Enrolment / 100% reach of cards); Issuer Authentication Quadrant; Issuer or Continuous Notification (Black List) Quadrant
Value Proposition
Issuers develop a networked, dedicated, independent database of cardholder KYC credentials per PAN and confirm during registration. >>>> 3D Secure (issuing side authentication).
Acquirers/eWallets re-use existing Issuer online/phone banking and Issuer KYC credentials to register the PAN/authenticate. >>>> iSignthis (acquiring side authentication).
Build or re-use? The Solutions to ECB Requirements
Solutions
Open up Acceptance with Universal Authentication
In-Band OTP Generation
(Patented)
Say the agreed transaction sum is €100 > ‘A’
iSignthis 1st Split : €70.70 (random) > ‘B’
2nd Split : €29.30 (balancing) > ‘C’
A = B + C (always), and
(B/A)% + (C/A)% = (A/A) = 100% (works for forex)
B and C are processed as two normal charges via existing financial networks in real time.
B and C are unique to any Trx, forming OTP’s. Only the cardholder can pass issuer security to retrieve
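The split-and-verify step described above, as an added illustration that is not iSignthis code and assumes nothing about their implementation: the split is drawn from a CSPRNG (it is the OTP), the read-back comparison is order-insensitive and constant-time, and a share-based comparison covers the case where the issuer shows the charges converted into another currency (an assumption about how the "works for forex" note is applied).

```python
import hmac
import secrets
from fractions import Fraction

MIN_CHARGE_CENTS = 1  # assumption: each split must be a visible, non-zero statement line


def split_amount(total_cents: int) -> tuple[int, int]:
    """Split the agreed sum A into a random first charge B and a balancing
    charge C with A = B + C. Both are non-zero so two separate lines reach
    the cardholder's statement. Integer cents avoid floating-point rounding."""
    if total_cents < 2 * MIN_CHARGE_CENTS:
        raise ValueError("amount too small to split into two charges")
    # secrets (CSPRNG), not random: the split values are the one-time password
    b = MIN_CHARGE_CENTS + secrets.randbelow(total_cents - 2 * MIN_CHARGE_CENTS + 1)
    return b, total_cents - b


def verify_split(expected: tuple[int, int], entered: tuple[int, int]) -> bool:
    """Check the two values the cardholder read back from the statement.
    Order-insensitive (a statement may list the charges either way) and
    compared in constant time so a wrong guess leaks nothing via timing."""
    exp = "{}:{}".format(*sorted(expected)).encode()
    got = "{}:{}".format(*sorted(entered)).encode()
    return hmac.compare_digest(exp, got)


def verify_converted(expected: tuple[int, int], statement: tuple[int, int],
                     tolerance: Fraction = Fraction(1, 2000)) -> bool:
    """Cross-currency case (assumption): the issuer shows both charges
    converted at its own rate, so the cents differ, but B/A and C/A are
    preserved because both charges are scaled by the same rate. Compare the
    share of the smaller charge, allowing only for per-line rounding to
    cents; keep the tolerance tight, a loose one shrinks the OTP space."""
    eb, ec = sorted(expected)
    sb, sc = sorted(statement)
    if sb <= 0 or sc <= 0:
        return False
    return abs(Fraction(eb, eb + ec) - Fraction(sb, sb + sc)) <= tolerance
```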
Generate In-Band OTP
Re-Using Existing Networks
3/22/2013 iSignthis Ltd : Identity Authentication
> Could classify transactions with Risk Based Assessment
> Low frequency requirement.
> Initial enrolment, and validate every 6 months, OR if risk profile changes
OOB Retrieval of OTP
iSignthis Card Enrolment/Primary Authentication/Mobile Link
Infrequent. Low friction. Post sale. Enrolment of the card PAN without intrusive signup or PII being requested.
OOB Response
Secondary Authentication Process (post PAN enrolment + Mobile linked)
Independent Secondary OOB
Feb 2015: PSD Compliance
iSignthis:
> Card scheme agnostic/independent
> IP Device Agnostic (any internet device)
> Single Integration for all schemes
> Global Reach
> No issuer involvement
3DSecure:
> Card Scheme centric/dependent
> Often separate card scheme by card scheme integration.
> Limited reach based on pre-enrolment
> Major involvement by issuer
Comparison
eWallet operators want the broadest sources of funding
• Authenticate incoming funds to create a trusted micropayment source
• Promote eWallet top up, similar to real wallet use
• Encourages frictionless outbound micropayments
• Larger or riskier outgoing transactions can still be authenticated case by case using OTP via SMS.
Application
Once strong authentication (with verified KYC) is available, there are new opportunities/possibilities for:
e-contract signing
e-mandates
e-conveyancing
i-identity with tokenisation
Other Applications
Links:
www.isignthis.com & www.merchantprotect.com.au
ECB 31/1/13 Regulations : http://www.ecb.eu/press/pr/date/2013/html/pr130131_1.en.html
(Note : These are recommendations that must be implemented by the EU27 as minimum requirements: “The detailed recommendations will be integrated into existing oversight frameworks for payment schemes and supervisory frameworks for PSPs and are to be considered as common minimum requirements for internet payment services. The members of the Forum are committed to supporting the implementation of the recommendations in their respective jurisdictions and will strive to ensure effective and consistent implementation within the EEA.”)
Financial Services Authority (UK) & the PSD : http://www.fsa.gov.uk/doing/regulated/banking/psd and http://www.fsa.gov.uk/static/pubs/other/psd_approach_oct12.pdf
The information in this presentation is not legal advice and represents the views of the presenter. PSP’s should seek legal advice in order to determine their compliance requirements.
Thank you
Appendices
Inserting In-Band OTP’s into Existing Networks
Compliance & InfoSec
Security
iSignthis Process : Combining Proven Best Practice & Customer Experience with Patented Innovation
Web
• iSignthis enhances & simplifies proven customer experience interfaces by eliminating intrusive PII requests and advance signup requirements.
Issuer
iSignthis uses the Issuer’s
• Cardholder KYC, and
• Banking portal security, and
• Existing banking portals to identify customers.
Card Schemes / Associations
• iSignthis uses “as is” legacy transaction networks
• Existing payment networks
• We don’t require a dedicated authentication network (eg 3DSecure).
Mobile
• iSignthis adopts streamlined practice to cell/mobile by using SMS to deliver the OTP, post enrolment.
• We enhance security by adding a PIN
• We mitigate the high abandonment rate by an improved customer experience
For PSP’s
• iSignthis vastly simplifies integration
• We encompass all cards/schemes with single point integration
• ECB 31/1/13 Reg. compliant
Value proposition should include:
For merchants:
• Revenue assurance maximisation
• Revenue leakage minimisation
• Eliminate false positives and false negatives from RBA systems
• Provide open acceptance of many/all card types/schemes
• Eliminate manual reviews and checks
• Provide cross border authentication
For PSP/Acquirer/eWallet:
• Reduce internal fraud team & call center costs
• Minimise chargebacks and administrative costs
• Single global solution with low rollout capital expenditure: an independent “all card scheme” authentication system
• Compliance with EU27 Euro Central Bank regulations
The Rest of the World
Market
Feature | 3DSecure (3 Domains) | iSignthis (1 Domain)
Acquirer pre-enrolment / technical links required | Yes, complex | No
Issuer pre-enrolment / technical links required | Yes | No
Pre Sale Keystrokes | Yes, including leaving merchant’s website | No
Sales Abandonment Rate (Impact on sale) | High (Pre Sale steps) | Very Low (Post Sale step)
HTML5/.app | No, not available | Yes, implemented.
Card Coverage/Reach | 15% Visa, 15% MCard, <1% Amex, <1% JCB, 0% Discover/Diners, 0% CB, 0% CUP, or circa 6% overall | 100% of all card associations and cards issued globally.
Liability Shift | Limited to reach/enrolled cards, then applicable law. | EC/EU27 Law, Australian EFT Code of Conduct, India, Singapore, Canada?
Personal Data (PII) Disclosure | High, with complex signup | None
Interface | Separate iFrame per participating bank | Customer’s familiar, trusted online banking interface
Integration | Very complex: multiple parties, issuers, card associations, acquirers, service providers | Single interface at merchant Payment Gateway/PSP for all card types.
Risk Based Assessment | Yes | Yes
Comparison 3DSecure / iSignthis
Benchmarking
Our card enrolment process is similar to that experienced by over 90 million PayPal customers when registering accounts.
It has some key differences and advantages, however.
Card Enrolment:
Familiar Customer Experience
Why iSignthis?
iSignthis is:
• An improved customer experience (no intrusive signup / PII requested)
• Faster (iSignthis charges are handled in real time, versus PayPal which takes 3-5 days)
• Transaction specific, so it can be the primary transaction authentication. Not limited to verifying just the card, per the PayPal process.
• Cross currency capable (without needing exchange rate details)
• Also patented and protected*
iSignthis
Step 1 : Confirm your identity by accessing your credit card statement using phone or online banking, and locating the two charges from the participating merchant. Note : You can access your bank at any time within the next 10 days. A slight delay may be experienced, as some banks process charges overnight to online accounts. Instant access to charges is available by phoning your bank.
Step 2 : Enter the two values you located above, together with your mobile # and a 6 digit PIN.
Step 3 : Simultaneously authenticate your order & optionally register your mobile upon accepting the iSignthis terms and conditions.
Safekey (from AMEX Help page)
Step 1 : Accept the SafeKey Terms and Conditions.
Step 2 : Enter your 15-digit Card number.
Step 3 : Confirm your identity by entering some security information, which you have given us previously on your Card account.
Step 4 : Create your SafeKey password and personal message.
Verified by Visa / (SecureCode) (from ANZ Help page)
Step 1 : To enrol, go shopping online at a participating Verified by Visa merchant. When you are ready to buy, enter your Visa card details in the payment page.
Step 2 : You will automatically be prompted for Verified by Visa enrolment. Enter the following details: Name shown on your ANZ Visa card; Signature panel code - the last three digits on the signature panel on the back of your card; Card expiry date; Your date of birth. Click the 'Enrol Now' button. Note: none of this information will be disclosed to the merchant.
Step 3 : You will now be asked to create a personal message and Verified by Visa password. Make sure you remember your password; you will be prompted for it each time you shop online at a Verified by Visa store. Click the Submit button.
Step 4 : A confirmation page will be displayed. Your ANZ Visa card is now enrolled for Verified by Visa.
Card Enrolment Comparison : iSignthis is simpler, without PII disclosure
3DSecure involves Intrusive PII demands, contributing to abandonment
iSignthis uses issuer’s security and KYC, No PII requested.