EMV Payment Security – Consumer Authentication

11 Dec


Companies worldwide are starting to conduct more thorough consumer authentication online due to increased fraud. With the adoption of EMV technology, thorough consumer authentication is even more critical. Europe, for example, saw a sharp increase in online fraud following the deployment of EMV. EMV only solves a very small piece of a significant payment problem. To address the card-not-present challenge, organizations look toward consumer authentication processes and technology.

Figure: Fraud Losses - Chip and PIN Deployment

What is Consumer Authentication?

Consumer authentication is a process to establish whether a customer controls a particular card number, thereby reducing the likelihood of fraud. Technology such as ‘3-D Secure’ (3DS), branded as Verified by Visa and MasterCard SecureCode, is an example of consumer authentication technology that companies are employing.

3DS is essentially a single sign-on system operated by Visa and MasterCard. Similarly, the primary strength of EMV is its ability to authenticate the cardholder. In essence, consumer authentication is the online version of EMV. Adoption of 3DS is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions.

Security is More Important Than Reduced Liability

While reduced liability is certainly a significant advantage, security should also be a deciding factor. 3DS has been criticized for its lack of academic scrutiny. Avoiding “security through obscurity” is a key security principle: the security of a system shouldn’t depend on its secrecy. Additional public and academic scrutiny is needed for broader support and adoption. Unfortunately, the research that has been conducted is not favorable. For example, the 3DS specification only covers the communication between the merchant, issuer, acquirer and payment scheme. The most significant thing missing there is verifying the actual consumer. The issuer is ultimately responsible for customer verification, since it has the relationship with the consumer. The actual verification system is designed and implemented solely at the issuer’s discretion. Various attack vectors are already being employed to take advantage of vulnerabilities in the issuer’s implementation of consumer authentication.

Psychological acceptability is another key principle to consider. This principle states that the human experience should be as easy with security as it is without security. A perfect example of this principle is HTTPS versus HTTP: from a user acceptance standpoint, it is as easy to use HTTPS as it is to use HTTP, even though an additional layer of complexity is present. This additional security layer is hidden from the average user. The 3DS system does not achieve this principle, as it requires an additional authentication mechanism from the user.

Should I Stay or Should I Go?

Another item to consider is the abandonment rate associated with these types of consumer authentication systems. Any additional controls that could potentially cause a legitimate client to abandon a purchase should be avoided. Some studies show that a logo like the 3-D Secure logo actually advertises that additional steps will need to be taken in order to complete the transaction, thus contributing to the abandonment rate.

Kount to the Rescue

Additional consumer authentication mechanisms can be applied on the “back-end” without any direct user interaction. Technology like Kount offers consumer fingerprinting to determine the likelihood that a consumer is legitimate or malicious. Taking into account IP address geolocation, previous spending habits, and machine and browser fingerprinting, Kount can provide a legitimacy value to a merchant to support its decision on whether or not to continue with a transaction.
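To make the back-end approach concrete, here is an added example (not Kount’s algorithm or code, and not from the original post) of a toy risk-scoring function that combines the three kinds of signal the paragraph names: IP geolocation versus billing country, the amount compared with the customer’s spending history, and whether the device fingerprint has been seen before. The signal weights, the `HISTORY` profile and the `Transaction` fields are all constructed assumptions for illustration; a real system would learn weights from labelled fraud data and tune the review/decline thresholds to its own chargeback costs.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed sample history for one returning customer (assumed data, not real):
# typical order amounts and the device fingerprints seen on previous orders.
HISTORY = {
    "cust-1": {"amounts": [40.0, 55.0, 48.0, 62.0], "devices": {"dev-a"}},
}


@dataclass
class Transaction:
    customer_id: str
    amount: float
    ip_country: str        # country derived from IP geolocation
    billing_country: str   # country on the billing address
    device_id: str         # machine/browser fingerprint identifier
    recent_orders_1h: int  # orders from this customer in the last hour


def risk_score(txn: Transaction, history: dict) -> tuple[int, list[str]]:
    """Return a 0-100 risk value plus the reasons that contributed.

    Hypothetical weights: none of these numbers come from the post or any vendor.
    """
    score = 0
    reasons = []
    if txn.ip_country != txn.billing_country:
        score += 30
        reasons.append("ip geolocation does not match billing country")
    profile = history.get(txn.customer_id)
    if profile is None:
        score += 20
        reasons.append("no spending history for customer")
    else:
        typical = mean(profile["amounts"])
        if txn.amount > 3 * typical:
            score += 25
            reasons.append("amount far above typical spend")
        if txn.device_id not in profile["devices"]:
            score += 15
            reasons.append("device fingerprint not seen before")
    if txn.recent_orders_1h >= 3:
        score += 20
        reasons.append("high order velocity")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Map the score to a merchant action; thresholds are assumed, not prescribed."""
    if score >= 60:
        return "decline"
    if score >= 30:
        return "review"
    return "accept"


if __name__ == "__main__":
    sample = Transaction("cust-1", 400.0, "RU", "US", "dev-z", 4)
    score, why = risk_score(sample, HISTORY)
    print(score, decide(score), why)
```

Because every contributing signal is returned alongside the score, an analyst reviewing a declined order can see which factor drove the decision, and a merchant can tune the weights without changing the decision logic.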

Tokenization is Crucial

Regardless of the consumer authentication model, the security of the credit card information is independent of a merchant’s ability to validate the consumer. For this reason, the value of tokenizing payment data at rest cannot be overstated. A tokenization solution offers companies the ability to purge their entire environment of sensitive information while still supporting existing business processes. Consumer authentication reduces the risk associated with the consumer, while tokenization reduces the risk of holding and using the card information. Both are critical to securing transactions and should be part of a company’s arsenal.
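The following is an added illustration (not TokenEx’s product or code, and not from the original post) of what “tokenizing data at rest while supporting existing business processes” means in practice. A hypothetical `TokenVault` hands the merchant a random token of the same length as the card number, preserving the last four digits so receipts and customer-service lookups keep working, while the real PAN lives only inside the vault. Tokens are random rather than derived from the PAN, so a stolen order database reveals nothing reversible, and they are generated so that they fail the Luhn check and cannot be mistaken for a live card number. The test PAN used is the well-known sample number 4111111111111111; the vault class, function names and the in-memory store are assumptions for this example (a real vault would encrypt its store and sit behind access controls).

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Basic plausibility check on a card number (Luhn mod-10)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization vault: the only place the real PAN is stored."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}  # token -> PAN (would be encrypted at rest)
        self._by_pan: dict[str, str] = {}    # PAN -> token, so repeat cards reuse one token

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        last4 = pan[-4:]
        while True:
            # Random body, last four digits preserved for business use.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + last4
            # Reject collisions and any value that could pass as a real PAN.
            if token != pan and token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access (e.g. the payment gateway) can do this."""
        return self._by_token[token]


def checkout(vault: TokenVault, pan: str, amount: float) -> dict:
    """Merchant side: the order record stores the token, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    order = checkout(vault, "4111111111111111", 42.0)
    print(order)                                  # token ending in 1111, no PAN
    print(vault.detokenize(order["token"]))       # PAN recoverable only via the vault
```

The merchant’s database now holds only tokens, which is what lets it drop PAN storage from its environment while order history, refunds and “card ending in 1111” displays keep working unchanged.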

TokenEx is an industry-leading tokenization solution that allows unlimited flexibility in how you access, store, and secure your sensitive data, while remaining processor agnostic. Stay tuned for the next installment in our EMV series. Follow us on Twitter and LinkedIn.