Other parts of this series:
In the previous blog in this series, we looked at different operating models used in fighting the problem of Card Not Present (CNP) fraud. No matter what operating model is used, however, organizations face difficult challenges in the area of authentication, which can be problematic in the CNP environment due to the scale of card data compromised.
Using the traditional credential-based approach can erode the customer experience — for example where additional passwords are required — and once credentials or protocols are compromised, there is no resilience or additional line of defence. In addition, merchants have a high proportion of transactions with unknown or transient customers.
Historically, issuers received only a limited data set from merchants, and therefore the most common method of authentication is based on card number, valid/expiry date, name, address, email, phone number and security number (the 3-digit code printed on the card). Market leaders are moving to a blended approach, combining authentication with contextual behavioral data to identify fraud. RSA
Security LLC has cited dynamic and frictionless solutions that can automatically identify individuals based on contextual clues and behavioral access patterns as a top authentication trend.1
The recent release of the risk-based versions of the EMV® 3D Secure 2.0 (3DS 2.0) from EMVCo, LLC, supports this blended approach with enhanced data transfer between merchants and issuers. Additional transaction attributes (such as the device type, shipping address, or the mobile number) allow merchants and issuers to authenticate customers more accurately in real time. Issuers also gain the option to initiate “step-up” authentication in real time. The step-up authentication can be in the form of one-time use passwords, biometrics or knowledge-based. Roll out of the 3DS 2.0 protocol for online payment authentication commenced in 2017 and issuers are beginning to refine how they use the enhanced data, with solutions ranging from rules such as comparison to known fraudsters (resulting in blacklists of devices and/or addresses) to more sophisticated algorithms which incorporate merchant risks and near-real time fraud outcomes (often using machine learning). The use of sophisticated “step-up” authentication such as biometrics is not broadly deployed yet, but the payments market is moving in this direction and expectations are that biometrics will become the standard in time.
Many merchants rely on the issuer for payment authentication and consortium vendor solutions for fraud detection and chargebacks. When the customer is known to the merchant they tend to rely on credentials (typically a customer-defined password) and some offer instant check-out. We see leading merchants adopting the blended approach, using browsing history, behavior or device information as part of the authentication. This approach can create a differentiating seamless customer experience especially when informed by a good understanding of abandonment rates.
Text-to-speech technologies are improving at a rapid pace and consumers are increasingly embracing the convenience of voice search. According to a 2016 smartphone user study, nearly 50% of surveyed consumers stated they were using voice assistants more frequently than they did just 12 months ago.2 That same year, 6.5 million voice-first devices were shipped, up from 1.7 units in 2015, and exploding to 24.5 million shipments in 2017, for a total of 33 million devices in circulation.3 In the UK, a study suggests that by 2018, 40% of households will own a smart speaker, an increase of 9% over the previous year.4
This migration to voice search-and-shop creates the opportunity to add an additional authentication data-set which is seamless to the customer. Many issuers have already migrated to voice biometrics within their service centers using it to authenticate customers and to identify fraudsters using their voice biometrics.
In the next blog in this series, we will look at how new technologies are changing the way merchants and card issuers detect fraud.
1. “Top 5 Authentication Trends in 2017,” RSA Security LLC, September 19, 2017. Access at: https://www.rsa.com/en-us/blog/2017-09/top-5-authentication-trends-in-2017
2. “Adoption of Intelligent Voice Assistants Hits Tipping Point – MindMeld Releases Q1 2016 Survey Results Citing Record-Breaking Adoption and Usage,” Cision PR Newswire, March 2, 2016. Access at: https://www.prnewswire.com/news-releases/adoption-of-intelligent-voice-assistants-hits-tipping-point-300229279.html
3. “The 2017 Voice Report – Executive Summary,” Voice Labs Inc., 2017. Access at: https://s3-us-west-1.amazonaws.com/voicelabs/report/vl-voice-report-exec-summary_final.pdf
4. “9 Percent of UK Households Own Amazon Echo Today, 40 percent in 2018,” Voicebot.ai, June 5, 2017. Access at: https://voicebot.ai/2017/06/05/9-percent-uk-households-amazon-echo-today-40-percent-2018/