EMV 3-D Secure 2.0 Beyond Payments
June 6, 2017 - Non-Payment use cases in EMV 3D Secure 2.0.
As online shopping continues to expand in traditional browser-based web shops and into new mobile and app-based platforms, card not present (CNP) fraud grows in both scale and expense to payments industry stakeholders. In response to both innovation and increasing fraud, EMVCo has released the specification for the latest industry-wide authentication protocol, EMV 3-D Secure 2.0 (3DS). Regular visitors to the UL-TS blog will note that this is not our first mention of EMV 3-D Secure 2.0, and newcomers are invited to visit our overview of the changes and advantages the new release offers.
The case for 3-D Secure is quite obvious for the payments ecosystem. The authentication components fit nicely within their respective acquiring, issuing, or interoperability domains and are comfortably analogous to their authorization counterparts.
However, the new specification also has provisions for what it calls Non-Payment Authentication, or NPA, messages, where no payment takes place. This category of 3DS messaging can be used to verify identity within and outside the payment ecosystem. In this post, we will examine its application in securing and improving the user experience for mobile wallet provisioning and providing secure authentication to non-payment related platforms.
Firstly, mobile wallet provisioning has been widely identified as a source of potential frustration for customers if too complicated and an opportunity for fraudsters if too simple. When a customer wants to add a payment card to his or her mobile wallet (Apple Pay, Samsung Pay, Android Pay, etc.), he or she must go through an onboarding process, which tends to vary between issuers, some not requiring any additional authentication and others mandating a round of questioning over the phone, with many still in between. The majority of these options can be supplemented or enhanced with EMV 3DS 2.0, which supports various one-time-password (OTP) methods, knowledge-based authentication (KBA) similar to the issuer currently in use over the phone, and new hardware-based methods like biometrics, all with a focus on balancing security with cardholder convenience. By taking advantage of both strong authentication to confirm cardholder identity and the user experience improvements of EMV 3DS 2.0, issuers can remedy the security and onboarding friction woes in the mobile wallet provisioning and activation process.
Also, many other online services outside payments rely on trusted parties for user authentication. Through the use of an access channel provided by a trusted party, agencies such as government offices and insurers can protect the information they secure as well as the privacy of the customers accessing the website. This is known as federated authentication. In this context, 3DS provides a way to securely authenticate a user via the trusted party in order for the customer to gain access to the web-based service. In some regions this type of functionality is already available for government agencies through direct agreements with national banks. If a user wants to access specific government information, the bank, as a trusted party, authenticates the user using the 3DS ecosystem to allow the user to enter the site. This system allows secure management of user access and user privacy while providing the smooth user experience of EMV 3DS 2.0. Additionally, the system may operate across borders by leveraging the international character of the involved payment schemes.
In closing, EMV 3DS 2.0 is quite useful beyond authenticating cardholders during checkout. Through its non-payment authentication provisions, EMV 3DS 2.0 enables mobile wallet providers and issuers to take advantage of innovative authentication methods to streamline a secure provisioning and activation process for cardholders. 3DS can also be used to facilitate securely authenticated access via a trusted party to websites containing sensitive information like government agencies and insurers.
Join UL's EMV 3-D Secure 2.0 Masterclass, for a deep-dive into the newly released specifications. Prepare yourself for the changes, the impacts and take advantage of the new features. Click the link for course dates and for further information.