April 3, 2024
In recent years the global market has shifted towards more convenient, internet-enabled purchasing, and payment service providers have followed by supporting a growing range of payment methods, from online card payments and digital wallets to digital currencies. New payment methods have not made financial fraud go away: it still happens frequently, from every corner of the world, and the gains for opportunists remain large.
When it comes to online payment, providers now take great care in designing and implementing solutions to combat fraud, and customer authentication is one of the most important of them. In this article we discuss payment authentication, its indispensable role and its inconveniences, and what to expect of it during 2024.
Payment authentication is the process of verifying that a payment is legitimate by asking the customer to confirm their identity. Over the years of growth in the payment industry, different authentication methods have been introduced, each aiming to keep the process fast and convenient while ensuring that the transaction is genuine. One of the globally recognized payment authentication protocols for online transactions is 3-D Secure.
Payment authentication and payment authorization are two different steps of the payment process. Authorization determines whether the transaction can go ahead, chiefly whether the payer's account has sufficient funds or credit; authentication concerns the identity of the person making the purchase.
Ever since e-commerce and online payment were introduced, experts have been developing tools and protocols to ensure that transactions are conducted safely even when the payer is not physically present. One of the very first ways to authenticate an online payment was the Card Verification Value (CVV), the short code printed on the card, usually on the back.
When a customer places an order online, they are usually asked for the CVV during payment to confirm that they hold the card, alongside the card number, cardholder name and expiry date. Even though the general authentication process has changed a great deal since then, most platforms still ask buyers to enter their CVV. Because the CVV travels on the same channel as the rest of the card data, it offers no protection once a card has been phished or skimmed together with its code.
To keep up with the growth of online selling and the threats that came with it, 3-D Secure was introduced in the early 2000s. Visa launched it first under the Verified by Visa brand, the other card schemes followed with their own branded versions, and since 2016 the protocol has been maintained by EMVCo (an organization owned by the global card schemes) as EMV 3-D Secure. The protocol was designed to ensure payment legitimacy while preserving the convenient online checkout that has helped online businesses grow.
3-D Secure is a globally established payment security protocol designed specifically for online transactions, where the customer is not physically present to be identified by the seller. During a 3-D Secure enabled transaction, customers must authenticate themselves to prove that the payment is being made by them and nobody else.
The process works through an exchange of request, challenge and response messages between the parties involved: the issuer, the acquirer, the merchant and the customer. The rationale for adopting this method is that it adds an extra layer of security to card-not-present payments, making it harder for fraudsters, money launderers and other financial criminals to exploit stolen card or account details.
Owing to its practical usability and effectiveness in preventing online payment fraud, the market for 3-D Secure is growing rapidly; Fortune Business Insights expects it to reach $2.81 billion by 2030. However, as safe as it sounds, payment authentication has not always received the warmest welcome from online customers.
Despite protecting online payments, rigorous authentication often leads to customer churn, which is a major challenge for smaller businesses. Before 3-D Secure, customers checking out online did not have to go through an additional step to confirm their identity, which today is often done via a second channel bound to their account at registration. Many online customers, especially older ones, perceive this step as unnecessary and annoying, because few understand that it is there to protect them. A study by the FIDO Alliance in 2020 found that 58% of consumers in the US had felt frustrated by authentication hassles and abandoned their shopping cart as a result.
Another issue that continues to affect successful authentication is that the user experience is not the same on every device. Inconsistency in delivering authentication services, if not addressed, may hinder the industry from rolling out more robust protocols to protect transactions against fraud. Hundreds of brands supply mobile devices to the market, with new models released every other quarter, which makes it a real challenge for authentication providers to guarantee stability across all of them.
As the world shifts towards non-physical experiences such as online shopping and contactless delivery, added friction will not be attractive to businesses, who are essential participants in the payment industry; without them, secure payment is harder to achieve. Minimizing friction in the payment process is therefore no longer optional but a must, to improve the user experience while maintaining the required security thresholds.
As the online space grows in complexity, solution providers try to serve the global market with a localized approach that complies with local regulations. Over the years various authentication methods and supporting systems have been introduced, but not every one of them has stood the test of customer experience. Below are the authentication methods we think are trending this year, with a brief summary of their pros and cons.
Over the last 20 years, 3-D Secure has proven itself a reliable protocol for authenticating customers in card-not-present transactions. The developers and maintainers of the protocol have been exceptionally active in enhancing its specifications to keep up with changes in the global market.
In the second half of 2023, EMVCo published a newer version (2.3) with additional specifications to support faster and more effective communication between the parties, including a clearer outline for issuers to support the merchant-initiated Delegated Authentication flow. From 2024 onwards, with the growth reported by e-commerce platforms around the world, we expect more frequent specification development from EMVCo, as well as more active adoption of 3-D Secure authentication on the merchant side, which the organization has never mandated.
If you have ever purchased anything online with a credit card, chances are you have experienced payment authentication via a one-time password (OTP). Despite having been in use for a long time, this method remains the one most widely deployed by financial institutions.
During authentication, the one-time password is typically sent to the customer by SMS or email. Six-digit codes are common, but four-digit codes are also popular despite being far weaker: a four-digit code has only 10,000 possible values against one million for a six-digit code, so an attacker who is allowed several attempts per code has a much better chance against the shorter one. Since its introduction the OTP has spread throughout the global banking industry, and it is especially common in Southeast Asia. The reason for this popularity is the method's practicality: it works on any mobile phone that can receive SMS messages, with no app to install.
The downside of one-time passwords is that they can be intercepted or stolen using a range of tactics, including SIM swapping, phishing (with the code relayed in real time to the genuine site), brute-force guessing of short codes, and more. Furthermore, SMS-delivered one-time passwords on their own are widely regarded as not fully meeting the strong customer authentication requirements of the second Payment Services Directive (PSD2), the European regulation on electronic payments. For these reasons, many leading banks have gradually moved to more advanced authentication methods.
Using an authenticator application on their phone, users can quickly authenticate during login or a transaction. The method is perceived as easy to use, provided the user knows how to scan a QR code. QR-code-based authentication is not yet very popular for transactions in the Americas or Europe, whereas in Asia, and in Southeast Asia in particular, it enjoys strong support from financial institutions owing to its ease of use and its growing popularity in both offline-to-online and purely online transactions.
This notification-based form of authentication is often described by authentication service providers as a popular and cost-effective out-of-band (OOB) solution. A push notification asking the user to authenticate is delivered to the card issuer's (bank's) or payment service provider's application. The user taps the notification, which opens the application, and then taps the relevant button to confirm their identity.
As noted above, push notifications are a lower-cost option than one-time passwords if cost is a concern for your business. Instead of choosing a second channel (email or SMS) to deliver the authentication request, push notifications use your own platform, which is more familiar to your users. One caution: a bare approve/deny prompt can be abused by an attacker who floods the user with requests until one is approved by mistake, so the prompt should show what is being approved (amount and merchant) and the approval should be bound to that specific transaction.
In the early 2000s, hardware token authentication was introduced and made its way into banking services. Tokens come in both physical and digital form, depending on the service provider and the user's preference. Almost 20 years ago, when internet banking first served the public, a physical token could be used to confirm the account owner's presence and legitimacy when making a transaction.
About ten years later, technology providers began developing digital versions of the token (software tokens) to improve usability and convenience. Across Asia, many financial institutions have built software tokens into their mobile applications to reduce the friction of redirecting the user to another application. This is generally applied to bank transfers on platforms that have yet to migrate to newer authentication methods. To this day both forms of token are used around the world to secure transactions, despite competition from newer options.
In the 2010s biometrics became popular after being built into smart devices; Apple's Touch ID, introduced with the iPhone 5s in 2013, did much to bring fingerprint scanning to the mass market. In the following years security solution providers built on top of this, allowing customers to be authenticated with the biometric sensor on their smartphone and paving the way for the strong end-user preference we see in the global market today.
According to a survey conducted by Incode in 2023 among consumers worldwide with experience of digital identification services, 54% of respondents found that biometrics revolutionized the customer experience of online transactions and payments. However, some consumers remain hesitant to embrace digital identification, citing concerns about fraud protection, privacy and security.
The survey also found that consumers would like companies in some sectors to offer more digital authentication options.
Biometric authentication is spreading across the globe thanks to its high usability and platform adaptability, as long as the user's device has the required sensor. Nevertheless, the method remains heavily dependent on the on-device biometric function, whose capability and performance vary from device to device. This is a significant challenge for developers of biometric solutions, so we can expect more enhanced offerings such as liveness detection (checks that the sample comes from a live person rather than a photo, replay or mask) to mature in the near future.
Businesses operating payment systems face challenges from several directions. Apart from fraudsters, they must satisfy regulators, namely the requirements they must comply with and the periodic audits, which can be costly. Regulations also differ from country to country, so international or global payment providers must stay agile in the face of any development or change.
Over time, current payment systems will mature while new innovations continue to be presented to the market. But systems are not the only things that are maturing: fraudsters are also perfecting their tactics to approach and break through higher security barriers, and with easily accessible generative AI tools, cyber criminals are now far more efficient and sophisticated.
Fraud-combating solutions from HiTRUST will ensure your platform's safety while maintaining the exceptional user experience you plan to deliver.
A few years ago the world was introduced to Fast Identity Online (FIDO), a set of global standards aiming to eliminate passwords and their attendant problems: being forgotten, stolen and, most importantly, phished by cyber criminals. FIDO is built on public key cryptography: a key pair is generated for each account, and the private key is used to sign authentication requests, known as challenges.
The key pair is used for signing, not for encrypting traffic: the server keeps the public key, and the private key is never exposed to the server. To unlock that private key the customer can use biometrics, a PIN, or a separate security key that supports FIDO. You might wonder what the difference is between conventional biometric authentication and FIDO. Let us walk you through it.
Standard device biometric authentication functions as an add-on to the password mechanism already deployed in an authentication system. To see why, we must first understand what happens in password-based authentication.
Imagine you are logging in as usual with a username and password. Your password is sent to the online server, where the service provider checks whether it matches your registered credential. During this process there is a risk of man-in-the-middle attacks, in which an attacker intercepts the communication between you and the server, steals your password and gains unauthorized access to your account. (TLS makes interception of the connection itself hard; in practice the password is far more often captured at the endpoints, by phishing or malware.)
Password-based authentication is also subject to phishing, where the bad actor sends an email or message containing a link to a counterfeit website that captures your credentials. These sites can be extremely sophisticated: some include a fake one-time password prompt so that the fraudster receives both your password and the OTP and immediately uses them on the real website to access your account.
Adding standard device biometrics to this sequence lets your platform's users authenticate without typing their password. The registered biometric (fingerprint, face, iris and so on) is scanned, and a successful match grants the app permission to send the user's stored password, or a credential derived from it, to the server for verification. The biggest win of biometrics is convenience and ease of use, even for older users.
Alongside convenience, account hijacking via a typed password is avoided, but the scheme remains exposed to interception and phishing, because a secret is still transmitted from the device to the server for verification.
With FIDO the authentication process is different. Using public key cryptography, FIDO separates what the server stores from what the user holds. During registration the authenticator generates a key pair: the private key is stored safely on the user's device, and only the public key is sent to the server. A public key cannot be used to produce signatures, so a breach of the server's database yields nothing that lets an attacker log in as the user.
When the user authenticates, they do not type a password, and the biometric scan does not cause the app to send any credential to the server. Instead, the server sends a fresh random challenge, and the user proves their identity by signing it with the private key held on their device; the server checks the signature with the stored public key. Because the challenge is single-use and the signature also covers the origin (website) that requested it, a captured response is useless for replay, and a response produced on a phishing site does not verify for the genuine site.
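The registration and challenge-signing flow described above, as an added example that is not HiTRUST's code or any FIDO implementation: a toy Schnorr signature in pure Python stands in for a real authenticator's key pair (the group modulus and generator, the message layout, and the names bank.example, evil.example and alice are all assumptions made for illustration). It runs a genuine login, a replay of the same response, and two phishing relays, and shows why the last three fail.

```python
"""Toy FIDO-style challenge/response: registration, login, replay and phishing.

Added example, not code from HiTRUST or the FIDO Alliance.  A Schnorr-style
signature over the multiplicative group modulo the Mersenne prime 2**127-1
stands in for the ECDSA/Ed25519 keys a real authenticator uses; the group,
the message layout and every name below are assumptions made for illustration
only, and the toy signature must not be reused in production.
"""
from __future__ import annotations

import hashlib
import secrets

P = (1 << 127) - 1   # toy group modulus (assumption)
G = 3                # toy generator (assumption)
Q = P - 1            # exponents are reduced modulo the group size


def _digest(r: int, origin: str, challenge: bytes) -> int:
    """Hash of (commitment, origin, challenge); covering the origin is what defeats phishing."""
    data = b"|".join([r.to_bytes(16, "big"), origin.encode(), challenge])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


class Authenticator:
    """The user's device. Private keys are created here and are never sent anywhere."""

    def __init__(self) -> None:
        self._priv: dict[str, int] = {}   # relying-party id -> private key

    def register(self, rp_id: str) -> int:
        x = secrets.randbelow(Q - 1) + 1
        self._priv[rp_id] = x
        return pow(G, x, P)               # only the public key leaves the device

    def sign(self, rp_id: str, origin: str, challenge: bytes) -> tuple[int, int]:
        """Sign the challenge together with the origin the browser reports."""
        x = self._priv[rp_id]
        k = secrets.randbelow(Q - 1) + 1   # fresh nonce per signature
        r = pow(G, k, P)
        e = _digest(r, origin, challenge)
        return r, (k + e * x) % Q


class RelyingParty:
    """The server. Stores public keys only and issues single-use challenges."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.pubkeys: dict[str, int] = {}
        self.pending: dict[str, bytes] = {}

    def register(self, user: str, pubkey: int) -> None:
        self.pubkeys[user] = pubkey

    def new_challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify(self, user: str, origin: str, challenge: bytes, sig: tuple[int, int]) -> bool:
        expected = self.pending.pop(user, None)      # consume: a challenge is single-use
        if expected is None or challenge != expected or origin != self.origin:
            return False
        r, s = sig
        e = _digest(r, origin, challenge)
        # Schnorr check: g^s == r * y^e  (mod p), with y the stored public key
        return pow(G, s, P) == (r * pow(self.pubkeys[user], e, P)) % P


def demo() -> dict[str, bool]:
    """Run the four scenarios discussed in the text and report each outcome."""
    bank = RelyingParty("bank.example", "https://bank.example")
    device = Authenticator()
    bank.register("alice", device.register("bank.example"))

    # 1. Genuine login: the browser reports the genuine origin.
    c = bank.new_challenge("alice")
    sig = device.sign("bank.example", "https://bank.example", c)
    legit = bank.verify("alice", "https://bank.example", c, sig)

    # 2. Replay: the same response submitted again (challenge already consumed).
    replay = bank.verify("alice", "https://bank.example", c, sig)

    # 3. Phishing, honest relay: the attacker fetches a real challenge and relays it
    #    to the victim on https://evil.example; the browser signs with that origin.
    #    (A real browser would refuse to use bank.example's credential there at all;
    #    the toy lets it sign to show that origin binding alone is enough.)
    c = bank.new_challenge("alice")
    sig = device.sign("bank.example", "https://evil.example", c)
    phish_relay = bank.verify("alice", "https://evil.example", c, sig)

    # 4. Phishing, forged origin: as in 3, but the attacker claims the genuine origin
    #    when forwarding. The signature covers the real origin, so it does not verify.
    c = bank.new_challenge("alice")
    sig = device.sign("bank.example", "https://evil.example", c)
    phish_forged = bank.verify("alice", "https://bank.example", c, sig)

    return {"legit": legit, "replay": replay,
            "phish_relay": phish_relay, "phish_forged": phish_forged}


if __name__ == "__main__":
    print(demo())
```

Only the first scenario succeeds. The server never holds anything it could use to impersonate the user, a captured response cannot be replayed because the challenge is consumed on first use, and a response signed on a phishing origin fails whether the attacker forwards it honestly or lies about where it came from.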
While there are plenty of authentication methods on the market, no method can guarantee 100% safety; every solution carries some degree of risk. Customers of online platforms are rapidly shifting to more convenient, seamless platforms, yet a strong need for account and information security will always be present at the back of their minds.
An overly tight security system may help you steer clear of most threats, but it will likely hurt the user experience. What we have always advised our clients is to find a good balance between risk and convenience, ensuring that your business goals are not impacted while maintaining an acceptable barrier against fraud.
You can begin your fraud-free journey with a brief review of your system: its infrastructure, its current anti-fraud mechanisms and, most importantly, a fraud report for the previous year. Then outline the desired objectives for your customer journey, including your ideas and expectations of what the user experience should be, and from there choose the most appropriate fraud-fighting solution.
Reach out to us today for a detailed one-on-one consultation on a fraud-free and seamless payment journey for your end-customers.