Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Similar to "Client authentication in e-commerce solutions" by Jānis Kūliņš from Tieto Latvia at Authentication and Authorisation focused 53rd DevClub.lv
Similar to "Client authentication in e-commerce solutions" by Jānis Kūliņš from Tieto Latvia at Authentication and Authorisation focused 53rd DevClub.lv (20)
More from DevClub_lv
More from DevClub_lv (20)
Recently uploaded
Recently uploaded (20)
"Client authentication in e-commerce solutions" by Jānis Kūliņš from Tieto Latvia at Authentication and Authorisation focused 53rd DevClub.lv
- 1. Client authentication in e- commerce solutions What’s old, what’s new? Janis Kulinš Senior Solution Consultant Tieto, ZSP Industry Solutions / ZSPFP Transaction Banking janis.kulins@tieto.com
- 3. Content • CNP(card not present) fraud situation; • 3D technology in general; • 3DS v2 protocol • Authentication methods • New rules 3
- 4. © Tieto Corporation CNP Fraud trends and stats 4 Source: Aite Group , Card-Not-Present Fraud in a Post-EMV Environment: Combating the Fraud Spike June 2014 • U.S. CNP Credit Card Fraud Losses, 2011 to e2018 (US$ billions)
- 5. © Tieto Corporation What is 3D? 5
- 6. © Tieto Corporation What is 3D? 6 • 3-D Secure is an XML-based protocol designed to be an additional security layer for online credit and debit card transactions • 3 domain architecture • Acquirer (merchant, terminal owner) • Issuer (card issuer) • Interoperability domain (something in between)
- 7. © Tieto Corporation How it works? 7
- 8. © Tieto Corporation How it works? 8
- 9. © Tieto Corporation How it really works? 9
- 10. © Tieto Corporation 3D Secure v1.* 10 • 3D v1 already 16 year old • No solution for different platforms (non browser) • Need extra data for risk based decisions • Security issues • No tokenisation support • No 3D for local payment schemes • Conversion rate drop!
- 11. © Tieto Corporation 3D Secure v2.0 • The 3-D Secure authentication protocol supports both: • Payment • Non-Payment Authentication—Identity verification (!) • The 3-D Secure authentication protocol can be both: • App-based • Browser-based 11
- 12. © Tieto Corporation 3D Secure v2.0 • Invisible and tightly integrated • no redirects*, no popups • Intelligent use of rich card data • use available data to balancing risk/revenue • Focus on behavioural patterns • Biometrics is good, but BBA is better (?) 12
- 13. © Tieto Corporation 3D Secure v2.0 13 • Core specificaiton • SDK specification • Security requirements – IMPORTANT!
- 14. © Tieto Corporation 3D Secure v2.0 scheme 14
- 15. © Tieto Corporation 3D Secure v2.0. SDK 15 • Auth data • Device info (shall be collected)
- 16. © Tieto Corporation 3D Secure v2.0 challenge types? • Risk-based Authentication (RBA), with one of the following approved challenge methods: – One-time Password (via SMS or mobile app) – Biometric Fingerprint Match (a Mastercard-qualified solution) – Biometric Facial Recognition (a Mastercard-qualified solution) • Biometric Fingerprint Match (a Mastercard-qualified solution) • Biometric Facial Recognition (a Mastercard-qualified solution) • Biometric Voice Recognition (when combined with device data and another factor such as dynamic code) • SMS with one-time use password • Interactive Cards with PIN Pads • Push Notification requesting Transaction Approval from Cardholder (out of band method) • Handheld Token Generators, such as key fobs (when method is shared with online banking) • Issuer Portal Verification Method, which requires the cardholder to log into the issuer site for verification • Other solutions qualified within the Mastercard Qualified Authentication Technologies program • Risk-based authentication, without a challenge method. 16
- 17. © Tieto Corporation 3D Secure v.2.0 challenge types 17 http://www.europeanpaymentscouncil.eu/documents/EPC_Infographic_PSD2_March-2017_V2.pdf • Common practice • Formal int. policy • PSD2 • Local policy • FTKT • Velocity/Behavior patterns • Calculated risk?
- 18. © Tieto Corporation Trends? • «Invisible» payments • Data consolidation (for processors) • RBA • Uber/Starbucks model • Data tokenization • HCE (* on file) • PSD2 • Mobile payments • New payment channels (WeChat Pay, Trustly) • Fintechgration* 18
Editor's Notes
- Estimated CNP fraud rates after EMV adoption (just for trends)…WHAT TO DO, How to Cobat this?
- No information..different Names. DROŠIE PIRKUMI INTERNETĀ (SWED) 3d secure (SEB) E-drošība (Nordea)
- First developed by Visa..tha adp[ted bu other schemes. Most recent 2010 Nov Amex safekey. Differences mainli in way how UCAF is generated: MC – AAV, Visa CAVV, Amex AeVV Core specfication….Visa document
- Problems. Protocol ownership Cannot share infrastructure with local schemes or not payment products
- V 1.0 16 years old Frustrated with password, merchants want less friction during payment; For smart device
- App-based—Authentication during a transaction on a Consumer Device that originates from an App provided by a registered agent 3DS Requestor (merchant, digital wallet, et al). For example, an e-commerce transaction originating during a check-out process within a merchant’s app. Browser-based—Authentication during a transaction on a Consumer device that originates from a website utilising a browser. For example, an e-commerce transaction originating during a check-out process within a website on a Consumer Device. •Browser experience for web and mobile/smart device •User interface and experience •Non-browser experience, such as in application •Tokenization, ID&V, and non-payment user authentication •The option to provide additional data to enhance user authentication and ease risk based authentication decisions •Security vulnerabilities in some message flows (such as redirect/man in the middle) •Enhanced flows to reduced friction •Extensions to allow future flexibility and scheme specific needs •Digital wallet integration of EMV 3DS 2.0
- Invisible and tightly integrated – no pop-ups and no extra steps. Shopping card abandonment rates and lost conversions under 1.0 make this clear. Intelligent use of rich card data – it should be used to assess actual risk, not be more information the user needs to manually validate at the time of transaction. Focus on behavioral – measure the things that are really impossible to fake. Biometric is a good start, but behavioral-based authentication is better.
- SEC req is very big deal. Should come form schemes itself.
- Requestor (sort of MPI) 3DS Client – 3DS APP SDK (app based) Browser based - (integrates with Requestor site); 3DS server – interface only ( collects data, makes SSL, validate messages etc) 3DS Integrator (3DS server + 3DS Client)! Sort of full MPI which may porvid SDK for mercahnts! Frictionless flow (AReq, ARes) -
- 30 eur limit, on us trn Biometrics…any examples??? Wife? With PSD2 they’re introducing Account Information Service Provider or AISP’s, which will allo With PSD2, the Directive will allow retailers to ‘ask’ consumers for permission to use your bank details. Once you give permission, the retailer will receive the payment directly from your bank – no intermediaries The direct connection between retailers and banks will be enabled using Application Programming Interface or APIs for short The use of API’s is exciting because it enables companies (innovative companies) to connect to financial institutions directl For those of you that maybe multi-banked – i.e. bank accounts with multiple banks – we currently have to access each bank website separatelyWith PSD2 they’re introducing Account Information Service Provider or AISP’s, which will allow you to view all of your multi-bank details in 1 portal.
- 37% - 50% - 2017 market of payments! Another interesting area to watch is the growth of European P2P payment apps such as Bunq, MobilePay, and Swish, which may follow the route of WeChat Pay and evolve into B2C mobile wallets. Frictionless payments – amazon go (real life) Account Servicing Payment Service Provider (ASPSP)These are the banks that hold customer accounts, and are required by PSD2 to allow access to those accounts to TPPs through an open application program interface (API).Any EU Bank Payment Initiation Service Provider (PISP)With approval from the customer (often referred to as the Payment Service User, or PSU), PISPs have the ability to initiate payments on the customer’s behalf by accessing the customer’s accounts through an ASPSP’s open API. Typically, PISPs focus on e-commerce transactions, linking the merchant to a customer’s account.Sofort, Trustly, iDEALAccount Information Service Provider (AISP)AISPs act as aggregators of a consenting customer’s financial information across all accounts and financial services institutions, enabling the display of that aggregated information on some kind of customer-facing dashboard.Mint, Yodlee, Money Dashboard
- http://ismycreditacardstolen.com real source of danger?