Does security and convenience go well one with another and how to increase customer's convenience in digital commerce? What's new in ACS 2.0 and how SA supports online commerce safety? Presentation will give you answers to all of those questions but also an insight about advanced security options topics.

1. CAN SECURITY AND
CONVENIENCE GO HAND IN
HAND IN E-COMMERCE?
Aljoša Lovrič-Petrič, Head of Innovation and Prototyping
Ladislav Grgac, Issuing Expert
Ljubljana, May 2017

2. 3D SECURE 2.0

3. 3D SECURE 2.0
New EMVCo 3D secure specification
● Released in October 2016
● Supported by payment schemes (Visa, MasterCard, Amex and others)
Main goals
● Increase security and decrease friction in payment flow
● Balance between security and UX
● Consistent UX on the app-based and web-based interfaces (HTML and native apps)
New non-payment use cases
● Strong authentication uses (ID&V)
RBA (Risk Based Authentication)
● Evaluates also and customer‘s transaction and account history on the merchant side
● High risk authentications – customers needs to authenticate
● Low risk authentications – no additional input required (frictionless)
3
CONFIDENTIAL

4. NEW TERMINOLOGY
v1.0 v2.0
Merchant 3DS requestor
Merchant plug-in (MPI) 3DS server
n/a 3DS requestor environment
Merchant integrator 3DS integrator
n/a 3DS requestor app
4
CONFIDENTIAL

5. PROCESS FLOW
Directory Server
Access Control
Server
$
Issuer
$
Acquirer
Payment
Network
Challenge
Request / Response
3DS Requestor /3DS Server APIs
Payment
Request
Authorization
Message
Authorization
Message
Result
Request /
Response
Authentication
Request /
Response
Result
Request /
Response
Authentication
Request /
Response
3DS Requestor Environment
Merchant 3DS Server3DS customer
5
CONFIDENTIAL

6. ACS 2.0
• First possible issuer rollouts in Q2 2018
(MasterCard, Visa and Amex)
• 3D Secure v1.0 to be supported until
schemes decision to sunset it
• Both versions to be maintained in
parallel due to backward
incompatibility
• Authentication methods supported on both
versions:
• SMS OTP
• mToken as standalone app or SDK for
integration with another app (e.g.
Mobile banking)
• CAP/DPA (on ACS 1.0)
• Different data models:
• ACS v1.0 – 10 data elements in the
process
• ACS v2.0 – 60+ elements including
purchase behavior from e-shop
• Different data format (from XML to Json)
• Introduced Risk Based Authentication (Issuer
strategy dependent)
• Pushed by Schemes (Visa proposes
that 80% of transactions shall be
approved by RBA)
• Enhanced user experience – light box vs.
redirection
Overview Roadmap
6
CONFIDENTIAL

7. RISK BASED AUTHENTICATION
Source: Visa Inc.
7
CONFIDENTIAL

8. STRONG
AUTHENTICATION

9. Strong authentication is a procedure based on the use of two
or more of the following elements:
• Something only the user knows (e.g. static password, code,
PIN…)
• Something only the user have (e.g. mobile device, smart card,
token…)
• Something the user is (e.g. biometric characteristic, fingerprint)
Why strong authentication?
• The interests of all participants in an authentication process
(users, banks, processors, regulators) to ensure the highest level
of security of access and use of sensitive data.
• Trends in cloud services and enabling secure access to it
• European Banking Authority (EBA) Guidelines on the security of
internet payments ECB Recommendations for the security of
internet payments…
STRONG AUTHENTICATION
The elements selected must be
mutually independent, i.e. the breach
of one does not compromise the
other(s).
At least one of the elements should
be non-reusable, non-replicable and
not capable of being stolen via
Internet.
The SA procedure should be designed
in such a way as to protect the
confidentiality of the authentication
data.
9
CONFIDENTIAL

10. HOW IT WORKS…
During checkout process a transaction using
MasterCard SecureCode or Verified by Visa will
initiate a redirection to the website of the card issuing
bank to authenticate the customer and authorize the
transaction.
Issuer could use any kind of supported authentication
method.
10
CONFIDENTIAL

11. SOLUTIONS DESCRIPTION
CARD READER
• Hardware based solution
• Requires EMV smart
card with preloaded CAP
or DPA application
• Supports several
authentication methods:
• User Identification
• Challenge/Respon
se
• Transaction Data
Signature
MOBILE TOKEN
• Software based solution
requiring mobile device
• Uses a cryptographic key
for user authentication
• Provides a high level of
security protection including
protection from a Man-in-
the-middle attack
• Use of standard
authentication algorithms
(Time based OTP,
Challenge / Response, QR
code scan)
SMS OTP
• Generated and verified
via HSM
• OTPs not stored in
database
• Service integration with
SMS gateway (bank,
PSP, etc.)
11
CONFIDENTIAL

12. AUTHENTICATION WORKFLOWS
Card reader
OTP SMS
mToken
12
CONFIDENTIAL

13. TOKENIZATION

14. TOKENIZATION
• Process of substituting a sensitive data element with a non-sensitive equivalent that has no exploitable value
• Significantly increases security and reduces fraud, especially in non-face to face transactions like e-commerce
and MO/TO
• Applicable for payment products enrolled into mobile wallet
• Provided by certified Token Service Provider
• Payment schemes
– MasterCard Digital Enablement Service
– Visa Token Service
• 3rd party providers (PSP, Issuers, etc.)
– following EMVCo technical specification
– certified by respective payment schemes
• PAN tokens are not derived from payment card BIN range
• Under token BINs or BIN subranges no physical cards are issued
14
CONFIDENTIAL

15. ► Incurs additional costs as tokenization process makes
on-us authorization unrecognizable so all
authorizations go through payment scheme’s network
► Currently the only available solution for Visa products
► Avoiding additional costs charged by Payment schemes
by keeping on-us authorizations
► Decreasing future risks if payment scheme introduces
tokenization specific costs
TSP OPTIONS
3PP EMVCo token service VTS / MDES
Bank host
PSP host
Customer
De-tokenization
Token vault PS host
Payment
network
POSPAN token cardMobile wallet
Real PAN card
PSP host
Customer
Bank host
Token vaultDe-tokenization
POSMobile wallet PAN token card
Real PAN card
15
CONFIDENTIAL

16. VIRTUAL
E-COMM CARDS

17. VIRTUAL E-COMMERCE CARD
Product based service in mobile banking /
wallet offering cardholders fast, convenient and
secure online shopping experience.
• Generated via mobile wallet / Internet banking
• Enabled only for e-commerce purchase
• No renewal policy
• Uses tokenized PANs from separate BIN range
• Only one virtual card of the same type allowed
per product
• May be manually cancelled by the cardholder
or automatically invalidated either by reaching
the spending limit or maximum allowed number
of transactions or by expiry of its validity period
Single use Multi use
Spending limit
Trx. count limit
Limited validity
Card types
Management
Cardholder setup spending limit (for both card types) and
number of transactions (for multiple use virtual cards only)
within maximum allowed values set by the issuer
1
17
CONFIDENTIAL

18. GEO-CONTROL

19. GEO-CONTROL
• Profile without any restrictions
• Auto-activated if transaction triggers fraud
alert
• Overrides other profiles
• Cannot be selected by the cardholder
Limited
• May enabled per entire BIN or per
individual PAN
• Duration may be setup as temporary (date-
based)
• Restriction parameters defined by the
Issuer:
• Country
• Transaction type
• MCC
• Rejected transaction reason codes
exposed for complaint management
Manual
Profile switching
Auto
• By customer (via wallet app
or m-banking channels)
• By call center agent
• Upon expiration of date-
based restrictions
• By fraud monitoring system
Switching to fraud specific profile creates an
SMS to a cardholder
• SMS remains in pending status until
event analysis is completed
• Fraud specialist can trigger manual send
of pending SMS if necessary
Profile based service designed to enable customers to
effectively manage risks associated with card transactions
via mobile channel
Worldwide
Fraud
19
CONFIDENTIAL

20. MASTERPASS

21. ACCEPTANCE
• At online merchants, wherever
Masterpass button is displayed
• Masterpass accepts credit, debit,
or prepaid cards from MasterCard,
Maestro, American Express, Diners
Club, Discover, VISA, China
UnionPay and Private Label cards
• All currencies are supported
AVAILABILITY
• Currently available in 60 countries
globally (28 in Europe)
• Works on the mobile and web
browsers
DIGITAL WALLET SERVICE
• Makes online shopping safe and
secure, easy, fast and convenient
• It stores customers’ payment cards
details, including shipping details
and loyalty cards
• No need to enter long card details
every time customers check out
DESCRIPTION & BENEFITS
CONVENIENCE
works with many
OS’es (desktop
and mobile)
SIMPLICITY
eliminates need to
enter payment and
shipping information
for every purchase
TRUST
critical card details
are not stored by
the merchant
SPEED
fast, one
click checkout
SECURITY
card details are
stored in the bank
(or with PSP)
21
CONFIDENTIAL

22. HIGH LEVEL VIEW
22
CONFIDENTIAL

23. CHECKOUT OPTIONS
StandardExpressConnected
23
CONFIDENTIAL

24. www.mercury-processing.com
+386 5 666 1312
aljosa.lovric-petric@mercury-processing.com
Aljoša Lovrič-Petrič
Head of Innovation and Prototyping
IT and Innovation Division
CONTACT
Ladislav Grgac
Issuing Expert
Business Management Division
+385 1 6456 504
www.mercury-processing.com
ladislav.grgac@marcury-processing.com
24

25. THANK YOU!
Any questions?