E-commerce and e-payment: the new challenge of strong authentication
The way we make payments and transactions has changed a lot. From barter to the invention of money, the ways of doing business have multiplied over time. In 2020, the challenge for payment players around the world is to regulate and secure new types of digital payments. At a time when shopping online has become common practice, ensuring that all transactions made through this channel are secure is paramount.
The evolution of online payment security
To this end, the European Union adopted the first Payment Services Directive (PSD1) in 2007, and Member States had to transpose it into national law by 2009. (The European Banking Authority, which today writes the technical standards on authentication, was only created in 2011.) PSD1 laid the legal groundwork for regulating payment services across the EU; the confirmation step most online shoppers remember from the same period comes from the card schemes' 3-D Secure programme rather than from the directive itself. Once an online purchase has been confirmed, the buyer is redirected to a page of the issuing bank and must enter a confirmation code sent by SMS. This practice was the first barrier put in place to counter online fraud.
Still active today, it is unfortunately no longer sufficient to cover the enormous diversity of payment methods available online. The opening up of financial flows with Open Banking has enabled many new players to offer their own payment solutions. Where the traditional banking sector was slow to change its practices, cryptocurrencies, neo-banks and other novelties have appeared within a few years.
The rapid proliferation of these new solutions led the European Commission to propose a second version of the Payment Services Directive (PSD2). Adopted in 2015 and applicable since 13 January 2018, it continues to be refined through the EBA's regulatory technical standards (RTS), which follow market practice. The key change for online purchases is that strong customer authentication (SCA) becomes mandatory rather than merely recommended: the RTS on SCA applied from 14 September 2019, and the EBA gave the industry until 31 December 2020 to comply. Historically, two important security measures for online and remote shopping were introduced, in this order:
- In the early 2000s, the visual cryptogram (CVV2/CVC2) was introduced as the first barrier against remote payment fraud. It is a three-digit code printed on the back of the card (four digits on the front for American Express), and it is requested from the cardholder to validate this type of purchase. Because it is a static value, it protects nothing once it has been captured by a phishing page or a skimmer script on a merchant site: the same three digits are then replayed on every subsequent purchase.
- 3-D Secure then became widespread at the end of the 2000s to reinforce these first foundations. In its original version, the challenge is a confirmation code sent to the buyer over a different channel (most often SMS) and entered on a page controlled by the issuing bank; the objective is to ensure that the person confirming the purchase really is the cardholder. The current version of the protocol, EMV 3-D Secure (3DS 2), also allows the challenge to be answered in the bank's mobile application, which is where the biometric methods discussed below come in.
From 1 January 2021, a third measure became enforceable: strong customer authentication (SCA), a two-factor check that is gradually becoming the standard for online purchases.
New secure means of authentication
How to define and apply a “strong” authentication?
Payment actors are looking into this issue in order to set up secure and relevant means of authenticating the buyer with certainty. Technological advances, as in many other fields, allow innovations and new payment-related methods to emerge.
Among these methods, one is gaining broad acceptance: biometrics. Our biometric identity is made up of the biological characteristics that are ours alone, from fingerprints to the iris of the eye. Such data is harder to falsify or share than a number, a code or a cryptogram, but it carries one caveat that a password does not: it cannot be changed if it leaks. That is why well-designed systems keep the fingerprint or face template on the user's device and send the bank only a signed confirmation that the local match succeeded, never the biometric data itself.
Strong authentication therefore consists of a two-factor validation. When you make online purchases, you will be asked for two of the following three elements, which must be independent of one another (compromising one must not compromise the other). For remote payments, PSD2 adds a further requirement, dynamic linking: the authentication code must be tied to the exact amount and payee, so that a code obtained for one transaction cannot be replayed to approve another.
- Something only you know (knowledge): passwords, PINs, secret questions and other security codes.
- Something only you possess (possession): your personal cell phone, your payment card, a hardware token…
- Something you are (inherence): biometric data, collected for example by scanning a fingerprint in a banking application. Iris, voice recognition and other identifiers will follow.
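As an added example (not code from the article, nor any bank's or card scheme's protocol), the following Python sketch shows what "two independent factors" and the binding of the confirmation code to the amount and payee look like in bank-side verification logic. It also models the confirmation-code idea from the 3D Secure paragraph above, except that the code is computed by a key held on the customer's phone instead of being sent by SMS. The account model, the PIN hashing parameters, the code format and the sample payee identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed, illustrative bank-side verification of one online payment.
# It combines two independent factors, as PSD2 strong customer authentication
# requires, and binds the possession factor to the transaction (dynamic linking):
#   knowledge  - a PIN only the customer knows, stored salted and hashed
#   possession - a one-time code computed by a secret key held on the customer's
#                registered phone, over the amount, currency and payee
# All names, the code format and the enrolment flow are assumptions made for
# this example; they are not a real bank's or card scheme's protocol.

PIN_ITERATIONS = 200_000   # PBKDF2 work factor; raise in production
CODE_DIGITS = 8            # length of the code the customer types in


def enroll_pin(pin: str) -> dict:
    """Store the knowledge factor as salt + PBKDF2-HMAC-SHA256 digest, never the PIN."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PIN_ITERATIONS)
    return {"salt": salt, "digest": digest}


def check_pin(record: dict, pin: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], PIN_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


def enroll_device() -> bytes:
    """Possession factor: a random key provisioned into the customer's phone app."""
    return secrets.token_bytes(32)


def transaction_message(amount_cents: int, currency: str, payee: str, counter: int) -> bytes:
    # Everything that must not change after the customer approved it
    return f"{amount_cents}|{currency}|{payee}|{counter}".encode()


def device_code(device_key: bytes, amount_cents: int, currency: str, payee: str, counter: int) -> str:
    """The code the phone displays after the customer approved these exact payment details."""
    msg = transaction_message(amount_cents, currency, payee, counter)
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") % (10 ** CODE_DIGITS)
    return f"{value:0{CODE_DIGITS}d}"


class Account:
    def __init__(self, pin: str) -> None:
        self.pin_record = enroll_pin(pin)
        self.device_key = enroll_device()  # in practice shared only with the phone at enrolment
        self.last_counter = 0              # highest counter already accepted (replay guard)


def verify_payment(account: Account, amount_cents: int, currency: str, payee: str,
                   counter: int, pin: str, code: str) -> bool:
    """True only if both factors pass for THIS amount and payee.

    A failed attempt does not advance the counter; a real system would also
    rate-limit attempts per account, which is left out here.
    """
    if counter <= account.last_counter:
        return False  # stale or replayed code
    if not check_pin(account.pin_record, pin):
        return False  # knowledge factor failed
    expected = device_code(account.device_key, amount_cents, currency, payee, counter)
    if not hmac.compare_digest(expected.encode(), code.encode()):
        return False  # possession factor failed, or amount/payee were tampered with
    account.last_counter = counter
    return True


if __name__ == "__main__":
    acct = Account("4821")
    payee = "TEST-MERCHANT-001"  # constructed payee identifier
    code = device_code(acct.device_key, 4999, "EUR", payee, 1)
    print("genuine payment:", verify_payment(acct, 4999, "EUR", payee, 1, "4821", code))
    print("replay of same code:", verify_payment(acct, 4999, "EUR", payee, 1, "4821", code))
    code = device_code(acct.device_key, 4999, "EUR", payee, 2)
    print("amount changed to 499.90:", verify_payment(acct, 49990, "EUR", payee, 2, "4821", code))
```

Running the script accepts the genuine confirmation, refuses a replay of the same code, and refuses the same code when the merchant side alters the amount. That last case is the point of dynamic linking: a code phished for a 49.99 EUR purchase cannot approve a 499.90 EUR one, which a bare SMS code that says only "enter 123456" cannot guarantee.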
The challenge for e-merchants and payment service providers will be to make this authentication as fast and easy as possible. Online shopping already has its share of friction, such as registration and payment forms, and strong authentication must not slow the process down much further. Many online transactions are abandoned by Internet users because of these slowing factors, and the threat of massive shopping cart abandonment was raised by several players when the measure was introduced. PSD2 itself provides some relief: the RTS exempt certain transactions from SCA, among them low-value payments, payments to beneficiaries the customer has whitelisted with their bank, and transactions that the payment provider's risk analysis scores as low risk, so a well-integrated checkout only challenges the customer when it has to.
Another point to follow regarding the implementation of this strong authentication will be the access to the technology. In order to perform a biometric verification, the cardholder will need to have a smartphone, then download his or her banking application and learn how to use it. For the new generations, these steps will be quite natural. For previous generations, a little less. A part of the population will surely be reluctant to change its consumption habits and will have to be accompanied in this change.
It will therefore be necessary to ensure that these new security measures are accessible and applicable to all. In any case, strong authentication is going to become the security standard for online payments, and we will all have to adapt to it.