Strong authentication: focus on retailers
Strong authentication is a principle put forward by the Second Payment Services Directive (PSD2), which aims to strengthen payment security, particularly in the context of e-commerce. It has evolved and taken several forms since its creation, as we previously discussed. 3D Secure was the key element, but new forms of payment have pushed the relevant authorities to look for even more secure means.
Source: OGAM
Application perspectives for merchants
Strong authentication can take many forms, as long as it combines the required factors. Two of the following three criteria must be met for authentication to be considered “strong”:
- Confidential information known only to the cardholder (password, secret code, etc.)
- The use of a personal device (credit card, smartphone…)
- Verification of a personal characteristic by biometrics (fingerprint, facial/voice recognition…)
This procedure is intended to replace 3D Secure, which, although it provides protection for payments, is no longer sufficient today. Biometrics is becoming more and more important in the world of payment, and is gradually becoming the standard for securing payments, both online and in stores.
In the physical world, biometrics is appearing through the new biometric bank cards that some banks are beginning to offer their customers. A biometric card is similar in many ways to a classic card, except that it includes a fingerprint sensor. This sensor will in principle replace your secret code: when making a purchase in a shop, you hold your biometric card in front of the merchant’s Eftpos terminal while keeping your thumb on the sensor. This action validates the payment, and the authentication is considered strong because it combines at least two of the factors mentioned above (personal device and verification of a personal characteristic).
The distribution of biometric bank cards is still low in France and in Europe, so we will have to wait for concrete examples of applications to gauge consumer interest in this new type of card. But where strong authentication can have an even greater impact is in the world of e-commerce, which has been looking for real security since its advent.
Secure online payments
The real challenge of strong authentication is to address the problems, especially security problems, related to online payments.
Even though many ways to pay online exist nowadays, the large majority of these payments are made by credit card. As previously mentioned, 3D Secure was the only way to prevent fraud during online purchases. Even though it has generally fulfilled its role well, PSD2 requires a more secure redesign of this system.
This is where strong authentication comes in. When you pay for an online purchase, the merchant site asks for your usual banking information (cryptogram, card number, etc.). Instead of going through 3D Secure, you are then sent a strong authentication request by your bank. Generally, this request directs you to your dedicated mobile banking application, where you identify yourself with a secret code or biometrics and confirm the authentication.
This method will eventually become the norm and replace older measures such as 3D Secure. Mobile banking applications are evolving and updating, integrating more and more technologies. Once the technological barrier is passed, in particular once smartphones are widely equipped with biometric sensors, there is no doubt that the vast majority of payment authentications will be done in your banking application and via a biometric element.
It should be noted, however, that not all online payments will require strong authentication to be validated:
- Payments under 30€ can be confirmed without strong authentication
- Some recurring payments (subscriptions) will not require you to re-authenticate each month
- A payment at a merchant you have designated as a “trusted payee” will not require strong authentication
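The two-of-three factor rule and the three exemptions listed above can be combined into a single authorization decision. The following is an added example, not code from the original article or from any bank or payment scheme; the factor kind names, the `Payment` fields, the treatment of a payment of exactly €30 as non-exempt, and the modelling of "some recurring payments" as follow-up instalments of an already authenticated subscription are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Factor kinds grouped by the article's three categories (kind names are illustrative).
CATEGORY = {
    "password": "knowledge", "secret_code": "knowledge",
    "card": "possession", "smartphone": "possession",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}
LOW_VALUE_LIMIT = Decimal("30")  # EUR; payments under this amount are exempt


@dataclass
class Payment:
    amount: Decimal
    recurring_followup: bool = False  # assumption: later instalment of an authenticated subscription
    trusted_payee: bool = False       # cardholder designated this merchant as trusted


def exemption(p: Payment):
    """Return the name of the exemption that applies, or None."""
    if p.amount < LOW_VALUE_LIMIT:
        return "low_value"
    if p.recurring_followup:
        return "recurring"
    if p.trusted_payee:
        return "trusted_payee"
    return None


def is_strong(factors):
    """True when the verified factors span at least two distinct categories."""
    unknown = [f for f in factors if f not in CATEGORY]
    if unknown:
        raise ValueError(f"unknown factor kind: {unknown}")
    # Two factors of the same category (password + secret code) count only once.
    return len({CATEGORY[f] for f in factors}) >= 2


def authorize(p: Payment, verified_factors=()):
    """Return (allowed, reason) for a payment and the factors verified for it."""
    reason = exemption(p)
    if reason:
        return True, f"exempt:{reason}"
    if is_strong(verified_factors):
        return True, "strong_authentication"
    return False, "strong_authentication_required"
```

A password plus a secret code is refused here because both belong to the knowledge category, while a smartphone plus a fingerprint is accepted.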
We are indeed witnessing a change in the payment security procedure, which will probably involve the biometric elements mentioned above. Even if not all smartphones are equipped with fingerprint or even facial recognition technology, biometrics remains the most secure option today. Stealing a credit card is one thing, falsifying the biometric data of the cardholder is another. Since biometrics are based on individual elements, identification errors are very rare. Players such as Idemia offer innovative concepts of biometric devices and terminals, allowing for multiple applications of biometrics in authentication.
Remember that strong authentication has been officially applied since May 15, 2021, after having been gradually tested since October 1, 2020, originally for transactions over €2,000. Today, all online transactions above €30 are therefore subject to it.