TRANSCRIPT
Webinar
Authentication in M-commerce: Balancing
Risk and Experience
Roney Castro, UL
Ron van Wezel, Aite Group
12 December | 2017
©2017 Aite Group LLC.Page 7
Agenda
• Approach and methodology
• Balancing fraud and friction: highlights from the report
• Key take-aways
©2017 Aite Group LLC.Page 8
Expert group on strong customer authentication in m-commerce
CO-CHAIRS: Roney Castro (UL), Jacob Øst Hansen (Nordea), Ron van Wezel (Aite Group)
MEMBERS: Arman Aygen (UL), David Benini (Aware), Jan Bosveld (Promon), Frank Bullen (Inside Secure), Julie Conroy (Aite Group), Sue Cullip (Infobip), Peter Fjelbye (NETS), Julien Gabillet (Worldline), Eduardo Galvao (SIBS), Douglas Kinloch (Inside Secure), Injam Khokar (Nordea), Thor-Ragnar Klevstuen (Sparebank 1), Jean-Paul Koelbl (Swisscard), Elvino Krizmanic (Infobip), Francis Limousy (UL), Felipe Lopez (Tecnocom), Andreas Havsberg (NETS), Pedro Martinez (Gemalto), Neil Michie (Inside Secure), Nisha Patni (HCE Service), Chandra Patni (HCE Service), Ali Raza (UL), Ahmad Saif (Dejamobile), Marijke de Soete (Security4Biz), Coman Shanley (Bank of Ireland)
MOBEY FORUM: Maikki Frisk, Elina Mattila, Shalini Sharma
Methodology
• Research executed by Aite Group in cooperation with the Mobey Forum Expert Group.
• The basis of the research was an online survey.
• The survey was sent to three target audiences: Mobey Forum contacts, Aite Group contacts, and selected merchants.
• Between June and September, we received 76 responses, which is a very good result.
Timeline (May to November 2017): it took us 6 months from start to delivery
• May 17: start of work; first F2F meeting; preparation of the online survey
• June to September: online survey; Expert Group calls
• Second F2F meeting: presentation of interim survey results
• Report writing with Expert Group inputs
• November 7: presentation of the final report
Who were the respondents?
• 80% of respondents came from FIs and tech vendors. Very low response from merchants unfortunately.
• 69% of FIs had a European focus, while 66% of tech vendor respondents indicated that they work globally. Still, the responses from both groups were very similar.
• About half of the respondents said they work in a product or marketing role.
Q. How would you best describe your company's business? (N=76)
• Technology vendor: 42%
• Bank or financial institution: 38%
• Payment processor: 9%
• Merchant: 2%
• (unlabelled segment): 8%
Q. What is the primary geographic market that you, yourself, cover? (N=76)
• Global: 37%
• Europe: 45%
• North America: 12%
• Latin America: 2%
• Asia Pacific: …
Q. What is your role in your company? (N=76)
• Product management/development or marketing: 53%
• General management: 13%
• Client-facing: 12%
• Technology: 9%
• Consulting/research: 5%
• Other: 8%
Market trends
Market trends and their potential impact on the market:
• Rising CNP fraud: FIs and merchants need to bolster their fraud and authentication controls, or else absorb rising fraud losses.
• Focus on the user experience: FIs and merchants are on a quest to remove unnecessary friction from the user experience, with a priority on m-commerce.
• Increasing complexity of the payment space: FIs and merchants have to manage user experience and fraud prevention for multiple payment methods.
• Changing regulation: New legislation such as PSD2 will set restrictions on the authentication methods that FIs can use.
CNP fraud: Rising around the globe
U.S. CNP Fraud and Digital Commerce Growth 2011 to e2020 (US$ Billions)
Year              2011  2012  2013  2014  2015  2016  e2017  e2018  e2019  e2020
CNP fraud          2.1   2.6   2.8   2.8   3.2   3.3    4.0    4.9    5.5    5.9
Digital commerce   198   227   263   304   350   404    473    562    664    770
Source: Aite Group, 2017

Changes in CNP Credit Card Fraud Losses, 2009 to 2015 (in millions of British pounds, AU$, and CA$)
Year             2009  2010  2011  2012  2013  2014  2015
Canada (CA$)      140   176   260   269   299   360   537
U.K. (£)          266   227   221   246   301   332   398
Australia (AU$)    91   131   198   183   210   300   363
Source: Financial Fraud Action UK, Australian Payments Clearing Association, Canadian Bankers Association
Balancing fraud prevention against friction…
Q. How important is SCA to prevent fraud in m-commerce payments? (n=72)
• Critical—the combat against such fraud relies on SCA: 43%
• Very important—it is required for most applications: 21%
• Important, but must work in conjunction with other fraud prevention procedures: 35%
• Not so important—it is only required for specific applications: 1%
Q. How important are the following criteria for merchants when they evaluate their approach to securing payment transactions? (n=69)
(very important / somewhat important; the remaining share answered not very important or not at all important)
• Minimize the amount of friction introduced in the user experience: 91% / 9%
• Improve security and customer trust: 68% / 30%
• Comply with regulatory and/or industry requirements: 67% / 30%
• Reduce fraud exposure due to the liability shift: 57% / 41%
• Reduce operational costs: 54% / 46%
Almost all respondents recognize the importance of SCA, with nearly half voting for “critical” importance…
… at the same time, reducing friction in the user experience is considered very important by most
There are many techniques available for fraud detection and customer authentication
The quest: optimizing the balance between risk and friction
[Chart: authentication techniques positioned by level of security (low, medium, high) against friction (from seamless experience to high friction); the positions are not recoverable from the slide. Techniques shown: username/password, KBA, SMS OTP, token, identity data verification, identity document verification, device identity, device malware, behavior patterns, behavioral biometrics, mobile app push, fingerprint biometric, 2-D facial recognition, 3-D facial recognition, iris biometric, eye vein biometric.]
How to best manage risk?
• Real-time transaction monitoring is indicated as the most important risk management tool for securing m-commerce payments
Q. How important are the following risk management tools for securing m-commerce payments? (n=66)
(very important / somewhat important / not very important or not at all important)
• Real-time transaction monitoring: 82% / 17%
• Customer risk screening during onboarding: 64% / 33%
• Multifactor authentication: 62% / 38%
• Securing/“hardening” the software on the mobile device: 55% / 44%
• Consumer education: 42% / 52% / 6%
Effectiveness of risk-based authentication (RBA)
• 31 out of 76 respondents indicate that they have implemented RBA.
• Of those, about 42% stated that RBA was sufficient to approve 70% or more of m-commerce payments without step-up authentication being required.
Q. As a percentage of total volume, what share of m-commerce payments were approved based on RBA, which does not require step-up authentication with a second factor? (n=31 respondents from companies that implemented risk-based authentication solutions for m-commerce payments)
• Less than 20%: 26%
• 20% to 49%: 22%
• 50% to 69%: 10%
• 70% or more: 42%
If second factor is required, what is the preferred technology?
• Half of respondents vote for biometric verification
Q. When the first factor for SCA is knowledge (e.g., password or PIN), what technology will become the preferred additional authentication factor in the market? (n=66)
• Biometric verification: 50%
• Software token/app running on the mobile device: 20%
• Out-of-band software app running on the mobile device: 6%
• Token integrated in mobile device: …
• One-time password: 8%
• Other: 9%
What should the SCA threshold value be?
• More than 70% of respondents believe that the threshold value for SCA set by the regulator (EUR 30) is too low. But opinions vary…
“… the threshold to apply SCA for remote card payments should be zero. If the technology is properly implemented, and the focus is on a streamlined user experience, then the threshold becomes mute.”
(No limit should be set.) “It should be up to the industry or the merchants and the banks themselves if they would like to set a limit or not and if so, where the limit should be exactly.”
Q. In your view, what should be the threshold amount to apply SCA to remote card payments (the proposed value by the EU is EUR 30)? (n=70)
• Zero (which means that all payments will require SCA): 1%
• Higher than zero but less than EUR 30: 10%
• The proposed value of EUR 30 is just right: 16%
• Higher than EUR 30 but maximum EUR 100: 51%
• Higher than EUR 100: 9%
• No limit: 6%
• Don’t know/no opinion: …
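To make the RBA and threshold discussion concrete, here is an added illustration (not code from the report or the Expert Group): a minimal risk-based authentication decision that applies the EUR 30 low-value threshold quoted on the slide, scores other payments from real-time monitoring signals, and reports the share approved without step-up, the metric the RBA question asked for. The signals, weights, cut-off and sample payments are constructed assumptions.

```python
"""Added illustration, not code from the Aite Group / Mobey Forum report: a minimal
risk-based authentication (RBA) decision for m-commerce card payments."""
from dataclasses import dataclass

LOW_VALUE_THRESHOLD_EUR = 30.0  # proposed PSD2 SCA threshold discussed in the survey
STEP_UP_SCORE = 0.3             # assumed risk-score cut-off above which a second factor is required


@dataclass
class Transaction:
    amount_eur: float
    known_device: bool       # device identity matches a previously enrolled device
    country_matches: bool    # geolocation consistent with the cardholder's home market
    velocity_last_hour: int  # payments attempted from this account in the last hour
    malware_detected: bool   # app self-protection flagged a compromised device


def risk_score(tx: Transaction) -> float:
    """Real-time transaction-monitoring score in [0, 1]; weights are assumed."""
    score = 0.35 * (not tx.known_device) + 0.25 * (not tx.country_matches)
    score += 0.2 * (tx.velocity_last_hour >= 3) + 0.6 * tx.malware_detected
    return min(score, 1.0)


def step_up_required(tx: Transaction) -> bool:
    """True if the payment must be challenged with a second factor (SCA)."""
    if tx.malware_detected:
        return True  # never exempt a compromised device, whatever the amount
    if tx.amount_eur <= LOW_VALUE_THRESHOLD_EUR:
        return False  # low-value exemption: approve without step-up
    return risk_score(tx) >= STEP_UP_SCORE


def frictionless_share(txs: list) -> float:
    """Share of payments approved on RBA alone, the metric the survey asked for."""
    approved = sum(1 for tx in txs if not step_up_required(tx))
    return approved / len(txs)


SAMPLE = [  # constructed sample payments, not survey data
    Transaction(12.50, True, True, 1, False),    # low value, trusted: no step-up
    Transaction(25.00, False, True, 1, False),   # low value, new device: exempt by amount
    Transaction(45.00, True, True, 1, False),    # score 0.0: RBA approves
    Transaction(80.00, False, True, 1, False),   # score 0.35: step-up
    Transaction(60.00, True, False, 1, False),   # score 0.25: RBA approves
    Transaction(15.00, True, True, 2, True),     # malware: step-up despite low value
    Transaction(200.0, True, True, 4, False),    # score 0.2: RBA approves
    Transaction(120.0, False, False, 1, False),  # score 0.6: step-up
]
```

Lowering the threshold or raising the cut-off shifts payments from the frictionless bucket into step-up, which is the trade-off the respondents were weighing.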
Increasing complexity of the payment space
• Respondents indicate that cards are still the prevalent payment method but account-based payments are widely used as well. This latter result may have to do with a survey bias to NW Europe for FIs.
• The majority of FIs and vendors are planning to develop/support new payment models, e.g., PSD2 payment initiation.
Q. Which of the following payment methods does your organization support or accept/develop software for m-commerce at the present time? (n=69)
• Cards (including card-on-file solutions): 81%
• Digital wallets provided by banks and card companies: 64%
• Account-based “pay by app” payments: 59%
• Online e-banking tools: 58%
• The “Pays” (e.g., Apple Pay, Samsung Pay, and Android Pay): 55%
• PayPal (and other third-party wallets): 28%
• Other: 19%
Q. Which of these payment methods is your organization planning to support for m-commerce/will your organization develop software for m-commerce merchants in the next 2 years? (n=69)
• New payment models (e.g., payment initiation services as described in PSD2): 77%
• Cards (including card-on-file solutions): 67%
• Account-based “pay by app” payments (e.g., Venmo, MobilePay, Swish, and Pingit): 61%
• Online e-banking tools (e.g., iDeal, PayDirekt, and MyBank): 57%
• The “Pays” (e.g., Apple Pay, Samsung Pay, and Android Pay): 57%
• Digital wallets provided by banks and card companies (e.g., Visa Checkout and Masterpass): 57%
• PayPal (and other third-party wallets): 30%
• Other: 17%
What will be the impact of open access to the account (as required by PSD2)?
• About half of respondents have concerns about the additional risk due to open access
“… Aggregator style companies lack incentive to secure their infrastructure because they don't currently have liability for losses. They increase the size of the attack surface and provide a path for fraudsters to do things like test credentials, validate presence of accounts in ways that aren't as visible to bank security tools.”
“This is a data security nightmare for the bank. This is assuming the data security standards in place today are effective tomorrow. Fast forward a little bit, one breach tied to a TPP may cause an about face on this policy.”
Q. What will be the impact of open access on the bank's security processes and systems? (n=46)
• Significant positive impact: 18%
• Moderate positive impact: 18%
• No impact: 17%
• Moderate negative impact: 42%
• Significant negative impact: 5%
Key takeaways
• PSPs and merchants are on a quest to balance fraud prevention and friction in the payment experience.
• SCA is the foremost defensive measure that FIs and merchants can implement. SCA could have a negative impact on conversion in the short term for certain merchant segments, but this may be temporary as customers get used to the new procedures.
• Risk-based authentication (RBA) is the most important tool available to enable a smooth payment experience while improving security at the same time.
• The adoption of biometrics as an authentication mechanism will continue to grow, as the technology offers the best of two worlds: better security and improved user convenience.