
Webinar

Authentication in M-commerce: Balancing Risk and Experience

Roney Castro, UL

Ron van Wezel, Aite Group

12 December | 2017


©2017 Aite Group LLC.Page 7

Agenda

• Approach and methodology

• Balancing fraud and friction: highlights from the report

• Key take-aways


Expert group on strong customer authentication in m-commerce

CO-CHAIRS: Roney Castro (UL), Jacob Øst Hansen (Nordea), Ron van Wezel (Aite Group)

MEMBERS: Arman Aygen (UL), David Benini (Aware), Jan Bosveld (Promon), Frank Bullen (Inside Secure), Julie Conroy (Aite Group), Sue Cullip (Infobip), Peter Fjelbye (NETS), Julien Gabillet (Worldline), Eduardo Galvao (SIBS), Douglas Kinloch (Inside Secure), Injam Khokar (Nordea), Thor-Ragnar Klevstuen (Sparebank 1), Jean-Paul Koelbl (Swisscard), Elvino Krizmanic (Infobip), Francis Limousy (UL), Felipe Lopez (Tecnocom), Andreas Havsberg (NETS), Pedro Martinez (Gemalto), Neil Michie (Inside Secure), Nisha Patni (HCE Service), Chandra Patni (HCE Service), Ali Raza (UL), Ahmad Saif (Dejamobile), Marijke de Soete (Security4Biz), Coman Shanley (Bank of Ireland)

MOBEY FORUM: Maikki Frisk, Elina Mattila, Shalini Sharma


Methodology

• Research executed by Aite Group in cooperation with the Mobey Forum Expert Group.

• Basis of the research was an online survey.

• The survey was sent to three target audiences: Mobey Forum contacts, Aite Group contacts, and selected merchants.

• Between June and September, we received 76 responses, which is a very good result.


It took us 6 months from start to delivery

[Timeline figure, May to November. Milestones and activities shown: May 17 start of work; first F2F meeting; preparation of online survey; online survey; Expert Group calls; second F2F meeting; presentation of interim survey results; report writing; Expert Group inputs; November 7 presentation of final report.]


Agenda

• Approach and methodology

• Balancing fraud and friction: highlights from the report

• Key take-aways


Who were the respondents?

• 80% of respondents came from FIs and tech vendors. Unfortunately, the response from merchants was very low.

• 69% of FIs had a European focus, while 66% of tech vendor respondents indicated that they work globally. Still, the responses from both groups were very similar.

• About half of the respondents said they work in a product or marketing role.

Q. How would you best describe your company's business? (N=76)
• Technology vendor: 42%
• Bank or financial institution: 38%
• Payment processor: 9%
• Merchant: 2%
• (label missing): 8%

Q. What is the primary geographic market that you, yourself, cover? (N=76)
• Global: 37%
• Europe: 45%
• North America: 12%
• Latin America: 2%
• Asia Pacific…

Q. What is your role in your company? (N=76)
• Product management/development or marketing: 53%
• General management: 13%
• Client-facing: 12%
• Technology: 9%
• Consulting/research: 5%
• Other: 8%


Market trends

Market trend: Potential impact on the market

• Rising CNP fraud: FIs and merchants need to bolster their fraud and authentication controls, or else absorb rising fraud losses.

• Focus on the user experience: FIs and merchants are on a quest to remove unnecessary friction from the user experience, with a priority on m-commerce.

• Increasing complexity of the payment space: FIs and merchants have to manage user experience and fraud prevention for multiple payment methods.

• Changing regulation: New legislation such as PSD2 will set restrictions on the authentication methods that FIs can use.


CNP fraud: Rising around the globe

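U.S. CNP Fraud and Digital Commerce Growth, 2011 to e2020 (US$ Billions)
• 2011: CNP fraud $2.1, digital commerce $198
• 2012: CNP fraud $2.6, digital commerce $227
• 2013: CNP fraud $2.8, digital commerce $263
• 2014: CNP fraud $2.8, digital commerce $304
• 2015: CNP fraud $3.2, digital commerce $350
• 2016: CNP fraud $3.3, digital commerce $404
• e2017: CNP fraud $4.0, digital commerce $473
• e2018: CNP fraud $4.9, digital commerce $562
• e2019: CNP fraud $5.5, digital commerce $664
• e2020: CNP fraud $5.9, digital commerce $770

Source: Aite Group, 2017

Changes in CNP Credit Card Fraud Losses, 2009 to 2015 (in millions of British pounds, AU$, and CA$)
• 2009: Canada $140, U.K. £266, Australia $91
• 2010: Canada $176, U.K. £227, Australia $131
• 2011: Canada $260, U.K. £221, Australia $198
• 2012: Canada $269, U.K. £246, Australia $183
• 2013: Canada $299, U.K. £301, Australia $210
• 2014: Canada $360, U.K. £332, Australia $300
• 2015: Canada $537, U.K. £398, Australia $363

Source: Financial Fraud Action UK, Australian Payments Clearing Association, Canadian Bankers Association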


Balancing fraud prevention against friction…

Almost all respondents recognize the importance of SCA, with nearly half voting for “critical” importance…

Q. How important is SCA to prevent fraud in m-commerce payments? (n=72)
• Critical—the combat against such fraud relies on SCA: 43%
• Very important—it is required for most applications: 21%
• Important, but must work in conjunction with other fraud prevention procedures: 35%
• Not so important—it is only required for specific applications: 1%

… at the same time, reducing friction in the user experience is considered very important by most

Q. How important are the following criteria for merchants when they evaluate their approach to securing payment transactions? (n=69)
Response options: Very important; Somewhat important; Not very important/not at all important
• Minimize the amount of friction introduced in the user experience: 91% very important, 9% somewhat important
• Improve security and customer trust: 68% very important, 30% somewhat important
• Comply with regulatory and/or industry requirements: 67% very important, 30% somewhat important
• Reduce fraud exposure due to the liability shift: 57% very important, 41% somewhat important
• Reduce operational costs: 54% very important, 46% somewhat important


There are many techniques available for fraud detection and customer authentication


The quest: optimizing the balance between risk and friction

[Figure: authentication techniques plotted by level of security (low, medium, high) against user experience (from seamless experience to high friction). Techniques shown: device identity, KBA, fingerprint biometric, SMS OTP, identity data verification, token, 2-D facial recognition, 3-D facial recognition, mobile app push, device malware, identity document verification, eye vein biometric, behavior patterns, behavioral biometrics, username password, iris biometric.]


How to best manage risk?

• Real-time transaction monitoring is indicated as the most important risk management tool for securing m-commerce payments

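Q. How important are the following risk management tools for securing m-commerce payments? (n=66)
Response options: Very important; Somewhat important; Not very important/not at all important
• Real-time transaction monitoring: 82% very important, 17% somewhat important
• Customer risk screening during onboarding: 64% very important, 33% somewhat important
• Multifactor authentication: 62% very important, 38% somewhat important
• Securing/“hardening” the software on the mobile device: 55% very important, 44% somewhat important
• Consumer education: 42% very important, 52% somewhat important, 6% not very important/not at all important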


Effectiveness of risk-based authentication (RBA)

• 31 out of 76 respondents indicate that they have implemented RBA.

• Of those, about 42% stated that RBA was sufficient to approve 70% or more of m-commerce payments without requiring step-up authentication.

Q. As a percentage of total volume, what share of m-commerce payments were approved based on RBA, which does not require step-up authentication with a second factor? (n=31 respondents from companies that implemented risk-based authentication solutions for m-commerce payments)
• Less than 20%: 26%
• 20% to 49%: 22%
• 50% to 69%: 10%
• 70% or more: 42%


If second factor is required, what is the preferred technology?

• Half of respondents vote for biometric verification

Q. When the first factor for SCA is knowledge (e.g., password or PIN), what technology will become the preferred additional authentication factor in the market? (n=66)
• Biometric verification: 50%
• Software token/app running on the mobile device: 20%
• Out-of-band software app running on the mobile device: 6%
• Token integrated in mobile device…
• One-time password: 8%
• Other: 9%


What should the SCA threshold value be?

• More than 70% of respondents believe that the threshold value for SCA set by the regulator (EUR 30) is too low. But opinions vary…

“… the threshold to apply SCA for remote card payments should be zero. If the technology is properly implemented, and the focus is on a streamlined user experience, then the threshold becomes mute.”

(No limit should be set). “It should be up to the industry or the merchants and the banks themselves if they would like to set a limit or not and if so, where the limit should be exactly.”

Q. In your view, what should be the threshold amount to apply SCA to remote card payments (the proposed value by the EU is EUR 30)? (n=70)
• Zero (which means that all payments will require SCA): 1%
• Higher than zero but less than EUR 30: 10%
• The proposed value of EUR 30 is just right: 16%
• Higher than EUR 30 but maximum EUR 100: 51%
• Higher than EUR 100: 9%
• No limit: 6%
• Don’t know/no opinion…


Increasing complexity of the payment space

• Respondents indicate that cards are still the prevalent payment method, but account-based payments are widely used as well. This latter result may have to do with a survey bias toward NW Europe for FIs.

• The majority of FIs and vendors are planning to develop/support new payment models, e.g., PSD2 payment initiation.

Q. Which of the following payment methods does your organization support or accept/develop software for m-commerce at the present time? (n=69)
• Cards (including card-on-file solutions): 81%
• Digital wallets provided by banks and card companies: 64%
• Account-based “pay by app” payments: 59%
• Online e-banking tools: 58%
• The “Pays” (e.g., Apple Pay, Samsung Pay, and Android Pay): 55%
• PayPal (and other third-party wallets): 28%
• Other: 19%

Q. Which of these payment methods is your organization planning to support for m-commerce/will your organization develop software for m-commerce merchants in the next 2 years? (n=69)
• New payment models (e.g., payment initiation services as described in PSD2): 77%
• Cards (including card-on-file solutions): 67%
• Account-based “pay by app” payments (e.g., Venmo, MobilePay, Swish, and Pingit): 61%
• Online e-banking tools (e.g., iDeal, PayDirekt, and MyBank): 57%
• The “Pays” (e.g., Apple Pay, Samsung Pay, and Android Pay): 57%
• Digital wallets provided by banks and card companies (e.g., Visa Checkout and Masterpass): 57%
• PayPal (and other third-party wallets): 30%
• Other: 17%


What will be the impact of open access to the account (as required by PSD2)?

• About half of respondents have concerns about the additional risk due to open access

“… Aggregator style companies lack incentive to secure their infrastructure because they don't currently have liability for losses. They increase the size of the attack surface and provide a path for fraudsters to do things like test credentials, validate presence of accounts in ways that aren't as visible to bank security tools.”

“This is a data security nightmare for the bank. This is assuming the data security standards in place today are effective tomorrow. Fast forward a little bit, one breach tied to a TPP may cause an about face on this policy.”

Q. What will be the impact of open access on the bank's security processes and systems? (n=46)
• Significant positive impact: 18%
• Moderate positive impact: 18%
• No impact: 17%
• Moderate negative impact: 42%
• Significant negative impact: 5%


Key takeaways

• PSPs and merchants are on a quest to balance fraud prevention and friction in the payment experience.

• SCA is the foremost defensive measure that FIs and merchants can implement. SCA could have a negative impact on conversion in the short term for certain merchant segments, but this may be temporary as customers get used to the new procedures.

• Risk-based authentication (RBA) is the most important tool available to enable a smooth payment experience while improving security at the same time.

• The adoption of biometrics as an authentication mechanism will continue to grow, as the technology offers the best of two worlds: better security and improved user convenience.