Strong Customer Authentication & Biometrics
- 2. ©2019 Visa. All rights reserved. Visa public2
Today’s discussion:
1. Changing regulatory landscape
(Europe) & the impact on payments
2. Key enablers
3. 3DS 2.0
4. Visa Biometrics
5. Implementation details
- 3.
Changing landscape
Uncharted territory
Open ecosystem
New payments requirements
Ambiguity as we implement
- 4.
New Regulation
European Payment Service Directive 2 (PSD2 - September 2019)
• Strong Customer Authentication (SCA)
Unless the payment qualifies as low risk, customers must authenticate transactions with at least two independent factors: something you know, something you have, something you are
• Largest impact will be on remote electronic payments
SCA must be applied to all electronic payments unless out of scope or exempted. Financial transactions can be classified in two ways:
Cardholder Initiated Transactions (CIT): In-scope
Merchant Initiated Transactions (MIT): Out of scope
Exemptions
1. Contactless payments at point of sale1
2. Unattended transport and parking terminals
3. Recurring transactions
4. Low value transactions
5. Secure corporate payments
6. Transaction risk analysis
7. Trusted beneficiaries
1 Contactless transactions are exempt from SCA unless transactions exceed the count/amount thresholds
Transaction risk analysis: low risk transaction value band and the PSP fraud rate it requires
<€100        13 bps / 0.13%
€100-€250     6 bps / 0.06%
€250-€500     1 bps / 0.01%
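The scoping rules on this slide (MIT out of scope, exemptions, and the transaction risk analysis bands) are easy to get wrong in practice, so here is an added worked example that is not part of the Visa deck. It encodes the three TRA bands exactly as the slide gives them and decides, for a remote card payment, whether SCA is required, whether it is out of scope, or whether an exemption is available to be claimed. The order of checks, the `Transaction` fields, the use of euro cents and the omission of the other exemptions (low value, contactless, recurring and corporate, whose thresholds are not on the slide) are all my own assumptions; an issuer may still step up a transaction even when an exemption is available.

```go
package main

import (
	"errors"
	"fmt"
)

// Transaction holds the minimum a PSP needs to scope a remote electronic
// payment for SCA. Amounts are euro cents to avoid floating-point rounding.
type Transaction struct {
	AmountCents        int64
	MerchantInitiated  bool // MIT: out of scope per the slide
	TrustedBeneficiary bool // payee is on the cardholder's trusted list
}

// Decision is the outcome of the scoping check.
type Decision string

const (
	OutOfScope  Decision = "out of scope (MIT)"
	ExemptTB    Decision = "exemption available (trusted beneficiary)"
	ExemptTRA   Decision = "exemption available (transaction risk analysis)"
	SCARequired Decision = "SCA required"
)

// traBand is one row of the slide's TRA table: the exemption for amounts up
// to MaxCents is only available to a PSP whose fraud rate is at or below
// MaxFraudBps (basis points, 1 bps = 0.01%).
type traBand struct {
	MaxCents    int64
	MaxFraudBps float64
}

// traBands are the three bands from the slide: <€100, €100-€250, €250-€500.
var traBands = []traBand{
	{MaxCents: 10000, MaxFraudBps: 13},
	{MaxCents: 25000, MaxFraudBps: 6},
	{MaxCents: 50000, MaxFraudBps: 1},
}

// TRAAvailable reports whether the TRA exemption can be claimed for amountCents
// by a PSP with the given fraud rate. The first band the amount fits in
// decides; a PSP above that band's rate does not fall back to a lower band,
// and nothing above €500 qualifies.
func TRAAvailable(amountCents int64, pspFraudBps float64) bool {
	for _, b := range traBands {
		if amountCents <= b.MaxCents {
			return pspFraudBps <= b.MaxFraudBps
		}
	}
	return false
}

// Decide scopes a transaction. Out-of-scope is checked before exemptions
// because an MIT needs no exemption at all (assumed ordering).
func Decide(t Transaction, pspFraudBps float64) (Decision, error) {
	if t.AmountCents <= 0 {
		return "", errors.New("amount must be positive")
	}
	if pspFraudBps < 0 {
		return "", errors.New("fraud rate must not be negative")
	}
	if t.MerchantInitiated {
		return OutOfScope, nil
	}
	if t.TrustedBeneficiary {
		return ExemptTB, nil
	}
	if TRAAvailable(t.AmountCents, pspFraudBps) {
		return ExemptTRA, nil
	}
	return SCARequired, nil
}

func main() {
	// Constructed sample: a PSP at 10 bps (0.10%) fraud rate.
	const pspBps = 10
	samples := []Transaction{
		{AmountCents: 5000},                          // €50: within the <€100 band
		{AmountCents: 15000},                         // €150: needs 6 bps, PSP is at 10
		{AmountCents: 30000, MerchantInitiated: true}, // €300 MIT
		{AmountCents: 60000, TrustedBeneficiary: true},
	}
	for _, tx := range samples {
		d, err := Decide(tx, pspBps)
		fmt.Printf("%+v -> %s (err=%v)\n", tx, d, err)
	}
}
```

A PSP's rate is measured across its remote card portfolio, so the same €150 payment is exempt-eligible at one PSP and requires SCA at another; the function takes the rate as an input for that reason.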
- 5.
Products & programs for SCA compliance and optimization
3-D Secure 2.0
• Industry standard for authentication
• 2.0 has an enhanced user experience, expanded device usage, greater data sharing and is regulatory smart
Visa Biometrics
• Consumer-friendly alternative to OTPs
• FIDO implementation provides 2-factor authentication with support for fingerprint, face and voice
- 6.
3-D Secure 2.0 — Who is involved?
Issuer: Identifies which transactions need additional authentication.
Cardholder: Most authentication is invisible to the consumer.
Merchant: Benefits directly from collaborative data exchange.
Data: Expanded data contextualizes the authentication.
- 7.
3-D Secure 2.0 — How it works.
Authentication with 3-D Secure: Authentication verifies the identity of the cardholder. The issuer collaborates with the merchant to authenticate the cardholder’s identity before authorization occurs.
Authorization: Authentication with 3-D Secure 2.0 complements authorization to strengthen issuer confidence in approving the transaction.
- 8.
Why biometrics?
73% of global consumers surveyed would be comfortable using biometrics to make a payment1
1 Research conducted by Visa from Sept-Nov 2017, among over 10,000 consumers who use at least one credit card, debit card, and/or mobile pay.
Map figure, share by country: 73% Singapore, 68% Canada, 70% U.S., 83% Brazil, 75% UAE, 73% Australia, 70% New Zealand, 74% Japan, 78% China, 76% South Africa, 66% France, 65% Ukraine, 73% S. Korea, 63% Russia
- 9.
Visa Biometrics
Streamline SCA by enabling biometrics authentication with 3DS 2.0 & FIDO
This page is intended for illustrative purposes only. It contains depictions of a product currently in the process of deployment, and should be understood as a representation of the
potential features of the fully-deployed product. The final version of this product may not contain all of the features described in this presentation.
Customer journey: Place order → Notification opens issuer app → Authenticate with Biometrics → Merchant Success
- 10.
How it works
Visa Biometrics with 3DS and FIDO
Participants: Customer, Merchant Server, 3DS Program Server, ACS, Issuer Server, Visa Biometric FIDO Server
1. Customer places order (Merchant Server)
2. Request to 3DS Program Server
3. Request to issuer’s ACS
4. Request for issuer to perform consumer authentication (ACS to Issuer Server)
5. Issuer initiates authentication request with Visa (Issuer Server to Visa Biometric FIDO Server)
6. Issuer sends push notification to issuer’s mobile app for customer to authenticate
7. Customer selects push notification and launches mobile app, which requests authentication policy from issuer’s server
8. Issuer requests authentication policy (from Visa Biometric FIDO Server)
9. Issuer sends authentication policy to issuer’s mobile app
10. Customer authenticates with biometrics and result is returned to issuer’s server
11. Issuer’s server completes authentication with Visa
12. Issuer sends authentication result (to ACS)
13. ACS sends response (to 3DS Program Server)
14. 3DS Program returns results (to Merchant Server)
15. Merchant approves/denies transaction
- 11. Source: FIDO Authentication for Mobile Payments – Featuring Biometrics for 3-D Secure 2.0
Why we chose a FIDO implementation
Secure
• Asymmetric key cryptography
• End-to-end design and review with security industry
Compliant
• Aligns with NIST, W3C, and PSD2
• Authenticators have been certified
• Out-of-band on single device
Data & Control
• Metadata from device, authenticator
• Flexible UX above standard API to manage policies
Scale
• Financial ROI of open standard economics
• Mitigate development risk
- 12.
How FIDO helps with SCA compliance
FIDO addresses many items of the European Banking Authority’s Regulatory Technical Standards (RTS), with a few key areas detailed below.
Category: Program
RTS: Security measures shall be documented, tested, evaluated and audited.
FIDO: The FIDO certification program provides for an independent assessment of the security level. The assessment is typically performed by a FIDO accredited laboratory and evaluated by the FIDO technical staff.
Category: Authentication Factors
RTS: Measures shall be adopted to mitigate the risk that authentication factors are uncovered, used or disclosed to unauthorized parties. Devices that read biometric authentication shall have a very low probability of an unauthorized user being authenticated.
FIDO: Once authentication factors are stored by the FIDO authenticator during registration they do not leave the authenticator and cannot be read, copied or transferred. FIDO authenticators that capture, store, read and compare biometric data are subject to a FIDO biometric certification that attests to the quality level of the biometric implementation. Criteria such as FAR, FRR and PAD are tested.
Category: Multipurpose Device
RTS: Security measures including data protection, secured communication and separated environment shall be adopted when using a multi-purpose device (i.e. smartphone or tablet).
FIDO: FIDO authenticators are commonly implemented in multi-purpose devices. The FIDO security standards call for firewalling of the FIDO authenticator from other applications in the device through a separated execution environment and protection of this environment from intrusion or alteration. A TLS protected channel is used for communication between the authenticator and server.
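The two properties the deck leans on, asymmetric key cryptography (slide 11) and factors that never leave the authenticator (the table above), are what make step 10 of the slide 10 flow ("customer authenticates with biometrics and result is returned to issuer’s server") more than a yes/no flag. The added example below, which is not Visa or FIDO Alliance code, models that step as a FIDO-style challenge-response in Go: the issuer server stores only a public key from registration and issues a one-time challenge; the authenticator signs the challenge only after local user verification and returns an assertion; the server checks the challenge was outstanding, the signature counter increased, and the signature verifies under the relying-party id. The local biometric match is simulated by a `userVerified` flag, Ed25519 stands in for whatever algorithm a real authenticator negotiates, and the hashed message layout, the `rpID` string and all type names are my own assumptions, not the FIDO wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the FIDO authenticator inside the customer's
// phone. The private key is generated here at registration and is never
// returned to any caller: the only thing that leaves is a signature.
type Authenticator struct {
	priv    ed25519.PrivateKey
	counter uint32 // signature counter, increases on every assertion
}

// NewAuthenticator performs registration and hands back only the public key.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Assertion is what the authenticator returns to the issuer server.
type Assertion struct {
	Challenge []byte
	Counter   uint32
	Signature []byte
}

// signedData binds the challenge, the relying-party id and the counter into
// one hash (assumed layout) so an assertion cannot be replayed or redirected.
func signedData(rpID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)
}

// Authenticate runs the local check first. userVerified simulates the
// biometric match; if it fails, nothing is signed and nothing leaves.
func (a *Authenticator) Authenticate(rpID string, challenge []byte, userVerified bool) (*Assertion, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed; nothing signed")
	}
	a.counter++
	sig := ed25519.Sign(a.priv, signedData(rpID, challenge, a.counter))
	return &Assertion{Challenge: challenge, Counter: a.counter, Signature: sig}, nil
}

// IssuerServer is the relying party. It holds the public key, the last
// counter seen, and the set of challenges it has issued but not consumed.
type IssuerServer struct {
	rpID        string
	pub         ed25519.PublicKey
	lastCounter uint32
	pending     map[string]bool
}

func NewIssuerServer(rpID string, pub ed25519.PublicKey) *IssuerServer {
	return &IssuerServer{rpID: rpID, pub: pub, pending: map[string]bool{}}
}

// NewChallenge issues 32 random bytes that are valid for exactly one assertion.
func (s *IssuerServer) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

// Verify accepts an assertion only if the challenge is outstanding (and
// consumes it), the counter moved forward, and the signature is valid for
// this relying party's id.
func (s *IssuerServer) Verify(a *Assertion) error {
	if !s.pending[string(a.Challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(a.Challenge))
	if a.Counter <= s.lastCounter {
		return errors.New("signature counter did not increase")
	}
	if !ed25519.Verify(s.pub, signedData(s.rpID, a.Challenge, a.Counter), a.Signature) {
		return errors.New("signature does not verify for this relying party")
	}
	s.lastCounter = a.Counter
	return nil
}

func main() {
	auth, pub, err := NewAuthenticator() // registration
	if err != nil {
		panic(err)
	}
	srv := NewIssuerServer("issuer.example", pub) // hypothetical rpID
	ch, _ := srv.NewChallenge()
	as, _ := auth.Authenticate("issuer.example", ch, true)
	fmt.Println("first assertion:", srv.Verify(as))  // <nil>
	fmt.Println("replayed assertion:", srv.Verify(as)) // rejected
}
```

The server never holds anything that would let it, or anyone who compromises it, produce an assertion; the counter and one-time challenge are what turn the slide's "result is returned to issuer’s server" into evidence the server can check rather than trust.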
- 13.
Key Takeaways
Moving forward together
• PSD2 will challenge the payments industry but it will also bring an opportunity for players & solutions to excel
─ The combination of FIDO, Biometrics & 3DS 2.0 meets the demand of both regulators and consumers
• Issuers & merchants:
─ Understand what the impacts are to your business
─ Plan and prioritize implementation of 3DS 2.0, authorization message enhancements, tokenization, and biometrics
─ Work with service providers on timing for SCA readiness and how to address exemptions
• Service providers:
─ Innovate and continue to work with industry groups (FIDO, EMVCo, etc.) to prepare the next generation of solutions