The Future of Online Card Payments

With 3D Secure on its way out, it’s time to reimagine the future of online card payment security. In my “3D Secure is Dead” post I described some of the pitfalls of the existing system. This post outlines what the future should look like.

The Future

The next card protection service will ideally be secure, seamless and user friendly. It should minimise fraud by taking advantage of new technologies and should incorporate a risk-based authentication model, requesting greater customer verification for riskier transactions.

Determining Risk

Transactions could be given a risk score that takes into consideration details such as:

  • where is the customer? Are they at home, at work or on the other side of the world?
  • what device are they on? Are they on their laptop, mobile phone or an unknown computer?
  • who is the merchant? Are they generally trusted? Has this customer used the merchant before?
  • how large is the transaction? Is it a trivial or larger amount? 
  • is this type of transaction risky? Gambling credits may be more fraud prone than linen purchases.
  • is it a typical transaction? Is this kind of purchase characteristic of the customer’s usual spending habits?

Authentication Based on Risk Score

Once a risk level is calculated, it could be used to determine the requisite authentication. The following examples outline some authentication scenarios, with each level also requiring the authentication of the lower-risk levels.

| Risk level | Scenario | Authentication |
|---|---|---|
| Almost risk free | Customer is on their mobile at home and buys a small item from a regular merchant | No authentication required. Customer simply enters payment details |
| Low risk | Customer is on their PC at home and buys an item from a new merchant | Customer is asked a verification question |
| Medium risk | Customer is on their laptop 30km from home and is purchasing an item from a new merchant and for a non-trivial amount | Customer is sent an SMS authorisation to enter to complete the transaction |
| High risk | Customer is on an unrecognised computer on the other side of the world, buying expensive goods from a high-risk merchant | Customer provides a fingerprint or iris scan |
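
A sketch of how the risk factors and the stepped authentication levels above could fit together, added here as an example and not taken from the original post or any real card scheme. The weights, thresholds, distance bands, amounts and all names are hypothetical, chosen only so that the four scenarios land on their four levels.

```python
from dataclasses import dataclass

# All weights, thresholds and amounts are hypothetical (not from the post).
LEVELS = ["almost risk free", "low", "medium", "high"]
THRESHOLDS = [2, 5, 9]  # minimum score for low, medium, high
# Check introduced at each level; a level also inherits every check below it.
CHECKS = [None, "verification question", "SMS authorisation code",
          "fingerprint or iris scan"]

@dataclass
class Transaction:
    km_from_known_location: float  # 0 when at home or at work
    device_recognised: bool
    merchant_used_before: bool
    high_risk_merchant: bool       # fraud-prone merchant or transaction type
    amount: float
    typical_for_customer: bool

def risk_score(t: Transaction) -> int:
    """Add up one weight per factor listed under 'Determining Risk'."""
    score = 0
    if t.km_from_known_location > 1000:
        score += 4
    elif t.km_from_known_location > 10:
        score += 2
    score += 0 if t.device_recognised else 4
    score += 0 if t.merchant_used_before else 2
    score += 3 if t.high_risk_merchant else 0
    score += 3 if t.amount >= 1000 else 2 if t.amount >= 100 else 0
    score += 0 if t.typical_for_customer else 2
    return score

def risk_level(score: int) -> int:
    """Index into LEVELS: the number of thresholds the score has reached."""
    return sum(score >= limit for limit in THRESHOLDS)

def required_checks(t: Transaction) -> list:
    """Checks for the transaction's level plus those of every lower level."""
    level = risk_level(risk_score(t))
    return [c for c in CHECKS[: level + 1] if c is not None]

# Constructed inputs modelled on the four scenarios described in the post.
SCENARIOS = {
    "almost risk free": Transaction(0, True, True, False, 15, True),
    "low": Transaction(0, True, False, False, 40, True),
    "medium": Transaction(30, True, False, False, 250, True),
    "high": Transaction(15000, False, False, True, 2500, False),
}

if __name__ == "__main__":
    for name, t in SCENARIOS.items():
        print(name, risk_score(t), required_checks(t))
```
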

Conclusions

The most important factor in a new system is that it be customer focused. Any authentication model should be well thought-out and easy for the customer. It should legitimately protect them. Fraud signifies that the current systems or processes have been breached and are no longer good enough – it is important that the motivation to improve these lies with the banks and merchants who have the power to do so, rather than customers who do not. The upside to making the system easy and legitimately secure is that it will promote relaxed, confident customers happy to spend their money online.
