With 3D Secure on its way out it’s time to reimagine the future of online card payment security. In my 3D Secure is Dead post I described some of the pitfalls of the existing system. This post outlines what the future should look like.
The next card protection service will ideally be secure, seamless and user friendly. It should minimise fraud by taking advantage of new technologies and should incorporate a risk-based authentication model, requesting greater customer verification for riskier transactions.
Transactions could be given a risk score that takes into consideration details such as:
- where is the customer? Are they at home, at work or on the other side of the world?
- what device are they on? Are they on their laptop, mobile phone or an unknown computer?
- who is the merchant? Are they generally trusted? Has this customer used the merchant before?
- how large is the transaction? Is it a trivial or larger amount?
- is this type of transaction risky? Gambling credits may be more fraud prone than linen purchases.
- is it a typical transaction? Is this kind of purchase characteristic of the customer’s usual spending habits?
Authentication Based on Risk Score
Once a risk level is calculated this could be used to determine the requisite authentication. The following examples outline some authentication scenarios, with each level requiring the authentication levels below.
|Almost risk free||Customer is on their mobile at home and buys a small item from a regular merchant||No authentication required. Customer simply enters payment details|
|Low risk||Customer is on their pc at home and buys an item from a new merchant||Customer is asked a verification question|
|Medium risk||Customer is on their laptop 30km from home and is purchasing an item from a new merchant and for a non-trivial amount||Customer is sent an SMS authorisation to enter to complete the transaction|
|High risk||Customer is on an unrecognised computer on the other side of the world, buying expensive goods from a high-risk merchant||Customer provides a fingerprint or iris scan|
The most important factor in a new system is that it be customer focused. Any authentication model should be well thought-out and easy for the customer. It should legitimately protect them. Fraud signifies that the current systems or processes have been breached and are no longer good enough – it is important that the motivation to improve these lies with the banks and merchants who have the power to do so, rather than customers who do not. The upside to making the system easy and legitimately secure is that it will promote relaxed, confident customers happy to spend their money online.