We live in digital times. Customers are increasingly shopping online and on mobile devices. In fact, the number of Europeans regularly using a mobile device — smartphone, tablet or wearable — to make payments has tripled in the last year, according to Visa’s digital payments study. And now e-commerce authentication is getting a major makeover. We asked Caroline Birchinall, Head of Verified by Visa at Visa, for more details.
What is driving the evolution of authentication?
Simply put: changing customer expectations, technology and regulation are changing commerce and driving the evolution of authentication. Consumers expect to speed through the check-out. At the same time, they are concerned about data breaches, security and the proliferation of passwords.
New technologies, such as biometrics, device ID and data and behavioural analytics, are emerging. The future of both commerce and authentication will be shaped by various technologies — alongside various devices.
Then there is regulation. The requirements for strong customer authentication under the revised payment services directive (PSD2) in Europe and the new data protection rules under the general data protection regulation (GDPR) are changing the authentication landscape.
Our goal is to put Visa and its clients in a position to be as successful in the digital world as we have been in the physical world. Payment system security and authentication are central to this.
EMVCo announced last year that it is advancing the 3D Secure specification. What exactly is happening around this, and how is Visa involved?
Visa created the 3DS messaging protocol in 1999. This was to give consumers a way to directly authenticate their card with their issuer when shopping online. The additional layer of security helps prevent unauthorised use of cards and protects e-commerce merchants from exposure to certain types of disputed transactions.
Visa had previously licensed the 3DS 1.0 protocol to other payment brands. Collectively we wanted to upgrade the specification to be more in line with online shopping trends and risk-based authentication. EMVCo published 3DS 2.0 in October last year and Visa is very supportive of the effort.
The new standard is global and supported by all brands. This enables merchants to have a single integration to accept any payment brand.
How will the new version of the specification (3DS 2.0) differ from version 1.0?
There are two main differences between version 1.0 and version 2.0. Firstly, the new specification is optimised for any type of device, as well as for in-app payment. Secondly, it will be possible for merchants to pass more information to card issuers for more intelligent risk scoring. These both go to improving the online check-out experience for consumers and merchants.
When we created the first version of 3DS, personal computers were the only channel available for consumers and merchants to trade online. Consequently, 3DS 1.0 was specifically designed for browser-based authentication. Fast-forward 15-plus years and there are around 4.8 billion unique mobile subscribers worldwide, according to 2016 figures from the GSMA. When the smartphone is the device of choice for accessing the internet — and is the only means a consumer has of getting online in some countries — this cannot but change the way consumers, businesses and governments interact and transact online.
3DS 2.0 addresses the need for an omni-channel experience. It optimises the consumer experience on mobile, PC and even digital television. Version 2.0 will be completely agnostic as to the device, as well as enabling merchants to use VbV in-app. EMVCo has released an SDK in addition to the specification. This allows merchants to embed 3DS within apps to drive the in-app payment experience.
The merchant and issuer exchanged around eight pieces of information as part of a 3DS 1.0 authentication. That is because Big Data was not really underway when the first version of the protocol was released. With version 2.0, the merchant can pass up to ten times more information to allow the issuer to better assess the risk of each transaction, for example device type, transaction type, amount and shipping address. If the risk is low, we are promoting risk-based authentication. Naturally the protocol enables the issuer to ask for authentication in the case of higher risk transactions. This can be via SMS or online banking.
These are the major shifts: addressing the omni-channel experience, and combatting fraud with a data-driven risk-based approach.
You mentioned SMS and online banking. Can the different authentication methods include biometrics or ‘behaviometrics’ on the device?
Absolutely. The new protocol is extremely flexible and enables issuers who want to step up their authentication to use different methods. If the issuer has an SDK or mobile app, which is able to collect Apple TouchID or facial recognition, the protocol will support this. That’s the benefit of the new protocol: it enables innovation now and in the future.
What will be the impact on Visa stakeholders of 3DS 2.0 and VbV 2.0?
3DS 2.0 will create the new interfaces and messages exchanged between the parties, but Visa will still have its VbV programme and that won’t change.
VbV is the Visa brand for the 3DS specification. It’s a programme with business rules, liabilities, branding and communication, which sits on top of the technical standard.
There are a number of resources available for those looking to upgrade to 3DS 2.0 and VbV 2.0.
EMVCo has already published version 2.0 of the 3DS specification and a supporting SDK, both of which are available from the EMVCo website.
Visa will be publishing VbV 2.0 implementation materials and guidelines very soon. We are actively encouraging issuers and merchants to adopt version 2.0 from 2018. So, we are advising everyone — issuers, acquirers, merchants and vendors — to ensure that the upgrade to 2.0 is in their technology roadmap and to start their implementation planning now.
A new, improved way to pay securely online and on mobile is coming soon to a device near you.