Mercator is a strong proponent of biometrics and expects version 2 of 3D Secure will see improved adoption by merchants over the initial 3D Secure assuming interchange discounts are offered. It is less clear how these two technologies will co-evolve to become a payment mechanism adopted by issuers, consumers, and merchants.
The original concept for the new version of 3D Secure was that it would collect additional data from the user device and pass that in the auth message to the issuer, thus greatly reducing the need for a user challenge. If a challenge is issued, then the issuing banks authentication method is used which could be a biometric response, but this is not standardized by the EMVCo spec (but is now required by MasterCard by April 2019).
Because there is no standard for authenticating the user, the method used by banks is likely to vary in its implementation, reliability, usability, and level of accuracy. The PSD2 directive specifies SCA must be addressed in 2019, and this leaves very little time to deploy the 3D Secure V2 infrastructure and scale it to support a challenge on every transaction. It also leaves banks very little time to re-think their existing authentication methods.
The blog in Finextra sets up the problem that first version of 3D Secure had problems and then goes on to describe 3D Secure V2:
“The second version of 3D Secure looks to solve both these problems with the implementation of biometric identification (think: fingerprints, iris scanning, and facial recognition).
Most new mobile phones are already equipped with some kind of biometric identification ability so 3D Secure 2.0 can easily be integrated with these capabilities.
Biometric identification through 3D Secure 2 also takes care of several other challenges, all in one solution.
Card providers are making biometric identification mandatory
One of the biggest global card providers, Mastercard, has announced that starting in April 2019, the option of choosing biometric authorisation as a means of verifying identities during online transactions should be made available to all Mastercard users.
This is a huge step forward in the standardisation of biometric check-out technology because it means that all financial institutions offering Mastercard-branded cards must provide the option of biometric verification to their customers.
And seeing as 93% of consumers and 92% of banking professionalschoose biometrics as their validation method of choice, it is certain that the other credit card companies will soon follow Mastercard’s lead.
Payment regulations are strongly in favour of biometrics
The second Payment Services Directive in the EU has placed a big emphasis on Strong Consumer Authentication (SCA), which is specifically aimed at card -not -present online payments where it can be challenging to verify if the purchaser is in fact the authorised cardholder.
SCA-approved authentication systems will utilise three types of independent information to verify a customer’s identity:
- Verification through a piece of information that the buyer knows(e.g. password, PIN)
- Verification through something the buyer possesses (e.g. card, mobile phone, hardware token)
- Verification through something that the buyer is (e.g. fingerprints, facial recognition, iris scanning – i.e. biometrics).
At least two of the three elements must be provided in order to successfully authenticate a transaction.
Due to this new mandate, biometric identification will become a necessary part of most online purchases within the EU.
Although the PSD2 directive came into effect during January 2018, SCA will only come into full effect during 2019 as a mandatory step for online merchants to implement.”
The rest of the blog identifies additional benefits of biometrics, but doesn’t discuss the degree of difficulty associated with implementing all of this in time to meet the regulatory requirements.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the quoted story here
