dss - itsec conf - arcot - security for ecommerce - riga nov2011
DESCRIPTION
Presentation from the "DSS" organized ITSEC conference on 24th of November, Riga, Latvia.
TRANSCRIPT
3D - Secure Best Practice Guide for eCommerce
Michael Seifert – Vice President Arcot International Inc. a CA
3D - Secure – Best Practice Guide in 9 Lessons ... as you all know them already
Lesson 1: Security by zero – Opt Out
Lesson 2: Secure the issuer questions
Lesson 3: Secure the re-registration process
Lesson 4: Check the risk of each transaction
Lesson 5: No longer ‘Static Passwords‘
Lesson 6: Be open for new technologies
Lesson 7: Use 3D Secure to increase transactions and profit
Lesson 8: Do not forget Debit Cards
Lesson 9: Don‘t waste time – trust the experts
eCommerce
The formula of our future success
eCommerce – The Formula of our Success
... into a fantastic future
— eCommerce is the ‘most’ rapidly growing market
— A market in which we can deliver our core competence
— A market we all want to participate in
— A market we all want to play a major role in
Chart: forecasted growth within 4 years (2014)
eCommerce – The Formula of our Success
Shall we really care?
Revenue increase of 22% year over year
eCommerce – The Formula of our Success
Where will it lead us?
Let us be honest – are we well prepared for this market?
− Although Credit Cards are an excellent eCommerce payment tool
• Extremely well known
• Excellent market penetration (nearly everybody has a credit card today)
− Did you recently compare Credit Card transaction growth with the growth of the PayPals of this world?
• Do we understand why payment tools like PayPal even exist?
• Did we still manage to achieve the same growth?
• Will we stay passive until this changes?
eCommerce – The Formula of our Success
Security is the Key
Merchants and Users know about the risks of Credit Card payment!
− Credit Cards are potentially insecure – even your Credit Card data is most likely already known to the attacker community!
− Without 3D-Secure the whole risk of a transaction is on the Merchant side.
− With 3D-Secure the risk is shared between user and Merchant due to the ‘reversal of evidence’ (liability shift).
− Therefore you can find thousands of legal recommendations telling the Merchant to install and prefer payment possibilities other than payment with Credit Cards.
− And Merchants today can easily find other payment possibilities offered by PayPal and others without any Credit Card interaction.
− And users hear more and more about the ‘reversal of evidence’ and avoid paying with their Credit Card – and therefore look for alternative payment options.
− But is it only security that makes users join PayPal? eCommerce users living in a world of Facebook, Google+, ... are looking for additional support during their ‘daily’ shopping tour – a support that PayPal and others are happily offering.
eCommerce – The Formula of our Success
Don‘t stay behind
— The first Issuers, Acquirers and Banks have already identified that risk.
— They identified the fact that only an increase in the security of credit card transactions will stop this process.
— A security increase in a convenient and user friendly way.
— The technical features to achieve this have all been available for many years and we all know them
3D - Secure – Best Practice Guide in 9 Lessons Lesson 1
Lesson 1: Security by 0 – Opt Out
3D - Secure – Best Practice Guide in 9 Lessons Lesson 2
Lesson 2: Secure the issuer questions
3D - Secure – Best Practice Guide in 9 Lessons Lesson 2
Lesson 2: Secure the issuer questions
− For many years Issuers have not relied on 3D Secure alone to protect themselves
− RiskFort allows them to assess the risk of each single transaction
3D - Secure – Best Practice Guide in 9 Lessons Lesson 2
Lesson 2: Secure the issuer and the acquirer questions
− But we should stop transaction fraud where it happens and not wait until we have nearly completely processed the transaction.
− We should stop fraudulent transactions already at the acquirer and thereby protect the acquirer and the merchant.
3D - Secure – Best Practice Guide in 9 Lessons Lesson 2
Lesson 2: Secure the acquirer questions
− RiskFort for Acquirers offers a very easy and secure way to protect the Acquirer and the Merchant.
− RiskFort for Acquirers is based on proven technology for Issuers.
− RiskFort for Acquirers allows adding special Rules and Data for Acquirers.
RiskFort Data is classed into several groupings:
User Data – Supplies information about the user and the account.
Device Data – Supplies information about the device used to originate the transaction.
General Transaction – Common elements of every transaction, such as the channel and action.
Location Data – These elements are derived from a maintained database of IP geo-location.
Additional Data – Additional parameters that pertain to the specific transaction type or action, such as: transaction amount, transaction date / time, merchant name, destination account, destination country, currency, client information, merchant location, merchant MCC code, billing address, shipping address, and more ...
3D - Secure – Best Practice Guide in 9 Lessons Lesson 2
— Layered security enhances fraud protection
— Detects and blocks fraud with real-time risk analysis and scoring
— Dynamically protects from risky transactions
— Works for Payments in eCommerce transactions without 3D-Secure involvement
Diagram: Risk Assessment flow. Inputs: User ID, Device ID, Location ID, Additional Data (e.g. Transaction Data). Evaluated against Business Rules, Risk Model / Historical Data, Policies and Profile/Preferences to produce a Degree of Risk (Score). Outcomes: Approve, Decline, Alert CSR, Additional Q&A, 2nd Channel. Supporting functions: Analytics, Case Management, Truth Data.
Lesson 2: Secure the acquirer questions
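The layered scoring flow on this slide, as an added example that is not RiskFort's code: constructed user, device, location and transaction data are scored by business rules and mapped by policy thresholds to Approve, a step-up (Additional Q&A) or Decline. Field names, rule weights, the MCC watch list and the thresholds are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the Profile/Preferences and Historical Data
# inputs of the risk assessment. Hypothetical fields, not RiskFort's schema.
@dataclass
class UserProfile:
    home_country: str
    known_devices: set = field(default_factory=set)
    avg_amount: float = 0.0   # historical average per transaction

@dataclass
class Transaction:
    user_id: str
    device_id: str        # Device Data
    country: str          # Location Data (from IP geo-location)
    amount: float         # Additional Data
    merchant_mcc: str     # Additional Data

# Business rules: each inspects one data grouping and adds to the score.
def rule_unknown_device(tx, prof):
    return 30 if tx.device_id not in prof.known_devices else 0

def rule_foreign_location(tx, prof):
    return 25 if tx.country != prof.home_country else 0

def rule_amount_spike(tx, prof):
    return 20 if prof.avg_amount and tx.amount > 5 * prof.avg_amount else 0

def rule_high_risk_mcc(tx, prof):
    # Constructed watch list; a real deployment tunes it from truth data.
    return 15 if tx.merchant_mcc in {"7995", "6051"} else 0

RULES = [rule_unknown_device, rule_foreign_location,
         rule_amount_spike, rule_high_risk_mcc]

# Policies: thresholds map the Degree of Risk to an outcome. The middle band
# is the step-up path (Additional Q&A over a 2nd channel), so friction is
# only added to risky transactions instead of declining them outright.
def assess(tx, prof):
    score = sum(rule(tx, prof) for rule in RULES)
    if score >= 60:
        return score, "Decline"
    if score >= 30:
        return score, "Additional Q&A"
    return score, "Approve"

# Constructed sample: a cardholder from Latvia with one known device.
PROFILE = UserProfile("LV", {"dev-home-pc"}, 40.0)

def sample_results():
    usual = Transaction("u1", "dev-home-pc", "LV", 35.0, "5411")
    new_device = Transaction("u1", "dev-unknown", "LV", 35.0, "5411")
    suspicious = Transaction("u1", "dev-unknown", "BR", 900.0, "7995")
    return [assess(t, PROFILE) for t in (usual, new_device, suspicious)]
```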
3D - Secure – Best Practice Guide in 9 Lessons Lesson 3
Lesson 3: Secure the (re)registration process
3D - Secure – Best Practice Guide in 9 Lessons Lesson 4
Lesson 4: Check the Risk of each Transaction
... and protect the Merchant
3D - Secure – Best Practice Guide in 9 Lessons Lesson 4
3D - Secure – Best Practice Guide in 9 Lessons Lesson 5
Lesson 5: No longer ‘Static Passwords’
— ArcotOTP Dynamic Password Generator
− Mobile Device as OTP generator
— OTP can be of different types
− HOTP – seed value based
− TOTP – time based
− EMV – EMV key based
— OTP can include transaction element
Therefore it is now very time critical to convince our Credit Card users, with sophisticated but convenient strong security methods, that their transactions and their money are protected!
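As an added illustration (not ArcotOTP's or the deck's own code) of the three things Lesson 5 lists: a seed-based HOTP, a time-based TOTP, and an OTP that includes a transaction element, plus the issuer-side verification window that rejects a replayed code. The transaction-binding scheme and all function names are assumptions of this example; the HOTP/TOTP parts follow RFC 4226 / RFC 6238.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits)

def transaction_otp(secret: bytes, counter: int, amount: str,
                    merchant: str, digits: int = 6) -> str:
    """OTP bound to transaction elements (illustrative scheme, an assumption):
    derive a per-transaction key from the seed plus amount and merchant, so a
    code issued for one payment does not verify for a different one."""
    tx_key = hmac.new(secret, f"{amount}|{merchant}".encode(), hashlib.sha256).digest()
    return hotp(tx_key, counter, digits)

def verify_hotp(secret: bytes, code: str, last_counter: int, window: int = 5):
    """Issuer-side check: accept only counters after the last used one (a replayed
    code is rejected) within a look-ahead window for skipped codes.
    Returns the accepted counter, or None."""
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None
```

The RFC 4226 test seed `12345678901234567890` yields 755224 for counter 0 and 287082 for counter 1, which is also the 6-digit TOTP at Unix time 59.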
3D - Secure – Best Practice Guide in 9 Lessons Lesson 6
Lesson 6: Be open for new technologies
... and features
especially when they increase user convenience and security
Protecting the Digital Wallet and NFC Payments
Dynamic Debit® Enables PIN-Based Ecommerce Payments
Protecting and Enabling ATM Transactions
“Card-less” ATM Transactions
Secure Online Banking with One Time Password
3D - Secure – Best Practice Guide in 9 Lessons Lesson 6
Lesson 6: Be open for new technologies
... and features
especially when talking about such easy-peasy handling as shown below:
3D - Secure – Best Practice Guide in 9 Lessons Lesson 7
Lesson 7: Use 3D Secure to increase transactions and profit
Diagram: 3-D Secure and One-to-One Marketing. Normal Merchant Pages: the Consumer completes the order screen, enters card number, expiration date and CVV and submits the order to the Online Merchant. 3-D Secure Protocol: Authentication Request / Authentication Response between Online Merchant, Processor and Card Issuer. Authentication Protocol: Authentication Dialog with the Card Issuer; the Consumer gets a redirect screen, which can contain offers targeted to their buying patterns.
3-D Secure and One-to-One Marketing Lesson 7
1. Customer places order in normal manner, using card for payment, and receives “order complete” screen.
3. The 3-D Secure redirect screen can also be used for marketing and cross-sell—or to enable payments with rewards points
Screen mock-up: “Safe. Secure. An extra layer of protection for your card when you shop online.” – Secure form – “Click here to use your Rewards Points to pay for this purchase. Your Rewards Balance is 13,456 Points” – CLOSE
3-D Secure and One-to-One Marketing Lesson 7
The same 3-D Secure technology can be utilized to leverage information on purchases from both the and create targeted offers based on purchase patterns, even if the customer is not enrolled in a 3-D Secure program
Screen mock-up: “Experience Rewards. Extra savings when you shop online.” – Secure form – “Home Equity Lines at Preferred Customer Rates. CLICK HERE to learn how you can start saving now!” – CLOSE
2. Based on purchase history and current purchase merchant type, customer receives a customized offer via an offer screen that can be accessed immediately with one click
3. Customer can choose the offer and go directly to the offer site with the discount code applied, or can decline the offer and close the offer window
3D - Secure – Best Practice Guide in 9 Lessons Lesson 8
Lesson 8: Do not forget Debit Cards
• Must be authenticated
• Mandate by 11th of April 2011
• PAN number needs to be shown on cards
3D - Secure – Best Practice Guide in 9 Lessons Lesson 9
Lesson 9:
Don‘t waste time and trust the experts to ensure
that you don‘t stay behind – but be part of the success story ...
eCommerce
Questions?
Thank You!