dss - itsec conf - arcot - security for ecommerce - riga nov2011

3D - Secure Best Practice Guide for eCommerce Michael Seifert – Vice President Arcot International Inc. a CA

Upload: andris-soroka

Post on 19-Jan-2015


DESCRIPTION

Presentation from the ITSEC conference organized by "DSS" on 24th of November, Riga, Latvia.

TRANSCRIPT

Page 1: DSS - ITSEC conf - Arcot - Security for eCommerce - Riga Nov2011

3D - Secure Best Practice Guide for eCommerce

Michael Seifert – Vice President Arcot International Inc. a CA

Page 2

3D - Secure – Best Practice Guide in 9 Lessons ... as you all know them already

Lesson 1: Security by zero – Opt Out

Lesson 2: Secure the issuer questions

Lesson 3: Secure the re-registration process

Lesson 4: Check the risk of each transaction

Lesson 5: No longer ‘Static Passwords’

Lesson 6: Be open for new technologies

Lesson 7: Use 3D Secure to increase transactions and profit

Lesson 8: Do not forget Debit Cards

Lesson 9: Don’t waste time – trust the experts

Page 3

eCommerce

The formula of our future success

Page 4

eCommerce – The Formula of our Success

... into a fantastic future

— eCommerce is the ‘most’ rapidly growing market

— A market to which we can deliver our core competence

— A market we all want to participate in

— A market we all want to play a major role in

[Chart: Forecasted growth within 4 years (2014)]

Page 5

eCommerce – The Formula of our Success

Shall we really care?

Revenue increase of 22% year over year

Page 6

eCommerce – The Formula of our Success

Where will it lead us?

Let us be honest – are we well prepared for this market?

− Although Credit Cards are an excellent eCommerce payment tool

• Extremely well known

• Excellent market penetration (nearly everybody has a credit card today)

− Did you recently compare Credit Card transaction growth with the growth of the PayPals of this world?

• Do we understand why payment tools like PayPal even exist?

• Did we still manage to achieve the same growth?

• Will we stay passive until this changes?

Page 7

eCommerce – The Formula of our Success

Security is the Key

Merchants and Users know about the risks of Credit Card payment!

− Credit Cards are potentially insecure – your Credit Card data is most likely already known to the attacker community!

− Without 3D-Secure the whole risk of a transaction is on the Merchant side.

− With 3D-Secure the risk is shared between user and Merchant due to the ‘reversal of evidence’ (liability shift).

− Therefore you can find thousands of legal recommendations telling the Merchant to install and prefer payment possibilities other than Credit Cards

− And Merchants today can easily find other payment possibilities offered by PayPal and others without Credit Card interaction.

− And users hear more and more about the ‘reversal of evidence’ and avoid paying with their Credit Card – and therefore look for alternative payment options.

− But is it only security that makes users join PayPal? eCommerce users living in a world of Facebook, Google+, ... are looking for additional support during their ‘daily’ shopping tour – support that PayPal and others are happily offering.

Page 8

eCommerce – The Formula of our Success

Don‘t stay behind

— The first Issuers, Acquirers and Banks have identified that risk already.

— They identified the fact that only an increase in the security of credit card transactions will stop this process.

— A security increase in a convenient and user-friendly way.

— The technical features to achieve this have all been available for many, many years and we all know them

Page 9

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 1

Lesson 1: Security by 0 – Opt Out

Page 10

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 2

Lesson 2: Secure the issuer questions

Page 11

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 2

Lesson 2: Secure the issuer questions

− For many years Issuers have not relied only on 3D Secure to protect themselves

− RiskFort allows them to assess the risk of each single transaction

Page 12

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 2

Lesson 2: Secure the issuer and the acquirer questions

− But we should stop transaction fraud where it happens and not wait until the transaction is nearly completely processed.

− We should stop fraudulent transactions already at the acquirer and thereby protect the acquirer and the merchant.

Page 13

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 2

Lesson 2: Secure the acquirer questions

− RiskFort for Acquirers allows a very easy and secure way to protect the Acquirer and the Merchant.

− RiskFort for Acquirers is based on proven technology for Issuers.

− RiskFort for Acquirers allows adding special Rules and Data for Acquirers.

RiskFort Data is classed into several groupings:

− User Data – Supplies information about the user and the account.

− Device Data – Supplies information about the device used to originate the transaction.

− General Transaction – Common elements of every transaction, such as the channel and action.

− Location Data – These elements are derived from a maintained database of IP geo-location.

− Additional Data – Additional parameters that pertain to the specific transaction type or action and could be: transaction amount, transaction date / time, merchant name, destination account, destination country, currency, client information, merchant location, merchant MCC code, billing address, shipping address, and more ...

Page 14

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 2

— Layered security enhances fraud protection

— Detects and blocks fraud with real-time risk analysis and scoring

— Dynamically protects from risky transactions

— Works for Payments in eCommerce transactions without 3D-Secure involvement

[Diagram: Risk Assessment. Inputs: User ID, Device ID, Location ID, Business Rules, Risk Model / Historical Data, Additional Data (e.g. Transaction Data), Policies, Profile / Preferences, Analytics / Case Management, Truth Data. Output: Degree of Risk (Score). Resulting actions: Approve, Decline, Alert CSR, Additional Q&A, 2nd Channel.]

Lesson 2: Secure the acquirer questions
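The data groupings and the risk-assessment flow of Lesson 2, sketched as a small rule-based scorer. This is an added example, not RiskFort code: the rules, weights, thresholds, the user profile and the three sample transactions are constructed, and the mapping of scores to the slide's outcomes (Approve, Additional Q&A, 2nd Channel, Alert CSR, Decline) is an assumed policy.

```python
from dataclasses import dataclass

@dataclass
class Transaction:
    # One eCommerce payment, with the slide's data groupings as constructed fields
    user_id: str            # User Data
    device_id: str          # Device Data
    ip_country: str         # Location Data (IP geo-location)
    amount: float           # Additional Data: amount, MCC, billing/shipping address
    merchant_mcc: str
    billing_country: str
    shipping_country: str

# Constructed profile / historical data: known devices and average spend per user
PROFILES = {"u1": {"devices": {"d-known"}, "avg_amount": 60.0}}

# Business rules as (name, predicate, weight); the weights are a constructed policy
RULES = [
    ("unknown device", lambda t, p: t.device_id not in p["devices"], 30),
    ("IP country != billing country", lambda t, p: t.ip_country != t.billing_country, 25),
    ("shipping country != billing country", lambda t, p: t.shipping_country != t.billing_country, 20),
    ("amount > 5x user average", lambda t, p: t.amount > 5 * p["avg_amount"], 25),
    ("high-risk MCC (quasi-cash, gambling)", lambda t, p: t.merchant_mcc in {"6051", "7995"}, 15),
]

# Score thresholds mapped to the slide's outcomes (constructed policy, ascending)
OUTCOMES = [(20, "Approve"), (45, "Additional Q&A"), (70, "2nd Channel"), (90, "Alert CSR")]

def score(t, profiles=PROFILES):
    """Degree of Risk (Score): sum of fired rule weights, capped at 100."""
    p = profiles.get(t.user_id, {"devices": set(), "avg_amount": 0.0})  # no history
    fired = [name for name, pred, _ in RULES if pred(t, p)]
    return min(sum(w for name, _, w in RULES if name in fired), 100), fired

def decide(s):
    """Below each threshold the cheaper action applies; at 90 or more decline."""
    for limit, action in OUTCOMES:
        if s < limit:
            return action
    return "Decline"

def assess(t):
    s, fired = score(t)          # returns (action, score, fired rule names)
    return decide(s), s, fired

# Constructed sample transactions: known device at home vs. new device abroad
LOW = Transaction("u1", "d-known", "LV", 45.0, "5411", "LV", "LV")
MED = Transaction("u1", "d-new", "DE", 80.0, "5411", "LV", "LV")
HIGH = Transaction("u1", "d-new", "NG", 900.0, "6051", "LV", "NG")
```

The "2nd Channel" and "Additional Q&A" outcomes are where the step-up methods of Lesson 5 (OTP on the mobile device) and Lesson 2 (issuer questions) plug in; Decline and Alert CSR feed case management.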

Page 15

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 3

Lesson 3: Secure the (re)registration process

Page 16

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 4

Lesson 4: Check the Risk of each Transaction

... and protect the Merchant

Page 17

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 4

Page 18

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 5

Lesson 5: No longer ‘Static Passwords’

— ArcotOTP Dynamic Password Generator

− Mobile Device as OTP generator

— OTP can be of different types

− HOTP – seed value based

− TOTP – time based

− EMV – EMV key based

— OTP can include transaction elements

Therefore it is now very time critical to convince our Credit Card users with sophisticated but convenient strong security methods that their transactions and their money are protected!
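The OTP types of Lesson 5 worked in code. This is an added example, not ArcotOTP: HOTP and TOTP follow RFC 4226 and RFC 6238 (the seed is the RFCs' published test key, not a real one), while the transaction-bound variant is a constructed illustration of "OTP can include transaction elements", not a standard scheme; the EMV-key-based type is not shown.

```python
import hmac, hashlib, struct, time

SEED = b"12345678901234567890"   # RFC 4226/6238 test key (constructed, not a real seed)

def _truncate(mac, digits):
    """Dynamic truncation (RFC 4226 section 5.3): 31-bit word at a MAC-derived offset."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hotp(seed, counter, digits=6):
    """HOTP (seed value based): HMAC-SHA1 over the 8-byte big-endian event counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)

def totp(seed, now=None, step=30, digits=6):
    """TOTP (time based): HOTP with counter = floor(unix_time / step)."""
    now = int(time.time()) if now is None else now
    return hotp(seed, now // step, digits)

def transaction_otp(seed, counter, amount, currency, merchant, digits=6):
    """Constructed transaction-bound OTP (illustrative; not RFC 6287/OCRA and not
    Arcot's scheme): the MAC also covers the transaction elements, so a code
    generated for one payment does not verify against a different amount or payee."""
    msg = struct.pack(">Q", counter) + "|".join((amount, currency, merchant)).encode()
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    return _truncate(mac, digits)

def verify_transaction_otp(seed, counter, amount, currency, merchant, code, window=3):
    """Server side: accept a small look-ahead window of counters; return the next
    expected counter on success (None on failure) so a used code cannot be replayed."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(transaction_otp(seed, c, amount, currency, merchant), code):
            return c + 1
    return None
```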

Page 19

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 6

Lesson 6: Be open for new technologies

... and features

especially when they increase user convenience and security

Protecting the Digital Wallet and NFC Payments

Dynamic Debit® Enables PIN-Based Ecommerce Payments

Protecting and Enabling ATM Transactions

“Card-less” ATM Transactions

Secure Online Banking with One Time Password

Page 20

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 6

Lesson 6: Be open for new technologies

... and features

especially when talking about such easy-peasy handling as shown below:

Page 21

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 7

Lesson 7: Use 3D Secure to increase transactions and profit

[Diagram: 3-D Secure flow between Consumer, Online Merchant, Processor and Card Issuer. Normal Merchant Pages: the consumer completes the order screen, enters card number, expiration date and CVV and submits the order to the merchant. 3-D Secure Protocol / Authentication Protocol: Authentication Request and Authentication Response are exchanged with the Card Issuer, with an Authentication Dialog shown to the consumer. The consumer gets a redirect screen, which can contain offers targeted to their buying patterns.]

3-D Secure and One-to-One Marketing

Page 22

3-D Secure and One-to-One Marketing – Lesson 7

3. The 3-D Secure redirect screen can also be used for marketing and cross-sell—or to enable payments with rewards points

[Screenshot: issuer redirect screen. “Safe. Secure. An extra layer of protection for your card when you shop online.” Secure form ..... “Click here to use your Rewards Points to pay for this purchase – Your Rewards Balance is 13,456 Points” CLOSE]

Page 23

3-D Secure and One-to-One Marketing – Lesson 7

The same 3-D Secure technology can be utilized to leverage information on purchases from both the and create targeted offers based on purchase patterns, even if the customer is not enrolled in a 3-D Secure program

[Screenshot: offer screen. “Experience Rewards. Extra savings when you shop online.” Secure form ..... “Home Equity Lines at Preferred Customer Rates – CLICK HERE to learn how you can start saving now!” CLOSE]

1. Customer places order in normal manner, using card for payment, and receives “order complete” screen.

2. Based on purchase history and current purchase merchant type, customer receives a customized offer via an offer screen that can be accessed immediately with one click

3. Customer can choose the offer and go directly to the offer site with the discount code applied, or can decline the offer and close the offer window

Page 24

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 8

Lesson 8: Do not forget Debit Cards

• Must be authenticated

• Mandate by 11th of April 2011

• PAN number needs to be shown on cards

Page 25

3D - Secure – Best Practice Guide in 9 Lessons – Lesson 9

Lesson 9:

Don’t waste time and trust the experts to ensure that you don’t stay behind – but be part of the success story ... eCommerce

Page 26

Questions?

Page 27

Thank You!