Re-using Existing Global Financial Networks to authenticate Card Not Present (CNP) Payments

Transcription

1 Re-using Existing Global Financial Networks to authenticate Card Not Present (CNP) Payments isignthis Ltd every card, any IP device, anywhere EurIng John Karantzis B.E. LL.M Contact : john.karantzis@isignthis.com Australian Patents AU A4 & AU US Patent Application 13/576,477 International Patent Application No : PCT/AU2011/ International Patent Applications Pending /Granted in Europe, Africa, Asia, Oceania, North and South America

2 Overview What is Authentication Regulation (Global, SEPA : PSD+ ECB) : Authentication Possible Solutions Open Acceptance Models v Card Scheme Specific Re-using existing network to authenticate payments Other Applications Terminology : In-Band - is the sending of control information within the core message. Ie a message within a message. Out of Band (OOB) the use of an independent means to transfer control information. Eg SMS is independent to . PAN is the primary or personal account number, usually 16 digits for a credit card. 2

3 About isignthis Ltd isignthis Ltd is a Melbourne, Australia, headquartered company. We provide authentication solutions in response to ongoing market & regulatory requirements. Introduction We manage CNP/online risk by authenticating transactions. We provide EU27/SEPA ECB/PSD mandatory compliance solutions for payment service providers/acquirers/ewallets (PSP s). Patents in process/granted in Europe, Americas, Asia, Africa & Oceania. isignthis Ltd : Identity Authentication 3

4 What is Authentication? Background Authentication is a means of verifying a persons identity. Financial Authentication relies upon verified KYC credentials from trusted sources (eg Issuer). Risk Based Assessment (RBA) is NOT authentication. RBA includes AI/predictive/Rules Based/ Neural Nets/Adaptive/Fuzzy logic systems etc 4

5 Plugging the RBA Gaps via Authentication Background ~Low Risk Transactions, 85% processed & passed through In markets where authentication not mandated, use authentication for revenue assurance and minimise revenue leakage, in conjunction with RBA. Also solves the foregone revenue challenge. In the SEPA > what will PSP s risk appetite be? What % will be authenticated? 5

6 European PSP s The mandatory compliance Issue Compliance Euro Central Bank (ECB) has mandated on the 31/1/13 that strong authentication (two factor) required for all online transactions from Feb 2015, for SEPA zone. PSD Articles impose strict liability and responsibility on acquiring PSP s and ewallets for fraud, unless strong authentication is in use. Liability shift from PSP* to issuer upon use of strong authentication. PSP is most often not the issuer or acquirer for any given transaction (even if an issuer/acquirer associated with card schemes/association(s) themselves). isignthis Ltd : Identity Authentication 6

7 EU27/SEPA Payment Services Directive (PSD) & ECB 31 st Jan 2013 Regulations: The 2015 Challenge Compliance All acquiring PSP s / ewallets to authenticate transactions using the issuer s cardholder credentials. How are PSP s to do this if there is no relationship between PSP/acquirer/eWallet and the issuer? What incentive/penalty does issuer have to comply? How to use existing networks to provide the causal link without new dedicated networks and complex technical interfaces to issuer? How to reduce PSP risk whilst promoting multi card scheme acceptance? isignthis Ltd : Identity Authentication 7

8 Solution Overview Uses Issuer Cardholder KYC Credentials for Authentication (Euro Central Bank Compliant) Value Proposition High Rollout Cost / Complexity Issuer Authentication Quadrant Acquirer Authentication Quadrant On the fly Enrolment / 100% reach of cards Issuer or Continuous Notification (Black List) Quadrant Risk Based Assessment (RBA) Quadrant Low Rollout Cost / Complexity isignthis Ltd : Identity Authentication Use Data Profiling for Risk Based Assessment (Not Euro Central Bank Compliant) 8

9 Build or re-use? The Solutions to ECB Requirements Solutions Issuer s develop a networked, dedicated, independent database of cardholder KYC credentials per PAN and confirm during registration. >>>> 3D Secure. (issuing side authentication) Acquirer s/ewallets re-use existing Issuer online/phone banking and Issuer KYC credentials to register PAN/authenticate. >>>> isignthis. (acquiring side authentication) isignthis Ltd : identity Authentication 9

10 Open up Acceptance with Universal Authentication Solutions isignthis Ltd : Identity Authentication 10

11 In-Band OTP Generation (Patented) Say, agreed transaction sum : 100 > A isignthis : 1 st Split : (random) > B 2 nd Split $29.30 (balancing) > C A=B+C (always) and (B/A)% + (C/A)% = (A/A)= 100% (works for forex) B+C are processed as two normal charges via existing financial networks in real time. B and C are unique to any Trx, forming OTP s. Only cardholder can pass issuer security to retrieve Generate in Band OTP isignthis Ltd : Identity Authentication 11

12 Re-Using Existing Networks 12 isignthis Ltd : Identity Authentication 12 3/22/2013

13 >Could Classify Transactions with Risk Based Assessment >Low frequency requirement. >Initial enrolment, and validate every 6 months. OR/ >If risk profile changes OOB Retrieval of OTP isignthis Ltd : Identity Authentication 13

14 isignthis Card Enrolment/Primary Authentication/Mobile Link Infrequent. Low friction. Post sale. Enrolment of Card PAN without intrusive signup or PII being requested OOB Response isignthis Ltd : Identity Authentication 14

15 Secondary Authentication Process (post PAN enrolment + Mobile linked) Independent Secondary OOB 15

16 Feb 2015: PSD Compliance Comparison >Card scheme agnostic/independent >IP Device Agnostic (any internet device) >Single Integration for all schemes >Global Reach >No issuer involvement 16 >Card Scheme centric/dependent >Often Separate card scheme by card scheme integration. >Limited reach based on pre-enrolment >Major involvement by issuer

17 ewallet operators want the broadest sources of funding Application Authenticate incoming funds to create a trusted micropayment source promote ewallet top up, similar to real wallet use Encourages frictionless outbound micropayments larger or riskier outgoing transactions can still be authenticated case by case using OTP via SMS. 17

18 Other Applications Once strong authentication (with verified KYC) is available, there are new opportunities/possibilities for ; e-contract signing e-mandates e-conveyancing i-identity with tokenisation 18

19 Thank you Thank you Links: & ECB 31/1/13 Regulations : (Note : These are recommendations that must be implemented by EU27 as minimum requirements, The detailed recommendations will be integrated into existing oversight frameworks for payment schemes and supervisory frameworks for PSPs and are to be considered as common minimum requirements for internet payment services. The members of the Forum are committed to supporting the implementation of the recommendations in their respective jurisdictions and will strive to ensure effective and consistent implementation within the EEA. ) Financial Services Authority (UK) & the PSD : and The information in this presentation is not legal advice, and are the views of the presenter. PSP s should seek legal advice in order to determine their compliance requirements. isignthis Ltd : Identity Authentication 19

20 Appendices isignthis Ltd : identity Authentication 20

21 Inserting In-Band OTP s into Existing Networks 21

22 Compliance & InfoSec Security isignthis Ltd : Identity Authentication 22

23 isignthis Process Combining Proven Best Practice & Customer Experience with Patented Innovation Web isignthis enhances & simplifies proven customer experience interfaces by eliminating intrusive PII request and advance signup requirements. Mobile isignthis adopts streamlined practice to cell/mobile by using SMS to deliver OTP, post enrolment. We enhance security by adding PIN We mitigate high abandonment rate by an improved customer experience isignthis uses Issuer s Cardholder KYC, and Banking portal Security, and Existing Banking Portals to identify customers. Existing payment networks For PSP s isignthis vastly simplifies Integration We encompass all cards/schemes with single point integration ECB 31/1/13 Reg. compliant 23 Card Schemes / Associations isignthis use as is legacy transaction Networks We don t require a dedicated authentication network (eg 3DSecure.)

24 The Rest of the World Market Value proposition should include: For merchants; Revenue assurance maximisation Revenue leakage minimisation Eliminate false positives and false negatives from RBA systems. Provide open acceptance of many/all card types/schemes Eliminate manual reviews and checks Provide cross border authentication For PSP/Acquirer/eWallet Reduce internal fraud team & call center costs. Minimise chargebacks and administrative costs Single global solution with low rollout capital expenditure an independent all card scheme authentication system. Compliance with EU27 Euro Central Bank regulations 24

25 Comparison 3DSecure / isignthis Feature 3DSecure (3 Domains) isignthis (1 Domain) Acquirer pre-enrolment/ technical links required Issuer pre-enrolment/ technical links required Yes, complex Yes Pre Sale Keystrokes Yes, including leave merchant s website No No No Benchmarking Sales Abandonment Rate (Impact on sale) High (Pre Sale steps) Very Low (Post Sale step) HTML5/.app No, not available Yes, implemented. Card Coverage/Reach 15% Visa, 15% MCard, <1% Amex, <1%JCB, 0% Discover/Diners, 0% CB, 0%CUP or circa 6% overall Liability Shift Limited to reach/enrolled cards, then applicable law. 100% of all card associations and cards issued globally. EC/EU27 Law, Australian EFT Code of Conduct, India. Singapore, Canada? Personal Data (PII) Disclosure High, with Complex signup None Interface Separate iframe per participating bank Customers familiar, trusted online banking interface Integration V Complex: multiple parties, issuers, card associations, acquirers, service providers Risk Based Assessment Yes Yes 25 Single interface at merchant Payment Gateway/PSP for all card types.

26 Card Enrolment: Familiar Customer Experience Our card enrolment process is similar to that experienced by over 90 million PayPal customers to register accounts. Its got some key differences and advantages however. Why isignthis? isignthis is: An improved customer experience (no intrusive signup/ PII requested) Faster (isignthis charges are handled real time versus PayPal which take 3-5 days) Transaction specific, so can be primary transaction authentication. Not limited to verifying just the card per PayPal process. Cross currency capable (without needing exchange rate details) also patented and protected* isignthis Ltd : Identity Authentication 26

27 Card Enrolment Comparison isignthis is simpler, without PII disclosure isignthis Step 1 : Confirm your identity by accessing your credit card statement using phone or online banking, and locating the two charges from the participating merchant. Note : You can access your bank at any time within the next 10 days. A slight delay may be experienced, as some banks process charges overnight to online accounts. Instant access to charges s is available by phoning your bank. Step 2 : Enter the two values you located above, together with your mobile # and a 6 digit PIN. Safekey (from AMEX Help page) Step 1 : Accept the SafeKey Terms and Conditions. Step 2 : Enter your 15-digit Card number. Verified by Visa / (SecureCode) (from ANZ Help page) Step 1 :To enrol, go shopping online at a participating Verified by Visa merchant. When you are ready to buy, enter your Visa card details in the payment page. Step 2 You will automatically be prompted for Verified by Visa enrolment. Enter the following details: Name shown on your ANZ Visa card Signature panel code - the last three digits on the signature panel on the back of your card Card expiry date Your date of birth. Click the 'Enrol Now' button. Note: none of this information will be disclosed to the merchant. Step 3 : Simultaneously authenticate your order & optionally register your mobile upon accepting the isignthis terms and conditions Step 3 : Confirm your identity by entering some security information, which you have given us previously on your Card account Step 3 You will now be asked to create a personal message and Verified by Visa password. Make sure you remember your password; you will be prompted for it each time you shop online at a Verified by Visa store. Click the Submit button.. Step 4 : Create your SafeKey password and personal message Step 4 A confirmation page will be displayed. Your ANZ Visa card is now enrolled for Verified by Visa. isignthis uses issuer s security and KYC, No PII requested. 27 3DSecure involves Intrusive PII demands, contributing to abandonment