Authentication in M-commerce: Balancing Risk and Experience

Report by the Expert Group on Strong Customer Authentication in m-Commerce

November | 2017

Page 1 ©2017 Aite Group LLC. Agenda

• Approach and methodology
• Balancing fraud and friction: highlights from the report
• Key take-aways

Expert group on strong customer authentication in m-commerce

CO-CHAIRS: Jean-Paul Koelbl (Swisscard); Roney Castro (UL); Elvino Krizmanic (Infobip); Jacob Øst Hansen (Nordea); Francis Limousy (UL); Ron van Wezel (Aite Group); Felipe Lopez (Tecnocom); Andreas Havsberg (NETS).

MEMBERS: Pedro Martinez (Gemalto); Arman Aygen (UL); Neil Michie (Inside Secure); David Benini (Aware); Nisha Patni (HCE Service); Jan Bosveld (Promon); Chandra Patni (HCE Service); Frank Bullen (Inside Secure); Ali Raza (UL); Julie Conroy (Aite Group); Ahmad Saif (Dejamobile); Sue Cullip (Infobip); Marijke de Soete (Security4Biz); Peter Fjelbye (NETS); Coman Shanley (Bank of Ireland); Julien Gabillet (Worldline); Eduardo Galvao (SIBS).

MOBEY FORUM: Douglas Kinloch (Inside Secure); Maikki Frisk; Injam Khokar (Nordea); Elina Mattila; Thor-Ragnar Klevstuen (Sparebank 1); Shalini Sharma.

Methodology

• Research executed by Aite Group in cooperation with the Mobey Forum Expert Group.
• Basis of the research was an online survey.
• The survey was sent to three target audiences: Mobey Forum contacts, Aite Group contacts, and selected merchants.
• Between June and September, we received 76 responses, which is a very good result.

It took us 6 months from start to delivery

[Timeline chart, May to November 2017] Start of work: May 17. Presentation of final report: November 7. Milestones in between: first F2F meeting, preparation of online survey, presentation of interim survey results, second F2F meeting. Parallel workstreams: online survey, report writing, Expert Group calls, Expert Group inputs.


Who were the respondents?

• 80% of respondents came from FIs and tech vendors. Very low response from merchants unfortunately.
• 69% of FIs had a European focus, while 66% of tech vendor respondents indicated that they work globally. Still, the responses from both groups were very similar.
• About half of the respondents said they work in a product or marketing role.

Q. How would you best describe your company's business? (N=76)
Technology vendor 42%; Bank or financial institution 38%; Payment processor 9%; Merchant 2%.

Q. What is the primary geographic market that you, yourself, cover? (N=76)
Europe 45%; Global 37%; the remainder split between North America, Asia Pacific, Latin America and other markets.

Q. What is your role in your company? (N=76)
Product management/development or marketing 53%; General management 13%; Client-facing 12%; Technology 9%; Consulting/research 5%.

Market trends

Market trends and their potential impact on the market:

• Rising CNP fraud: FIs and merchants need to bolster their fraud and authentication controls, or else absorb rising fraud losses.
• Focus on the user experience: FIs and merchants are on a quest to remove unnecessary friction from the user experience, with a priority on m-Commerce.
• Increasing complexity of the payment space: FIs and merchants have to manage user experience and fraud prevention for multiple payment methods.
• Changing regulation: New legislation such as PSD2 will set restrictions to the authentication methods that FIs can use.

CNP fraud: Rising around the globe

[Chart] Changes in CNP Credit Card Fraud Losses, 2009 to 2015 (in millions of British pounds, AU$, and CA$), for the U.K., Australia and Canada. Source: Financial Fraud Action UK, Australian Payments Clearing Association, Canadian Bankers Association.

[Chart] U.S. CNP Fraud and Digital Commerce Growth, 2011 to e2020 (US$ billions); series: CNP fraud, Digital commerce. Source: Aite Group, 2017.

Balancing fraud prevention against friction…

Q. How important is SCA to prevent fraud in m-commerce payments? (n=72)
• Critical—the combat against such fraud relies on SCA: 43%
• Important, but must work in conjunction with other fraud prevention procedures: 35%
• Very important—it is required for most applications: 21%
• Not so important—it is only required for specific applications: 1%

Q. How important are the following criteria for merchants when they evaluate their approach to securing payment transactions? (n=69)
(Very important / Somewhat important / Not very important or not at all important)
• Minimize the amount of friction introduced in the user experience: 91% / 9%
• Improve security and customer trust: 68% / 30%
• Comply with regulatory and/or industry requirements: 67% / 30%
• Reduce fraud exposure due to the liability shift: 57% / 41%
• Reduce operational costs: 54% / 46%

Almost all respondents recognize the importance of SCA, with nearly half voting for “critical” importance… … at the same time, reducing friction in the user experience is considered very important by most.

There are many techniques available for fraud detection and customer authentication

The quest: optimizing the balance between risk and friction

[Chart] Authentication and fraud-detection techniques positioned by level of security (low, medium, high) against user friction (from seamless experience to high friction). Techniques shown: behavioral biometrics, behavior patterns, device malware, fingerprint biometric, eye vein biometric, iris biometric, 3-D facial recognition, 2-D facial recognition, device identity, identity data verification, identity document verification, username/password, SMS OTP, mobile app push, KBA, token.

How to best manage risk?

• Real-time transaction monitoring is indicated as the most important risk management tool for securing m-commerce payments

Q. How important are the following risk management tools for securing m-commerce payments? (n=66)
(Very important / Somewhat important / Not very important or not at all important)
• Real-time transaction monitoring: 82% / 17%
• Customer risk screening during onboarding: 64% / 33%
• Multifactor authentication: 62% / 38%
• Securing/“hardening” the software on the mobile device: 55% / 44%
• Consumer education: 42% / 52% / 6%

Effectiveness of risk-based authentication (RBA)

• 31 out of 76 respondents indicate that they have implemented RBA.
• Of those, about 42% stated that RBA was sufficient to approve 70% or more of m-commerce payments without a step-up being required.

Q. As a percentage of total volume, what share of m-commerce payments were approved based on RBA, which does not require step-up authentication with a second factor? (n=31 respondents from companies that implemented risk-based authentication solutions for m-commerce payments)

• 70% or more: 42%
• Less than 20%: 26%
• 20% to 49%: 22%
• 50% to 69%: 10%

If second factor is required, what is the preferred technology?

• Half of respondents vote for biometric verification

Q. When the first factor for SCA is knowledge (e.g., password or PIN), what technology will become the preferred additional authentication factor in the market? (n=66)

• Biometric verification: 50%
• Software token/app running on the mobile device: 20%
• Out-of-band software app running on the mobile device: 6%
• Token integrated in mobile device…
• One-time password and Other: 9% and 8%

What should the SCA threshold value be?

• More than 70% of respondents believe that the threshold value for SCA set by the regulator (EUR 30) is too low. But opinions vary…

Q. In your view, what should be the threshold amount to apply SCA to remote card payments (the proposed value by the EU is EUR 30)? (n=70)
• Higher than EUR 30 but maximum EUR 100: 51%
• The proposed value of EUR 30 is just right: 16%
• Higher than EUR 100: 9%
• No limit (No limit should be set): 1%
• Remaining responses: Zero (which means that all payments will require SCA); Higher than zero but less than EUR 30; Don’t know/no opinion.

“… the threshold to apply SCA for remote card payments should be zero. If the technology is properly implemented, and the focus is on a streamlined user experience, then the threshold becomes mute.”

“It should be up to the industry or the merchants and the banks themselves if they would like to set a limit or not and if so, where the limit should be exactly.”

Increasing complexity of the payment space

Q. Which of the following payment methods does your organization support or accept/develop software for m-commerce at the present time? (n=69)
• Cards (including card-on-file solutions): 81%
• Account-based “pay by app” payments (e.g., MobilePay): 59%
• Online e-banking tools (e.g., iDeal, PayDirekt, and MyBank): 58%
• The “Pays” (e.g., Samsung Pay and Android Pay): 55%
• PayPal (and other third-party wallets): 30%
• Digital wallets provided by banks and card companies (e.g., Visa Checkout and Masterpass): 28%
• Other: 17%

Q. Which of these payment methods is your organization planning to support for m-commerce/will your organization develop software for m-commerce merchants in the next 2 years? (n=69)
• New payment models (e.g., payment initiation services as described in PSD2): 77%
• Cards (including card-on-file solutions): 67%
• Digital wallets provided by banks and card companies: 64%
• Account-based “pay by app” payments: 61%
• Online e-banking tools: 57%
• The “Pays” (e.g., Apple Pay and Android Pay): 57%
• PayPal (and other third-party wallets): 57%
• Other: 19%

• Respondents indicate that cards are still the prevalent payment method but account-based payments are widely used as well. This latter result may have to do with a survey bias to NW Europe for FIs.
• The majority of FIs and vendors are planning to develop/support new payment models, e.g., PSD2 payment initiation.

What will be the impact of open access to the account (as required by PSD2)?

• About half of respondents have concerns about the additional risk due to open access.

Q. What will be the impact of open access on the bank's security processes and systems? (n=46)
• Moderate negative impact: 42%
• Significant negative impact: 5%
• No impact: 17%
• Moderate positive impact: 18%
• Significant positive impact: 18%

“… Aggregator style companies lack incentive to secure their infrastructure because they don't currently have liability for losses. They increase the size of the attack surface and provide a path for fraudsters to do things like test credentials, validate presence of accounts in ways that aren't as visible to bank security tools.”

“This is a data security nightmare for the bank. This is assuming the data security standards in place today are effective tomorrow. Fast forward a little bit, one breach tied to a TPP may cause an about face on this policy.”

Key takeaways

• PSPs and merchants are on a quest to balance fraud prevention and friction in the payment experience.

• SCA is the foremost defensive measure that FIs and merchants can implement. SCA could have a negative impact on conversion in the short term for certain merchant segments, but this may be temporary as customers get used to the new procedures.

• Risk-based authentication (RBA) is the most important tool available to enable a smooth payment experience while improving security at the same time.

• The adoption of biometrics as an authentication mechanism will continue to grow, as the technology offers the best of both worlds: better security and improved user convenience.

Aite (pronounced “eye-tay”) Group is an independent research and advisory firm focused on business, technology, and regulatory issues and their impact on the financial services industry. Visit us on the web and connect with us on Twitter and LinkedIn. www.aitegroup.com

Ron van Wezel, Senior analyst
[email protected]
+31.6.3629.6515
