Publication Date: March 2023
Payment authentication and verification processes are influenced, in part, by the flow of consumer preferences. As more commerce began taking place remotely via online and mobile in-app channels, fraudsters increasingly shifted their attention toward these avenues, and card-not-present (CNP) fraud became more prevalent. The escalation of CNP fraud attempts can also be attributed to increased security in the card-present space brought on by the payments industry’s migration to EMV.
Merchants, acquirers, and other payment stakeholders are working to strengthen their digital payment authentication and verification strategies in response to the increasingly sophisticated fraud landscape.
In developing this white paper, the U.S. Payments Forum aims to:
- Provide a comprehensive reference point for payments professionals to increase their understanding of available authentication/verification techniques and tools, their evolution, and standards
- Address potential challenges to the broad implementation of these enhanced authentication/verification tools and techniques
- Promote the adoption of best practices for preventing CNP and other digital payments fraud and increasing digital payment security through a layered approach to authentication/verification
The payments authentication and consumer verification techniques described in this document have been categorized into four segments for ease of access, beginning in section two of the document.
The categories are Consumer Verification, Device Authentication, Risk-Based Authentication (RBA), and Analytics and Familiarity Signals.
In total, this white paper explores 19 techniques which are briefly described below. The applicability, features, associated risks, consumer impact, implementation considerations, maturity, standards, and relevant statistics of each technique are explored in greater detail in sections two through five of the document.
2.1 Static Password – A combination of typically eight or more letters, numbers, and special characters. The static password is the most used authentication technique and the least expensive to implement, but often the easiest for fraudsters to exploit.
2.2 Knowledge-Based Authentication (KBA) – A means of authenticating end users by asking “shared secret” questions only the actual person should know. KBA questions are either static (preset at the time of account setup) or dynamic (multiple-choice questions gleaned from databases that include credit and/or demographic data).
2.3 Out-of-Band Authentication (OOB) – A method which provides real-time authentication for network-based (internet and mobile) transactions using a communication channel different from the channel used by all the other messages and data from a device to reduce fraud. Push notifications and one-time passcodes are both examples of OOB authentication.
2.4 Mobile Public Key Infrastructure (PKI) for Push-Based Authentication – A technique that uses cryptography to secure the authentication communication channels during push-based authentication. Push-based authentication validates login attempts by sending access requests via out-of-band notification to an associated mobile device. In mobile PKI systems the communication is encrypted bi-directionally (end-to-end) between the application and a secured authentication service.
2.5 Virtual Card Authentication – A method which enables consumers or small businesses to generate virtual card numbers to make online purchases in lieu of the real PAN with which it is associated. The cardholder creates a temporary or one-time-use card number, with a security code and expiration date, linked to an existing card PAN.
2.6 Consumer Device Cardholder Verification Method (CDCVM) – An authentication method by which a consumer enters a passcode, password, pattern, or a biometric such as fingerprint, iris, voice or facial recognition on their mobile device.
2.7 EMV Secure Remote Commerce (SRC) – A specification created by EMVCo for click-to-pay which, at its core, focuses on consumer authentication as distinct from cardholder authentication. With SRC-compliant checkout services, users enroll their payment information with the service through their merchant or their card issuer, which then facilitates data transmission between the merchant, issuer, and other parties in the payment process.
2.8 Biometrics – A method for digitally verifying a person’s identity through physical or behavioral means. This includes, but is not limited to, fingerprint scanning, facial recognition, iris scanning, voice recognition, or analyzing familiar keystroke patterns during the payment transaction process. Biometric capture can be either active or passive, and physical or behavioral.
2.9 FIDO (Fast Identity Online) – A series of freely available open technical standards created by the FIDO Alliance that utilize on-device public key cryptography to authenticate a user to an online service. The FIDO Alliance aims to replace traditional on-server password authentication with a possession-based public-private key pair similar to that used by EMV card chips.
2.10 W3C (World Wide Web Consortium) WebAuthn API – An API that simplifies the ability of a relying party, such as a web service, to integrate strong authentication into applications using support built into all leading browsers and platforms. Allows web services to offer their users strong authentication with a choice of authenticators such as security keys or built-in platform authenticators such as biometric readers, instead of just a username and password.
3.1 Dynamic Cryptogram – A cryptogram generated using secret keys stored in a payment device during EMV chip transactions. Information presented from debit or credit card data stored in the mobile wallet and the terminal are leveraged to create a one-time-use dynamic cryptogram which is used by the issuer to authenticate the payment device.
3.2 MNO Risk Scoring, Phone Number Validation, Device Binding and MNO Intelligence – A series of techniques linked to the mobile device that can be used for remote enrollment of payments to validate the user, and as MFA factors. These techniques capture data about/from the consumer or the consumer mobile device to validate against existing attributes stored in the mobile network operator (MNO) database.
Risk-Based Authentication (RBA)
4.1 Adaptive Authentication – A dynamic form of RBA that selects appropriate authentication factors depending on a user’s risk profile and tendencies, as well as specific transaction data (e.g., amount). It evaluates multiple parameters, which may include characteristics of the user device, browser, and other attributes; malware detection; geolocation; IP address; consumer use of the mouse and/or keyboard; or other behaviors displayed by the consumer.
4.2 EMV 3-Domain Secure (3DS) – A global risk-based secure messaging protocol that consists of three domains: merchant/acquirer domain, issuer domain, and interoperability domain. 3DS enables issuers to authenticate consumers in real-time during an online or mobile-initiated transaction to reduce fraud and cart abandonment, improve approval rates, and accelerate growth in ecommerce.
4.3 Identification and Verification (ID&V) and Provisioning – A critical part of the provisioning process which ensures that the consumer is the legitimate owner of the payment credentials before a payment token is created and provisioned to a mobile wallet. Examples of ID&V methods include an account verification message, PAN-based risk score assessment, and one-time password.
Analytics and Familiarity Signals
5.1 Predictive Analytics – A process of using analytics to make predictions based on data. This process uses data along with analysis, statistics, and machine-learning techniques to create a predictive model for forecasting future events, behaviors, or most likely outcomes (e.g., potential fraud occurrences).
5.2 Machine Learning (ML)/Artificial Intelligence (AI) for Authentication – AI combines data, algorithms, and computing power to act like a computer with human intelligence. ML is a subset of AI that can be trained through the input of data to make decisions, similar to how a human would respond, but with the ability to act on patterns too complex for humans to identify. Machine learning creates algorithms that process large datasets with many variables and helps find hidden correlations between user behavior and the likelihood of fraudulent actions, among other things.
5.3 Device Familiarity, Risk and Attack Signals – A set of attributes or events originating from a mobile device that can be used to assess the security of an authentication session. These signals can be leveraged to add contextual information for user authentication by providing additional assurance that the authenticating user is valid.
This white paper was created by the members of the U.S. Payments Forum’s Mobile and Touchless Payments Working Committee. Its purpose is to provide the industry with a coordinated, in-depth reference point to establish best practices for the implementation of mobile-initiated ecommerce/CNP fraud reduction techniques and tools. It imparts information that will empower payments stakeholders to ask informed questions of solution providers during their continuous journey toward the elimination of payments fraud. In order to mitigate risk in today’s complex cybercrime landscape, the payments industry is encouraged to consider a multi-layered approach to authentication. The techniques described in this white paper provide different options for mitigating digital/mobile CNP fraud, depending on the specific circumstances, e.g., payment method, use case, level of risk, etc.
To download the full white paper, please fill out the form below:
If you are a member, the white paper can be download on the members only page here: https://protected.uspaymentsforum.org/device-authentication-and-consumer-verification-techniques-for-mobile-in-app-and-remote-payments/
Please note: The information and materials available on this web page (“Information”) is provided solely for convenience and does not constitute legal or technical advice. All representations or warranties, express or implied, are expressly disclaimed, including without limitation, implied warranties of merchantability or fitness for a particular purpose and all warranties regarding accuracy, completeness, adequacy, results, title and non-infringement. All Information is limited to the scenarios, stakeholders and other matters specified, and should be considered in light of applicable laws, regulations, industry rules and requirements, facts, circumstances and other relevant factors. None of the Information should be interpreted or construed to require or promote the establishment of any solution, practice, configuration, rule, requirement or specification inconsistent with applicable legal requirements, any of which requirements may change over time. The U.S. Payments Forum assumes no responsibility to support, maintain or update the Information, regardless of any such change. Use of or reliance on the Information is at the user’s sole risk, and users are strongly encouraged to consult with their respective payment networks, acquirers, processors, vendors and appropriately qualified technical and legal experts prior to all implementation decisions.