Layer7 Payment Security

Staying ahead of the authentication curve

By Anon Anon posted Apr 01, 2015 01:24 PM


February 26, 2015 - Original Blog by Carol Alexander, Sr. Director, Product Marketing, Authentication & Payment Security aleca01


The global regulatory focus on imposing standards for secure eCommerce payment practices brings awareness and builds consumer trust, but industry response to market dynamics and collaboration ultimately make the most significant impact.

I have been encouraged by the eMarketer reports that in 2014 B2C eCommerce sales grew to 5.9 percent of the total retail market worldwide, or $1.3 trillion, and by the estimate that this share will increase to 8.8 percent by 2018. The online economy is becoming the rule rather than the exception. With growth like this, however, it is no wonder that cyber-criminals treat well-organized criminal activity as a serious business, and that the fraud business will evolve around and past any solution that seeks to disrupt it.

After all, online fraud can be instigated from anywhere in the world; it is no longer a regional problem. The latest international bank heist is estimated to have involved 100 banks in 30 countries and losses of up to $1 billion, and 2014 featured some of the most astonishing data breaches on record, including one that exposed 76 million households and 7 million small business customers of JP Morgan Chase.

With the magnitude of these numbers in mind, it is not surprising that attempts at breaching bank data worldwide continue to become more sophisticated. All stakeholders interested in stopping the losses across the payments landscape must also work to continuously evolve security technologies to help mitigate future cybercrime. We must protect each other while we are protecting ourselves.

Our success requires multi-stakeholder collaboration to maintain the momentum in staying ahead of the cybercriminal fraudsters.

Multi-stakeholder collaboration

Many participants play a role in securing the payment environment, and all of them benefit from a roadmap that defines a framework for achieving an ideal state of cyber-security and a common cardholder authentication standard for online transactions. Critical stakeholders include governmental leadership and regulatory agencies, standards bodies, banks, service providers, and a host of hardware and software infrastructure companies. Regional differences around the world demand flexible alternatives that fit unique market dynamics, together with solutions that are globally interoperable and secure.

Industry leaders such as Visa and MasterCard have been actively working for many years to stay ahead of criminal elements in securing cardholder data and payment activity, with technology such as 3-D Secure, one of the earliest established Internet authentication methods. Standards organizations such as EMVCo, ISO, the NFC Forum and FIDO, together with legislative and regulatory frameworks, help achieve widely applied industry and international standards, which typically cover three aspects:

    • Operational processes: to enhance the user experience through standardized processes.
    • Security requirements: to ensure the security of cardholder data and online payment services.
    • Technical standards: to facilitate interoperability across different infrastructures, mobile devices, software interfaces and point of sale terminals.


Cybersecurity legislation and the related eCommerce, online banking, and mobile payment issues have been receiving unprecedented attention worldwide. A few examples worth noting, though by no means all of the regulatory activity of the past few years, are:

    • The 2005 requirement from the Hong Kong Monetary Authority (HKMA) that banks implement two-factor authentication (2FA) for high-risk services, with the one-time password (OTP) as the predominant form of 2FA, and the subsequent 2011 implementation of stringent restrictions against forwarding an OTP delivered by SMS.
    • European Banking Authority (EBA) efforts around the establishment and ongoing evolution of internet payment security standards: implementation of multiple layers of security defense, strong customer authentication, and the implications for OTP; and the European Union's recent approval of legislation on electronic identification and trust services (eIDAS).
    • The European Union is also discussing legislation on Network and Information Security (NIS), which would introduce a security breach notification system and baseline security requirements.
    • Country-specific implementations and restrictions within Europe vary. One example is the German central bank (Bundesbank) position that OTP via SMS can be considered 2FA only if the purchase and payment process is not carried out on the device that receives the SMS, which requires a cardholder to use two separate devices for mobile online payments.
    • President Obama has escalated U.S. cybersecurity regulation, with his October 2014 Executive Order mandating multi-factor authentication to improve the security of online financial transactions, and his February 2015 Executive Order urging companies to share cybersecurity threat information with one another and with the federal government.
    • Saudi Arabia's issuance of e-Commerce protection laws in 2007.
    • The Reserve Bank of India's bank guidelines requiring two-factor authentication to secure e-transactions.

The full picture is complex and requires industry-wide partnerships as we work to make online and mobile payments convenient and secure for customers; to mitigate risk for banks, merchants, and payment service providers; and to build unified solutions with software developers, hardware makers, chip developers, mobile network operators, and personal computer and handset manufacturers that achieve the highest standards. The inclusion of all these stakeholders is critical to ensuring security while improving the cardholder's experience and moving toward the future of an ideal digital transaction ecosystem.

This need for collaboration and focus on improvement is not new and has not changed; all of us must work harder to stay ahead of the curve. While we are glad to have government regulatory bodies look at the problems, assess impacts, and consider approaches to solutions, it is still best to leave the security of online payments to banking-focused experts, and to keep in mind that as we protect ourselves we should work toward protecting every legitimate stakeholder in the payments environment.

Original Post URL: https://blogs.ca.com/2015/02/26/staying-ahead-authentication-curve/