The future of authentication in payments

In this article, we’re unpacking three of authentication’s top trends – delegated, cryptographic, and biometric – to find out.

Checkout.com
November 13, 2023

To say that payment authentication evolved quickly in 2023 feels like a dramatic understatement. When it comes to authenticating payments, innovation and evolution aren’t mere buzzwords, they’re the rule – and the space continues to progress with the speed and force of a runaway freight train.

Take, as one example, 3D Secure 2.1 – a card authentication security protocol only mandated as recently as April 2019 – which will, in 2024, be phased out by the major card schemes.

This makes it more important than ever not just to keep up, but to look ahead: to gaze into the crystal ball of the payment industry and forecast the future of authentication in payments.

Here at Checkout.com, we’re well placed to do just that. We are, as an example, already 3DS 2.3.1 certified. (And, moreover, were the first end-to-end payments provider to achieve this.) But more importantly, we believe that the goal of payment authentication, first and foremost, should be to authorize payments in a way that promotes ease, convenience, and choice for the consumer – and maximizes safety, security, and compliance on the part of the merchant.

But is that the direction payment authentication is heading in? Below, we’re unpacking three of authentication’s top trends – delegated, cryptographic, and biometric – to find out.

The changing payment authentication landscape

The last few years have seen a gradual, yet inexorable, shift towards more security in the payments process.

The Payment Services Directive 2 (PSD2) tightened the strings of payment authentication: requiring all merchants – operating in and accepting payment from UK-, EU- and EEA-based customers – to adopt SCA (Strong Customer Authentication) protocols. As a 'regulatory factory', the EU's directives are being copied by other countries. India, Bangladesh, Singapore, Malaysia, Nigeria, and South Africa all introduced their own versions of SCA after the directive came in, and other countries will likely follow suit.

For all their importance and good intentions, however, these added security measures – which require merchants to apply two-factor authentication (2FA) to transactions – have increased friction at the checkout, and taken their toll on the payment experience.

In turn, delegated authentication has risen to meet these challenges.

What is delegated authentication?

Delegated authentication involves allowing a third party – called an identity provider, or IdP for short – to manage the payment authentication process for you. This third party could be a digital wallet provider, an acquirer – or even you, the merchant.

By verifying the cardholder’s login credentials through linking and recognizing their identity throughout several different systems, the IdP builds on SSO (single sign-on) techniques. And, in doing so, allows the cardholder to access multiple systems with a single ID.

The result? Less cart abandonment. Boosted transaction approval – and, in consequence, conversion – rates. Plus a simplified checkout experience for your customer – and for you, greater control over the transaction process, and a vastly reduced administrative workload.

That’s not even mentioning delegated authentication’s role in safeguarding your transactions: keeping you compliant with payment’s ever-evolving security requirements, and demonstrating your commitment to ensuring the integrity of cardholder data in every transaction.

The role of cryptographic authentication

Another emerging form of payment authentication that – amid the backdrop of merchants’ search for increasingly friction-free transactions – is gaining pace?

Cryptographic authentication.

Cryptography is, by its most basic dictionary definition, “the art of writing or solving codes”. Transmute the word into its verb form, however – to encrypt – and it’s much more familiar.

Encryption has a wide range of mainstream security applications, from its role in protecting the privacy of WhatsApp messages to establishing secure methods of traversing the internet (with a Virtual Private Network, a.k.a. VPN, for example). And in a payment authentication context, it’s finding an increasingly crucial subset of uses.

Essentially, cryptographic authentication (also known as key-based authentication) enables companies, governments, and financial institutions to be sure that data provided by users during the payment authentication and verification processes is accurate by using cryptography as the source of truth.

Cryptographic authentication is significant in that it can help solve some of the issues at the heart of risk-based approaches to authentication. While the machine learning algorithms that risk-based authentication relies on are extremely accurate in deducing patterns from existing data, they require the accuracy and legitimacy of that data to do their jobs.

With forms of cybercrime such as synthetic identity fraud – in which a bad actor cobbles together pieces of a legitimate identity, such as a Social Security Number, with fabricated information to make a new, ‘Frankenstein’ identity – on the rise, it’s easier for hackers to manipulate the data risk-based algorithms need to be effective.

What cryptographic authentication does, then, is make sure the data machine learning systems receive is tied to the actual customer – not a fraudster.

Cryptographic authentication requires the consumer to authenticate across several factors (including knowledge, inherence, and possession) by forcing authentication against a known cryptographic key – a phone number, for example – into the transaction flow.

For merchants, cryptographic authentication can help you see a decline in fraud and an uptick in revenue – not to mention a safer, secure, and more streamlined payment experience for your customers. And it will only become more prominent in the authentication field as payment fraudsters (and the technology they use) become savvier.
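To make the key-based idea above concrete, here is an added example (not Checkout.com's code, and not the SPC or WebAuthn wire format) in which a device-held private key signs a one-time challenge together with the payee and amount, so the verifier can tie the approval to the enrolled customer and to the exact transaction. The function names, the JSON payload layout, the P-256 curve and the sample order are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Enrolment: the device creates a key pair; the verifier stores only the public key.
const enrolDevice = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Bytes that get signed: the one-time challenge plus what the customer was shown.
function signedPayload(challenge, tx) {
  const { payee, amount, currency } = tx;
  return Buffer.from(JSON.stringify({ challenge, payee, amount, currency }));
}

// Device side: called only after the local user check (biometric or PIN) passes.
function deviceSign(privateKey, challenge, tx) {
  return crypto.sign('sha256', signedPayload(challenge, tx), privateKey);
}

// Verifier side (issuer or payment provider in this sketch).
class Verifier {
  constructor(publicKey) { this.publicKey = publicKey; this.pending = new Map(); }
  issueChallenge(order) {
    const challenge = crypto.randomBytes(16).toString('hex');
    this.pending.set(challenge, order); // challenge -> order on record
    return challenge;
  }
  verify(challenge, signature) {
    const order = this.pending.get(challenge);
    if (!order) return 'unknown-or-replayed-challenge';
    this.pending.delete(challenge); // each challenge is single use
    const data = signedPayload(challenge, order);
    return crypto.verify('sha256', data, this.publicKey, signature)
      ? 'authenticated' : 'signature-mismatch';
  }
}

function demo() {
  const { publicKey, privateKey } = enrolDevice();
  const verifier = new Verifier(publicKey);
  const order = { payee: 'shop.example', amount: '49.99', currency: 'EUR' }; // constructed
  const c1 = verifier.issueChallenge(order);
  const sig = deviceSign(privateKey, c1, order);
  const genuine = verifier.verify(c1, sig);
  const replay = verifier.verify(c1, sig); // same challenge presented twice
  const c2 = verifier.issueChallenge(order);
  const altered = deviceSign(privateKey, c2, { ...order, amount: '4999.00' });
  const c3 = verifier.issueChallenge(order);
  const otherKey = deviceSign(enrolDevice().privateKey, c3, order);
  return { genuine, replay, tampered: verifier.verify(c2, altered),
    wrongKey: verifier.verify(c3, otherKey) };
}
```

Only the signature made by the enrolled key over the order on record is accepted; a reused challenge, a signature over a different amount, and a signature from an unenrolled key are each rejected.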

Secure payment confirmation (SPC)

While it doesn’t boast the catchiest of names, secure payment confirmation (SPC) is another method of payment authentication set to make a splash in the space.

SPC is a browser capability – currently available in Chrome and Edge on macOS, Android, and Windows – released by the World Wide Web Consortium (W3C) in June 2023.

A project four years in the making, SPC incorporates cryptographic authentication and biometrics to help merchants, payment service providers, card networks, and banks meet SCA and PSD2 requirements, while minimizing consumer friction and maximizing payment security. It’s also supported by 3D Secure 2.3, the latest version.

While SPC isn’t quite ready for widespread rollout yet (it’s being implemented through pilot programs by payment service providers to help the W3C refine it through feedback), the early results are good. Data from one pilot project reported that SPC authentication resulted in an 8% conversion-rate increase vis-à-vis one-time passcodes – and that, with SPC, the checkout process was a staggering three times as fast.

Further experimental data is expected soon, but the progress so far indicates that SPC stands to play a key role in the future of payment authentication – so watch this space.

Will biometrics be the future of payments?

Like cryptography, biometrics have found wide applications well beyond the boundaries of the payments industry.

Fingerprint, facial, and voice recognition are already being used as an alternative to passwords as a way for banks and businesses to authenticate a user’s access to their websites, apps, or secure online portals. From an operational perspective, companies harness biometric authentication to grant access to physical spaces and track employee time and attendance, while such applications have long been a feature of border control and immigration setups.

Which all begs the question: will biometrics be the future of payments?

There’s a strong case that yes, they will be. Fuelled by major players such as Apple and Google – whose respective digital wallets have long relied on facial and fingerprint technology for authenticating payments – biometrics are continuing to prove their worth.

And, from a merchant’s perspective at least, biometrics are relatively easy to implement. Provided excessive (and expensive) technology – such as the kind of facial verification systems you see in airports – isn’t required at the point of sale, there appear to be few barriers for merchants looking to implement a quicker, safer, and more convenient way to accept payment.

But how do consumers feel?

Biometric authentication in payments: the consumer perspective

One factor driving the rise of biometrics is increasing consumer awareness of the fragility of their data security in the online space. Fuelled by an alarmingly large, and consistent, number of data breaches – over 364 million people have been affected by one so far in 2023, and this is a conservative estimate – people are more knowledgeable around, and more conscious of, the information they’re giving up to private companies.

So, where do biometrics come in? And why are they gaining such traction?

Firstly, note that around half (49%) of data breaches involve the use of stolen data. By their nature, biometrics are harder to steal than physical data, such as PINs, passwords, usernames, and email addresses, and thus offer a more robust layer of customer protection. This, by and large, is a view customers appear to agree with – and Mastercard data found that two-thirds of consumers agree that biometrics are safer than PIN- or password-based authentication.

Secondly, biometrics – by enabling secure, hands-free, remote authentication and payment – are driving contactless forms of purchasing from and interacting with businesses. This is particularly vital given post-pandemic consumer payment trends away from more contact-based forms of engagement.

Thirdly, biometrics’ aforementioned wide range of applications in a non-payments related context means that consumers are increasingly likely to demand this technology for things like authenticating and verifying their payments. And there’s no doubt biometric payments, used properly, work wonders for the speed, convenience, and effectiveness of authentication from both a customer and merchant perspective. So what’s the issue?

The setbacks of biometric authentication – and its future implications

Ironically, one of biometric authentication’s key strengths – its role in safeguarding consumer data privacy – could also be one of its drawbacks.

Because, as with any emerging technology, issues of trust remain. The same Mastercard survey referenced above also found that seven in ten (71%) consumers have misgivings around which parties have access to their biometric data.

Further data – this time from Ipsos – found that three-quarters (74%) of US adults were concerned about their biometric data being stored by a marketer, while only half remain convinced that facial recognition technology should be used for security purposes.

Through this lens, it’s not necessarily biometric authentication technology consumers have an issue with – it’s the general question of what’s being done with their data online. (Hardly surprising, given the extent to which private companies mine data through online searches to build up user profiles, which are then sold on to the highest bidder.)

These consumer concerns are also reflected by regulators, many of whom remain unconvinced by the current safeguards in play. And even these safeguards – in the US at least – are surprisingly thin on the ground.

At the time of writing, only Illinois, Maryland, New York, Oregon, Texas, and Washington have legislation in place to regulate the collection, storage, and disclosure of biometric data by companies. (Although Arizona, Connecticut, Hawaii, Kentucky, Maine, Massachusetts, Minnesota, Missouri, Montana, Nevada, New Jersey, Pennsylvania, and Tennessee all have proposed legislation; and reform is expected at a federal level, too.)

These proposed legislative changes should aid in boosting consumer trust around biometric payments, but it’s clear that more transparency from a company level is required: and that more pressure should be put on them to explain their policies around how biometric data is stored and used.

Should this happen, it’s likely biometric technology will continue to play not only a bold and burgeoning role in the future of payment authentication – but a starring one, too.

A delicate balance: The future of payment authentication

As the train of payment authentication technology rolls on at pace, merchants are left with a delicate balance to strike.

To provide a payment experience that’s as fast and friction-free as possible for the customer, while juggling their own ever-evolving compliance requirements.

Alongside this, merchants must also walk the tightrope not only of the increasing customer demand for emerging payment authentication technology like biometrics – fuelled, in part, by its growing ubiquity in a non-payments context – but of customers’ equally powerful, privacy-based reticence to embrace this technology.

Consumer concerns around privacy – exacerbated not by the payments industry, necessarily, but by the data-mining policies of global companies like Google, Facebook, Amazon, and Apple – are rife. As are justifiable concerns about the ability of businesses like these to keep that data safe from hacker-led breaches.

Merchants, whether they like it or not, have become embroiled in these issues. Which means it’s their – that is, your – responsibility to adopt increasingly secure methods of payment authentication to assuage those customer doubts. To stay at the forefront of authentication technology. And build trust by enabling your customers to pay in ways they’re most comfortable with – however that might look.

But to do that, you’ll need the right partner.

How Checkout.com can optimize how you authenticate payments

Want to keep your business forward-facing, and align with the future of authentication in payments? Checkout.com can help.

Powered by robust, AI-driven machine learning, our Authentication solution offers a wealth of high-powered authentication optimizations: including smart retry logic, protocol versions, and data enrichment. Hosted and non-hosted options allow you to strike that balance between compliance and customizability, while leveraging SCA exemptions to provide the most frictionless authentication process possible.

With us, you can optimize for all versions of 3D Secure (including the latest, 2.3), and quickly identify – then act upon – shifting scheme and regulator preferences. With millions of data points helping you boost acceptance rates and the ability to authenticate using your preferred credentials (be it PAN, tokens, or network tokens), you’ll have everything you need to set your payment strategy up for success. Both now, and for the future.

Want to learn more? Get in touch with Checkout.com’s team of payment authentication experts today to learn more about how our Authentication solution can benefit your business.
