Thales Blog

The Evolution Of EMV And Mobile First Security

November 16, 2015

This October saw the long-awaited EMV liability shift in the US, which makes merchants whose terminals do not support EMV liable for fraudulent or counterfeit transactions when a customer presents a chip card for payment. With this global "EMV loophole" now effectively closed, fraudsters will turn their attention elsewhere, and card not present (CNP) transactions are likely to bear the brunt. Javelin estimates that CNP fraud will grow from $10 billion last year to $19 billion by 2018, by which time the vast majority of the US EMV rollout will be complete.

EMV has not previously been used for online shopping, largely because of the complexity of implementation from the merchant's standpoint and the lack of consumers with suitable devices associated with their payment cards. But the world is changing, and EMVCo is already taking steps to bolster and enhance the 3D Secure specification to secure this new landscape.

3DS 2.0 is currently under development and is designed to provide an infrastructure that allows cardholders, issuers and merchants to establish a secure link and authenticate each party. Central to the new standard, however, is the understanding that this security cannot be allowed to get in the way of a streamlined user experience across devices and channels. With in-app payments soaring, the standard is being designed with mobile in mind.

In a world of "click to pay", "frictionless" is the Holy Grail for merchants and consumers alike. Whereas previously users were redirected to the issuer's web page to complete 3DS authentication, the new specification will let them remain on the merchant's page in the majority of cases. This relies on modern cryptographic techniques that generate a dynamic cryptogram for each transaction, bound to that transaction so that a captured value is of no use for another one, much as a chip card's per-transaction cryptogram works in a face-to-face payment.

Much of the infrastructure required to underpin the new 3DS will be similar to that already deployed to support Host Card Emulation (HCE) in mobile payments. Just as HCE relies on a secure session between the issuer system and the phone while credentials are loaded, the new 3DS will see an Access Control Server (ACS) act on behalf of the issuer. The ACS communicates with the consumer's device, via an SDK embedded in the merchant's app, and with the merchant server, and decides how to authenticate the user based on device information that the SDK sends in encrypted form. From the user's perspective, the SDK provides a familiar interaction experience.
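To make the division of roles concrete, here is a constructed Python model of the exchange described in this and the previous paragraph. It is an added illustration, not code from the original post, from EMVCo or from Thales. It assumes a key pre-shared between the SDK and the ACS (standing in for encryption to the ACS's public key), an illustrative risk rule, and a cryptogram that is an HMAC over amount, merchant and a per-device counter; the real specification's key management, data elements and risk logic are not reproduced.

```python
import hashlib
import hmac
import json
import secrets

# Constructed model of the roles described above: a device-side SDK, a merchant
# server that only relays an opaque blob, and an issuer-side Access Control
# Server (ACS). Illustration only, not EMVCo's 3DS 2.0 specification or Thales
# code; the key handling, risk rule and message layout are assumptions.


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _stream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a keystream
    return b"".join(prf(enc_key, nonce + i.to_bytes(4, "big"))
                    for i in range(length // 32 + 1))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: standard-library stand-in for an AEAD such as AES-GCM."""
    enc_key, mac_key = prf(key, b"enc"), prf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _stream(enc_key, nonce, len(plaintext))))
    return nonce + ciphertext + prf(mac_key, nonce + ciphertext)


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = prf(key, b"enc"), prf(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(mac_key, nonce + ciphertext)):
        raise ValueError("device data tampered with or wrong key")
    return bytes(c ^ s for c, s in zip(ciphertext, _stream(enc_key, nonce, len(ciphertext))))


class DeviceSDK:
    """Embedded in the merchant app. Assumes a key shared with the ACS at
    enrolment; a real SDK would encrypt to the ACS's public key instead."""

    def __init__(self, device_id: str, acs_key: bytes, jailbroken: bool = False):
        self.device_id, self.acs_key, self.jailbroken = device_id, acs_key, jailbroken

    def device_data(self, amount_cents: int, merchant: str) -> bytes:
        info = {"device_id": self.device_id, "jailbroken": self.jailbroken,
                "amount_cents": amount_cents, "merchant": merchant}
        return seal(self.acs_key, json.dumps(info).encode())


class MerchantServer:
    """Forwards the sealed device data; it holds no key and cannot read it."""

    def __init__(self, acs: "AccessControlServer"):
        self.acs = acs

    def checkout(self, blob: bytes, amount_cents: int, merchant: str) -> dict:
        return self.acs.authenticate(blob, amount_cents, merchant)


class AccessControlServer:
    def __init__(self, acs_key: bytes, card_keys: dict):
        self.acs_key = acs_key
        self.card_keys = card_keys  # device_id -> per-card cryptogram key (assumed enrolment)
        self.atc = {}               # per-device transaction counter
        self.seen = set()           # (device_id, atc) pairs already authorized

    def cryptogram(self, device_id: str, amount_cents: int, merchant: str, atc: int) -> str:
        # Dynamic cryptogram: bound to amount, merchant and counter, so it is useless elsewhere
        msg = f"{amount_cents}|{merchant}|{atc}".encode()
        return prf(self.card_keys[device_id], msg).hex()

    def authenticate(self, blob: bytes, amount_cents: int, merchant: str) -> dict:
        info = json.loads(unseal(self.acs_key, blob))
        if (info["amount_cents"], info["merchant"]) != (amount_cents, merchant):
            return {"decision": "decline", "reason": "device and merchant disagree on the transaction"}
        # Illustrative risk rule (assumption): step up rooted devices and large amounts
        if info["jailbroken"] or amount_cents > 50_000:
            return {"decision": "challenge"}
        atc = self.atc.get(info["device_id"], 0) + 1
        self.atc[info["device_id"]] = atc
        return {"decision": "frictionless", "atc": atc,
                "cryptogram": self.cryptogram(info["device_id"], amount_cents, merchant, atc)}

    def authorize(self, device_id: str, amount_cents: int, merchant: str,
                  atc: int, cryptogram: str) -> bool:
        """Issuer-side check at authorization: recompute the cryptogram and reject replays."""
        expected = self.cryptogram(device_id, amount_cents, merchant, atc)
        if not hmac.compare_digest(expected, cryptogram) or (device_id, atc) in self.seen:
            return False
        self.seen.add((device_id, atc))
        return True


def demo() -> tuple:
    acs_key, card_key = secrets.token_bytes(32), secrets.token_bytes(32)
    acs = AccessControlServer(acs_key, {"dev-1": card_key})
    merchant = MerchantServer(acs)
    blob = DeviceSDK("dev-1", acs_key).device_data(1999, "shop.example")
    result = merchant.checkout(blob, 1999, "shop.example")
    first = acs.authorize("dev-1", 1999, "shop.example", result["atc"], result["cryptogram"])
    replay = acs.authorize("dev-1", 1999, "shop.example", result["atc"], result["cryptogram"])
    altered = acs.authorize("dev-1", 9999, "shop.example", result["atc"], result["cryptogram"])
    stepped_up = merchant.checkout(
        DeviceSDK("dev-1", acs_key, jailbroken=True).device_data(1999, "shop.example"),
        1999, "shop.example")["decision"]
    return result["decision"], first, replay, altered, stepped_up
```

Running `demo()` walks one frictionless purchase end to end: the merchant server relays a blob it cannot parse, the ACS decrypts it and decides, and the resulting cryptogram is accepted once at authorization but rejected when replayed or when the amount is changed; a device that reports itself as jailbroken is sent down the challenge path instead. Whatever the final 3DS 2.0 messages look like, these are the properties to look for when reviewing an implementation: device data opaque to the merchant, the decision made issuer-side, and a cryptogram that cannot be reused.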

This tighter integration introduces additional complexity: developers writing apps for merchants will need to understand and comply with the strict security requirements of the 3DS 2.0 protocol. EMVCo will continue to research and define these specifications over the next six months. Our formal appointment as an EMVCo Technical Associate will see us closely involved in this process as the industry evolves and innovates to make full use of new technologies in line with changing consumer behaviour.