EMVCo Associates gathered in Phoenix earlier this year to provide technical input into EMV® Specification advancements. While a number of key initiatives were discussed at the event – including Electric Vehicle Open Payments (EVOP), Terminal and Card Testing and Biometric on Card – EMV 3-D Secure (EMV 3DS) was a standout topic, with a number of guest speakers in this session.
In this EMV Insights post, Arman Aygen, Director of Technology at EMVCo, highlights four key learnings from the EMV 3DS session.
1. Can passkeys be used as a password replacement to authorise high-value transactions?
Passkeys can be used to strengthen the security of e-commerce transactions. They are a phishing-resistant FIDO credential which act as a password replacement for fast, easy and trusted authentication. Issuers can leverage passkeys to authorise higher-risk transactions in EMV 3DS authentication flows.
Rita Mounir, Co-founder and COO at Allthenticate explored the importance of passkeys for security, and the different types of passkeys: device-bound versus synced. As their name suggests, device-bound passkeys cannot be exchanged across different devices and are designed to streamline user management. On the other hand, synced passkeys can offer convenience and flexibility across multiple devices, enabling seamless access to accounts. The session explored the benefits of each of these types of passkeys for different use cases.
2. Decoupled authentication brings value to several purchasing use cases.
James Rendell, CTO of the Broadcom Payment Security Division, provided insight on the EMV 3DS Decoupled Authentication flow, which allows cardholder authentication to occur even if the cardholder is offline.
James explained the difference between this and the normal EMV 3DS challenge flow, and the benefits of decoupled authentication for different use cases. Such examples include when a merchant requests for the issuer to verify the cardholder for Mail Order/Telephone Order (MOTO) transactions, or prior to providing a high-value refund.
Attendees also learned about other circumstances where delegated authentication may be valuable, such as to prevent social engineering or resolve device dependency issues.
3. There are plans to update the EMV 3DS user experience (UX).
In 2021, EMVCo published the EMV 3DS UI/UX (user interface/user experience) Design Guidelines to help payment stakeholders implement a consistent, familiar and efficient approach to EMV 3DS UI/UX design that instils consumer trust in the authentication process and optimises the checkout experience.
EMVCo has acknowledged the industry’s need for further enhanced UI/UX performance with respect to cardholder interactions during EMV 3DS transactions. At the meeting, it explained that a survey of EMVCo Associates was conducted in Q2 2023 to understand the real-life experience and attitudes towards EMV 3DS, in particular, how to improve the authentication success rate.
This has been followed by a third-party expert UI/UX study to explore the field issues and feature clarifications. The results will be used to update the EMV 3DS UI/UX Design Guidelines later this year.
4. EMVCo is committed to aligning with industry partners to ensure EMV 3DS meets all users’ needs.
Discussions also explored EMVCo’s work to align with key industry partners, including FIDO Alliance and W3C. Collaboration with these organisations supports the development of specifications, such as EMV 3DS, that improve security and payment experiences around the world.
EMVCo explained how issuers and merchants can use FIDO-based WebAuthn and Secure Payment Confirmation (SPC) within the EMV 3DS flow to better determine the legitimacy of a transaction to help reduce the risk of fraud. This approach can make the authentication process three times faster than a standard EMV 3DS challenge.
There was also a joint discussion with FIDO Alliance and W3C on Fime’s presentation at the Web Payment Security Interest Group (WPSIG) on Device-Bound Session Credentials, which aim to reduce account hijacking by cookie theft. The EMV 3DS Working Group is reviewing the proposal for how this could be applied.
New advancements are happening – watch this space.
The EMV 3DS Specifications continue to evolve in line with industry requirements and consumer preferences. For example, EMVCo is investigating updates to support merchants with attribute verification for certain purchases, such as those with age restrictions, and new subscriptions in compliance with various regulations.
EMVCo is also incorporating feedback from industry participants on the structure of the EMV 3DS Specifications to reduce complexity, increase flexibility and simplify the evaluation and approval process.
But it’s not just EMV 3DS – EMVCo is constantly advancing EMV Technology to support seamless and secure payments as new use cases continue to emerge. For example, EMVCo has developed the EMV Click to Pay Customer Experience (CX) Guidelines to support merchants, payment service providers, product owners, developers and CX designers, in simplifying online checkout and making it more consistent, convenient and secure for their customers.
EMVCo is also exploring how EMV payment technology could help support a secure and seamless electric vehicle (EV) charging payment experience. As part of this work, it is collaborating with industry bodies to examine opportunities for integrating EMV Specifications with existing EV charging standards and protocols to support interoperable, open payments.
Make your voice heard.
With high levels of Associate engagement and more developments to come, we encourage payment stakeholders to get involved and provide their expertise and requirements. This is essential to help us evolve the EMV Specifications in line with changing consumer payment behaviours and preferences.
by Oliver Manahan