Secure Payments Confirmation for Web Payment

W3C in Europe - February 6, 2024

By Jean-Luc Di Manno, Solution architect - digital payment & authentication at FIME, France - member of the Web Payments Working Group

See also the supporting slides

Questions & Answers

Question: among the data that Jean-Luc shared, one that I found striking was that, despite Europe having stronger security requirements, the level of fraud is now higher in Europe than in North America where these requirements don't exist - do you have an explanation?
Answer: This is partly due to different types of fraud, e.g. paying the wrong merchant. New regulation is arriving in the UK and the EU to more strongly authenticate the real target of payments in the confirmation workflow. Another part is that there are a number of countries with a low level of card usage, e.g. Germany.
Comment: It's important to realize how critical Europe has been in making Secure Payment Confirmation emerge, pushed by the EU regulation landscape. A great example of W3C adapting to the regulations emerging in the market.

Transcript

Thank you very much Dominique and also Ian for the invitation.

I am very honoured and glad to present W3C technology penetration in Europe in the authentication and payment landscape.

First, let me introduce my company.

At Fime, we have three main activities.

We provide product accreditation with our laboratory covering many sectors such as payments, authentication, health, IoT, transit and biometrics.

We also provide test platforms and test tools for payment and transit stakeholders, and also consulting services, both business and technical, on digital identity, authentication, payment and transit.

With a worldwide presence, Fime has a global vision of the industry and is able to support all stakeholders of the payment chain.

We are present in the Americas, EMEA and APAC regions.

Fime is also a member of industry standards bodies, including FIDO, which is a consortium providing passwordless authentication methods.

Also EMVCo, as you can see, which is a global consortium that facilitates worldwide interoperability and acceptance of secure payment transactions, and of course W3C and many others.

But beyond international and domestic card schemes and authorities, we are supporting solution providers in the security and payment industry.

But let's focus on secure payment confirmation in Europe.

The percentage of the population using the Internet is quite high in Europe.

Almost all people aged between 16 and 74 years old had used the Internet in 2022.

Among those people, three out of four had purchased goods or services online.

As we can see on the chart, the percentage of e-shoppers increased from 2017 with 65% to reach 75% in 2022.

And the proportion of e-shoppers continues to grow over the years, even if the population in Europe tends to decrease.

Consumer habits are changing and we observe an important growth of the share of online payments.

New habits such as "buy online, pick up in store" foster online payment adoption.

Moreover, the browser and related web technology remain the main channel used by shoppers: the browser on laptop and on mobile, but also progressive web apps and hybrid apps.

So it is true that the European regulation on strong user authentication and the Payment Services Directive, enforced in 2018, has drastically reduced fraud rates in Europe, reaching the lowest value of 0.03% in 2021.

But consequently, the fraudsters have adapted their methods, mainly reorienting towards ways to deceive the user.

An increasing amount of "authorized fraud" attacks is rising, as per the latest European Payments Council report on fraud and threat trends.

It means that fraudsters manipulate or scam the user into performing an actual strong customer authentication, but without knowing its real purpose.

As you can see on the chart, the percentage of e-commerce revenue lost to payment fraud increased in Europe to be higher than in North America and almost the same as in the APAC region.

It includes rejection rate, chargebacks and fraudulent transactions, as per the latest Cybersource report.

This kind of threat is mainly exploiting the lack of awareness by banks and the weakness of authentication methods against phishing, such as OTP.

And OTP still represented an important share of authentication methods in 2022. For example, in France, 23% of e-shoppers were supporting OTP.

SMS OTP is subject to phishing and other attacks such as SIM swapping. The telecom providers are invited to provide more support to the industry to prevent this increasing type of fraud.

But in addition to fraud, cart abandonment is a key concern in Europe.

According to a SaleCycle report, the cart abandonment rate in Europe in 2022 was almost 18%.

And among abandonment reasons, the authentication step is important.

For instance, in 2021, the EMV 3DS challenge, meaning the interaction with the user by the bank, led to 20 to 30% abandonment.

More recently, Stripe reported that the manual shuffle between the merchant app and the authentication app led to an 11% drop in conversion rate.

The standardization bodies and authorities take this concern seriously.

EMVCo introduced mechanisms in the specification to improve the user experience.

International card schemes are also pushing to increase frictionless authentication by banks, leveraging more accurate data and technologies such as FIDO.

But frictionless means more data, and data collection is limited by browsers, and privacy protection is governed by regulation, for example GDPR in Europe.

So the payment industry is looking for a solution able to reduce friction and improve the conversion rate, but also to address security and user authentication to prevent fraud, which is not an easy balance to find.

And then a solution able to ensure user data privacy and consent.

W3C is working on user authentication and protocol and technology synergies.

For example, the Web Payment Security Interest Group has been created with EMVCo and FIDO to ensure interoperability across protocols.

The Web Payments Working Group is focusing on solutions for the payment industry.

And the Web Authentication Working Group is working on authentication solutions and synergies with other standards such as FIDO.

SPC is discussed within all these groups.

SPC tends to provide an efficient solution for the payment industry.

Let's see why.

First, SPC is based on FIDO.

And FIDO leverages cryptography and biometrics.

The solution is phishing- and scamming-proof.

As they are managed by the browser, the information display and the data signature are performed without intermediary.

Second of all, SPC is oriented towards compliance with European regulation.

It offers two-factor authentication with FIDO and cryptographic evidence of user consent and of the transaction context, called dynamic linking.

Finally, SPC is user friendly, with a unified experience across browsers, adding consumer trust.

Plus, there is no redirection.

The user remains on the merchant page, which reduces the friction.

According to a Stripe study, SPC is also faster, 3x faster than OTP.

So how does the industry welcome this technology?

First, it's important to notice that European online shoppers are used to entering card data.

In 2022, half of the payments were initiated with a card.

However, the usage of wallets and payment service providers represents the second most important payment method, including PayPal for both card and credit transfer, Klarna for buy-now/pay-later solutions, or iDeal for instant payment solutions.

The third most important payment method, described on the chart as Other, is linked to loyalty programmes, gift cards and vouchers.

As the card remains the most important payment method, either manually entered or using a wallet, card-not-present fraud attempts continue to grow.

For all these reasons, the payment industry is keen to use SPC.

For example, EMVCo introduced this technology in two of their standards, including EMV 3DS, used to perform strong customer authentication in Europe for card-based transactions.

EMV 3DS, indeed, is a protocol enabling user authentication for electronic transactions initiated with your card.

The second one is EMV SRC, for Secure Remote Commerce, also known as Click to Pay, providing a wallet across card networks to ease the checkout experience and offer a convenient guest checkout option.

But beyond EMVCo, international card schemes are also looking at W3C solutions, leveraging FIDO to perform strong customer authentication or ID&V for tokenization or delegated authentication programs.

Merchants, wallets and PSPs can leverage such technologies to ensure security and user convenience across Europe.

It could be for a non-payment use case, such as card digitization to add a card to the wallet, for example, or, as we saw, during a payment.

But the card and wallet industry is not the only one looking at SPC.

Open banking API providers encounter the same issue for fraud and user experience.

They reached out to the W3C Working Group to find out more about how to leverage SPC technology.

The European Card Stakeholders Group, working on SEPA, that is, card standardization for the European zone, is also looking for synergies and FIDO-related authentication to include in the ISO 20022 protocol.

SWIFT as well, supporting SEPA credit transfer, showed interest in leveraging SPC technology.

And even more than that, many other standards are considering SPC and, more generally, W3C authentication protocols to improve and ensure user security and convenience as a future-proof solution.

For instance, at Fime, we are really interested in deep diving on DBSC or DHIPS for fraud mitigation in the payment landscape.

DBSC stands for device-bound session credential technology.

We are thrilled to see next steps and how W3C will take a bigger place in the European payment landscape in the future.

Thank you very much.

If you have any questions, do not hesitate to reach out to me.