Voice of the Industry

Entersekt's world-first FIDO2 payment authentication solution

Friday 12 November 2021 09:52 CET | Editor: Alin Popa | Voice of the industry

Groundbreaking PSD2-compliant implementation helps pave the way for the passwordless future of digital payments 

In a world-first implementation, the FIDO authentication standard for payments was recently deployed at PLUSCARD, a full-service processor for numerous card-issuing institutions throughout Germany.

The industry-leading solution, developed by authentication specialist Entersekt and digital payments provider Netcetera, enables secure, unrestricted card payments on the internet without needing a mobile device for mandatory two-factor authentication under PSD2. The solution gives customers the option to use FIDO2 security keys to authenticate themselves for payments with online merchants leveraging the latest EMV 3-D Secure protocol.

Uwe Härtel, Entersekt’s country manager for Central Europe, offers an overview of this milestone project and the benefits afforded to cardholders. 

Strong Customer Authentication without a mobile device

Strong Customer Authentication (SCA) has become more complex in the EU since the introduction of PSD2. Under the regulation, processing via mobile devices can be instrumental in achieving compliance with the stricter requirements, while offering a better payment experience for consumers at the same time. However, for some customers, using a mobile device is not always an option, as was the case at PLUSCARD.

Although most of PLUSCARD’s cardholders were already using an app-based solution, it became apparent that a substantial number (PLUSCARD estimates between 10% and 12%) of cardholders were not willing to use a mobile device for authentication. These customers either had security concerns or simply did not own a smartphone.

PLUSCARD needed a solution that would enable these customers to shop online and pay with their cards without having to use an app for two-factor authentication. At the time, the envisaged solution was a hardware token that followed the global and open FIDO standard. 

FIDO2 certification

Since 2019, Entersekt had been engaged in talks with long-standing partner PLUSCARD about the possible use of hardware tokens for Strong Customer Authentication (SCA). In 2020, Entersekt began developing a FIDO server, which had to be certified by the FIDO Alliance before it could be put into practice. In December 2020, that certification was obtained. As a result, the FIDO server could be integrated into the Entersekt Secure Platform (ESP), while the corresponding web software development kit (SDK) was built in parallel.  

Digital payments provider Netcetera then implemented the solution at PLUSCARD, which was followed by a phase of joint and repeated testing. After all, the authentication flow had to work flawlessly on all mobile and web browsers. 

On June 16, 2021, PLUSCARD went live with its new FIDO authentication solution. The FIDO Alliance later confirmed that this deployment is the world’s first FIDO implementation for payment authentication. 

FIDO for passwordless Strong Customer Authentication

Today, PLUSCARD customers who have registered their credit cards for FIDO authentication can obtain either a new physical FIDO token or opt for an existing FIDO token to use on their PCs. They must register their tokens on the PLUSCARD customer portal. The token is then linked to the customer's credit card so that all future online purchases can be authenticated, very simply, using a FIDO token.  

A FIDO token is a great deal more secure than SMS OTP, and is therefore a better, safer choice.  

An authentication solution with great future potential  

In addition to physical roaming authenticators (USB FIDO tokens), platform authenticators are set to play a greater role in the near future, too. In essence, by supporting the WebAuthn standard in co-operation with the corresponding crypto chips, a notebook or mobile phone will also become a secure FIDO (platform) authenticator in the future.  

Given that PLUSCARD's solution was designed with both methods in mind, it holds a great deal of potential. 

About Uwe Härtel

Uwe Härtel is a country manager at Entersekt. He has extensive experience in digital and payment security, with deep knowledge of the authentication market. Uwe is passionate about fintech and its role driving digital transformation in financial services. He believes it will bear much fruit if the sector is careful to protect its reputation for security and dependability in the process of change. Based in Munich, Uwe oversees Entersekt’s growth in central Europe. He holds an MBA degree from the University of Bayreuth.

 

About Entersekt

Entersekt is an authentication specialist, known for authenticating payments without friction. The company’s omnichannel solutions are deployed in numerous countries across the globe, helping protect millions of financial services customers every day. Entersekt has a strong track record of successful deployments and market-firsts in the financial services industry. For more information, visit entersekt.com or email info@entersekt.com.


Keywords: FIDO, digital payments, online security, SCA, security token
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World