The benefits of biometrics in Strong Customer Authentication

Biometrics have changed the face of electronic payments, becoming a crucial element in Strong Customer Authentication (SCA), the requirement of PSD2, the revised Directive on Payment Services. SCA ensures that electronic payments are transacted using multi-factor authentication, one of which is biometrics, to increase security. The ability to transfer SCA from the issuer to the merchant via 3DS 2.0 became a reality with version 2.2, ensuring that the card-issuing bank could be confident that the authentication performed by the merchant is valid.

Why is SCA, and particularly a Delegated Strong Customer Authentication (DSCA), important? First, and significantly, an SCA delegation gives merchants an advantage over the issuer banks that should not be underestimated. In most cases, they can provide the customer with a much better authentication experience.  

Merchants using biometric authentication during the payment process with Computop, for example, can transfer information that the payment was initiated with secure biometric verification to the card-issuing bank. This then waives any further authentication of the customer. The delegated authentication procedure is explicitly provided for in PSD2.

Although the user interface for SCA in 3DS 2.0 is much more harmoniously integrated into the payment process than in 3DS 1.0, a merchant's SCA embedded in the checkout reduces the risk of abandonment substantially.  

This is not least due to the fact that merchants without SCA delegation would require cardholders to authenticate themselves twice in certain cases — the first time to log into their customer account at the merchant and the second time to initiate the payment. This becomes even more cumbersome when using a mobile device.

This additional hurdle could result in consumers turning to other payment methods for credit card payments and the credit card losing popularity or, more impactfully for merchants, to customers turning to other retailers where checkout works better. Customers desire expediency and ease, particularly when using their mobile device. 

Fortunately, the major credit card schemes allow authentication to be outsourced from issuers to merchants, helping to negate the checkout hurdle. This also helps address other payment issues, as retail call centres wouldn't have to support dozens of different authentication methods. To be most successful, merchants should seek payment service providers that deliver the necessary infrastructure to set up the SCA delegation for both smartphone and browser payments.

Biometric authentication

Important for SCA, particularly via mobile devices, are biometric authentication options, for example, via fingerprint or face recognition. If the biometric recognition is carried out according to FIDO standard, complete data protection and the security of the biometric features are guaranteed. Ideally, retailers should integrate the corresponding step at which SCA delegation takes place as early as possible in the purchasing process, for example, the moment customers log into the seller's app or their online store. Once this step has been taken, the relevant information can be sent to the issuer together with the other data points relevant for 3DS 2.0 in encrypted form to prove that the merchant has already provided compliant authentication.

The FIDO standard brings together hardware and software so organisations such as Apple, Samsung, Google and Microsoft can support common biometric features. Fingerprints or face scans are only stored in a specially protected area of the device that the user utilises for recognition. The data is not stored as a reproducible file, but as a mathematical expression. When a confirmation request is sent to the device, the biometric feature is not transmitted, it is the match of a key – a hash value – that is checked. If it matches the stored value, authentication will be successful. 

Security

Two-factor authentication within SCA is based on the use of two or more elements which are categorised as ‘knowledge’, something that only the user knows such as a password; ‘possession’, something that only the user possesses such as a smartphone; and inherence, something that is a personal or physical aspect of the user, for example, a fingerprint. These must be independent from each other. 

While a password could be discovered as part of a phishing attack for example, or a device could be stolen, the biometric feature can only ever be linked to the person, which is why biometrics make a major contribution to the secure payment process. 

Convenience

There is the added benefit of convenience. Unlocking the smartphone by fingerprint or face scan is learned, it is quick and does not require the entry of numbers or letters. This reduces the probability of last-minute cancellations of purchases when the customer is confronted with impractical passwords that have to be entered on a small smartphone screen. It’s no surprise that conversion rates increase with biometrics.

Merchants should strongly consider implementing SCA. The benefits are overwhelming, and as merchants "own" SCA, customers receive a more user-friendly experience, which will help to drive conversions. 

About Ralf Gladis

About Computop