India is one of the fastest-growing digital payments markets with a 28% growth rate
Digital payments are projected to grow to $11.2 trillion globally by 2026 from the current $5.4 trillion at an average growth rate of 11 per cent. India is one of the fastest-growing digital payments markets with a 28 per cent growth rate that is projected to grow $1 trillion by 2025, contributing nearly 10 per cent of the global market share. Growth at such a rapid pace will be possible by addressing the following key expectations for customer, merchant, and payment system providers – frictionless check out, risk-based authentication, higher cart conversion rate, and lower chargebacks.
While these key business aspects are table stakes for any payment program to succeed, payment security standards are constantly advancing for the betterment of the ecosystem. For example with 3DS 2.0 protocol (updated three-domain security protocol that connects merchant, networks and Issuers domain in online payments for clearly establishing fraud liability), tokenisation (a process of substituting sensitive card information with a non sensitive equivalent for higher security and data protection as the non sensitive token is meaningless without the corresponding key or index that is used to generate it) and multifactor authentication mechanisms Frictionless checkout, risk based authentication are all possible whilst smartly balancing the liability shift maximising the cart conversion rate while unlocking new avenues and business model for payment originations.
3DS2.0 is a gamechanger (ability to carry nearly 150 data fields about various payment user and merchant attributes to aid in assessing fraud) when it comes to payment security and convenience, which is a much-needed upgrade to a two-decade-old 3DS1.0 protocol (supported nearly 15 data elements) that was defined with browser as the only channel for online shopping with very limited data set available for issuers for authentication and OTP or static pin as the only AFA (Additional Factor Authentication). This served us well so far, only to be caught wanting to support additional devices like mobile, tablets, and newer form factors with customers, merchants, and issuers expecting more flexibility with biometrics-based authentication.
3DS2.0 completely enhances the security standards while transforming the customer experience at the same time using RBA (Risk Based Authentication). In a two-factor authentication market like India where second-factor authentication is mandatory which also acts as a deterrent and major cause of dropout for online payments, has been enhanced with a more practical option for risk-based authentication wherein the issuer has the flexibility to step up or relax the second-factor authentication as per the nature of the transaction. If a customer shops at his favorite retailer using the same device from the same place using the same card, the issuer can determine the transaction to be safe and waive off the second factor authentication in favour of customer experience enabling a higher conversion rate for the merchant. Getting under the hood, 3DS2.0 makes it possible by capturing device information, location, and host of nearly 150 parameters to enable the issuer to make an informed decision augmenting existing security systems in place.
Similarly, if there is any variance in any of the shopping behaviour issuers can step up authentication injecting additional factors like OTP based on transaction risk. This significantly improves the customer confidence and merchant confidence too for a high-value purchase.
Another positive development in security trend is multi-factor authentication wherein additional mechanisms beyond OTP like biometrics will be made available for customers for higher safety avoiding the SMS-ing and vishing attacks that are very prevalent today. This is a boost in the right direction. Multi-factor authentication will allow issuers to enable authentication using the customer biometrics by using multiple options like fingerprint (Apple already uses it today for any purchase on Apple app store), face-Id, retina scan, voice biometrics either used in isolation or combination. Some of these measures are already adopted in the UK which is also a two-factor payments market governed by PSD2. These measures are needed shot in the arm for the payments industry with rising volumes by the day. Emerging interoperable standards like First Identity Online (FIDO) would also help in driving adoption for seamless biometric-based authentication.
In addition, Artificial Intelligence (AI)/ Machine Learning (ML) will continue to evolve creating domain-specific advanced models to detect and prevent fraudulent transactions. For example, models built over billions of transactions fine-tuned by region, domain by payment instrument spread across multiple parameters will help real-time fraud detection. These models are continuously updated using self-supervised learning, deep learning techniques to ensure fraud detection efficacy.
Tokenisation is another emerging payment security trend that will take the industry by storm as payment form factors are continuously changing, physical cards are merging into our phones, watch, fitness bands, rings, cars, refrigerator, or anything you could think that you would like your payments to originate from. This technology is also the bedrock for subscription billing, embedded payments unlocking a trend for recurring payment use cases. The underlying technology that makes Tokenisation so secure is that the actual card is anonymised using cryptographic standards which is irreversible. Therefore, even if the cryptographic payment token were compromised, it cannot be reversed to extract the payment credentials making it useless for unintended users. At the same time, it is very easy for the consumer to just replace or create a new payment token.
The way it enhances security is, every merchant that stores payment cards will have a different token or alias, so if a merchant directory were to be compromised, the token references are rendered useless because original card credentials cannot be reverse-engineered from the token which is cryptographically secured using the highest standards. At the same time, you can create a new token with the merchant without having to change or cancel your card credentials at all other locations. Tokenisation will also ensure lower chargebacks for merchants and issuers under higher security.
To conclude all the above security measures followed by strong security and data governance in place will ensure a safe payment ecosystem.
The author is Head Merchant Acquiring Solutions, Wibmo
DISCLAIMER: Views expressed are the author's own, and Outlook Money does not necessarily subscribe to them. Outlook Money shall not be responsible for any damage caused to any person/organisation directly or indirectly.