There has been a strong desire to stay away from static solutions. The Associations already support a number of solutions, including dynamic numbers generated by chips embedded in a card (the so-called display cards), point-of-sale (POS) readers, mobile payment applications and one-time codes sent by SMS.
The Associations have also partnered with credit card processing companies to evaluate risk-based authentication solutions that allow issuers to decide both when they will authenticate a payment and how the authentication process occurs. This service is already provided to merchants that accept credit cards online as part of a solution for issuers.
In selecting the right platform, issuers have to weigh risk, reward and customer satisfaction to achieve a good balance. Each platform carries different costs, both for deployment and for the technology itself.
The following are best practices concerning the authentication process itself:
- 3-D Secure pages and the redirected URL must convey authenticity.
- For 3-D Secure authentication pages:
  - Authentication pages should offer clear messaging concerning 3-D Secure for both ADS and enrolled customer authentication.
  - The issuer's contact phone number needs to be clearly visible to the customer on the authentication screen.
  - The issuer's logo should be updated often.
  - The 3-D Secure authentication page must be 390 pixels x 400 pixels.
- For the card issuer's ACS, security that is visible to consumers:
  - The ACS can have Extended Validation Certificates, which require a more detailed investigation of the merchants that accept credit cards online by the certificate authority before they are issued. These certificates are distinguished by a green-colored URL in the browser.
  - The ACS URL must use its own domain name rather than the service provider's.
- Use risk-based platforms that compile a profile of the PC being used, as many financial institutions already do for their existing web-based banking solutions.
- It is crucial to offer the consumer a way to retrieve a forgotten password while shopping, which happens at least 30 percent of the time. Still, an issuer needs to monitor the frequency of changes and similar signals, as this may be a sign that the account could have been compromised.
- Rather than permitting a consumer to lock his or her card account through "Incorrect password used," consider enabling them to reset the password on the customer's last attempt prior to the lockout.
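The last two practices can be sketched as one piece of ACS-side logic: offer a reset just before lockout, and flag accounts whose reset rate is unusual. This is an added example, not code from the Associations or any ACS vendor; the thresholds, state fields and action names are assumptions, since the text above gives none.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values; the page does not specify thresholds.
MAX_ATTEMPTS = 3           # wrong passwords allowed before lockout
RESET_WINDOW_DAYS = 30     # look-back window for reset monitoring
MAX_RESETS_IN_WINDOW = 2   # more resets than this are flagged for review


@dataclass
class CardholderAuthState:
    """Hypothetical per-card state kept by the issuer's ACS."""
    failed_attempts: int = 0
    reset_days: deque = field(default_factory=deque)  # day numbers of resets


def on_wrong_password(state):
    """Return the next action for the authentication page."""
    state.failed_attempts += 1
    remaining = MAX_ATTEMPTS - state.failed_attempts
    if remaining <= 0:
        return "LOCKED"
    if remaining == 1:
        # The next try is the last one before lockout: surface the
        # reset path now instead of letting the cardholder lock the card.
        return "OFFER_RESET"
    return "RETRY"


def on_password_reset(state, today):
    """Record a completed reset; return True if the rate needs review.

    Assumes the reset flow has verified the cardholder's identity on its
    own, otherwise clearing the counter here would bypass the lockout.
    """
    state.failed_attempts = 0
    state.reset_days.append(today)
    # Drop resets that have aged out of the monitoring window.
    while today - state.reset_days[0] >= RESET_WINDOW_DAYS:
        state.reset_days.popleft()
    return len(state.reset_days) > MAX_RESETS_IN_WINDOW


if __name__ == "__main__":
    # Constructed timeline: two failures, then resets on days 0, 5 and 10.
    s = CardholderAuthState()
    print(on_wrong_password(s), on_wrong_password(s))
    print([on_password_reset(s, day) for day in (0, 5, 10)])
```

A flagged reset is a signal for the issuer's fraud review, not proof of compromise; what happens next (step-up authentication, a call to the cardholder) is the issuer's policy decision.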