Integrating Strong Customer Authentication (SCA) within the popular 3-D Secure protocol for card-not-present (CNP) transactions is one of the key changes required for an open banking approach, as indicated by PSD2’s recent amendments.
This blog post aims to provide an outline of the two ways card issuers, payment services providers, and merchants can quickly deploy keystroke dynamics authentication within the 3-D Secure protocol to comply with PSD2’s requirements for SCA.
Streamline the customer authentication process with keystroke dynamics
In essence, the 3-D Secure protocol (3DS) ensures the communication of information about a customer between the merchant, the issuer bank, and the acquirer bank. However, PSD2 requires that 3-D Secure incorporate SCA. This is meant to create a security layer that protects merchants and banks alike from unauthorized CNP transactions.
Keystroke dynamics can be deployed within 3DS to streamline SCA-compliance through frictionless consumer authentication as an integral part of CNP transactions, by verifying the identity of the person behind a CNP transaction, based on the way they type.
Why is 3-D Secure 2.2.0 better than its predecessor?
Due to the negative outcomes of the initial 2.1.0 version of the 3-D Secure protocol (which included transaction abandonment and customer churn as key downsides when it was released in October 2016), EMV has published a revised protocol version called 3-D Secure 2.2.0 (3DS2).
The updated protocol makes security more convenient for merchants and issuers, as it maximizes the benefit of PSD2’s exemptions while making the customer experience less intrusive.
The EMV 3DS2 allows passive, out-of-band authentication through API integrations that promote the implementation of SCA through a variety of factors, including more well-known methods like SMS codes, more intrusive alternatives like facial recognition, and more favorable options, such as behavioral biometrics.
Keystroke dynamics deployed in 3-D Secure pop-up
Most commonly, the revised 3-D Secure protocol is implemented by the issuer bank through an automated pop-up that requires the customer to prove their identity through at least two factors, drawn from knowledge, possession, and inherence-based authentication elements.
For example, using keystroke dynamics authentication within the 3DS2 pop-up ensures the rightful owner of the card is making a transaction by verifying the way they type a short phrase (the inherence element) alongside having them enter a predetermined passphrase (the knowledge element).
Since this version of the protocol redirects customers to a pop-up window and requires customers to complete additional actions before making a purchase, businesses that go this route endure unacceptable levels of friction which stifle sales and hurt the customer experience.
Decoupling authentication allows frictionless experiences
One of the new EMV 3DS 2.2.0 infrastructure components allows the 3DS2 server to be hosted by a payment service provider, an acquirer, a merchant, or a third party. This is the key element that permits the “expansion of existing data elements to promote communication of pre-checkout authentication events and associated data as part of the EMV 3DS transaction,” as explained in the EMVCo Updates EMV® 3-D Secure Specification.
In short, to make the most of all the opportunities 3-D Secure 2.2.0 provides, merchants can deploy the protocol within their website through a mechanism called decoupled authentication. That means users are authenticated during the checkout process without necessarily having to go through and complete another pop-up window.
Keystroke dynamics for 3D Secure strong customer authentication
Also known as typing biometrics, keystroke dynamics is a behavioral biometrics technology that can recognize people based on how they type. The technology matches users’ typing patterns with previous typing samples to verify their identities.
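The matching step described above, combined with the knowledge-plus-inherence check from the pop-up scenario, as an added example that is not TypingDNA's code or algorithm: it uses a simple scaled Manhattan distance over dwell and flight times. The phrase, timings and threshold are constructed assumptions, and a real deployment would compare the passphrase against a stored hash rather than plaintext.

```python
import hmac
from statistics import mean

def features(events):
    """events: [(key, press_ms, release_ms), ...] -> dwell times + flight times."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template from previous samples: per-feature mean and mean absolute deviation."""
    cols = list(zip(*(features(s) for s in samples)))
    means = [mean(c) for c in cols]
    devs = [max(mean([abs(v - m) for v in c]), 1.0) for c, m in zip(cols, means)]
    return means, devs

def score(template, attempt):
    """Scaled Manhattan distance per feature; lower means closer to the template."""
    means, devs = template
    vec = features(attempt)
    if len(vec) != len(means):          # different phrase length: cannot compare
        return float("inf")
    return mean([abs(v - m) / d for v, m, d in zip(vec, means, devs)])

def verify(template, passphrase, attempt, threshold=3.0):
    """Both elements must pass: knowledge (text typed) and inherence (how it was typed)."""
    typed = "".join(key for key, _, _ in attempt)
    knowledge = hmac.compare_digest(typed.encode(), passphrase.encode())
    inherence = score(template, attempt) <= threshold
    return knowledge and inherence

def sample(text, dwell, flight):
    """Constructed test data: build key events from dwell/flight timings (ms)."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwell[i]))
        t += dwell[i] + (flight[i] if i < len(flight) else 0)
    return events

# Constructed enrollment samples and attempts; phrase and threshold are assumptions.
PHRASE = "pay7"
TEMPLATE = enroll([sample(PHRASE, [90, 100, 95, 110], [60, 70, 65]),
                   sample(PHRASE, [95, 105, 90, 105], [65, 75, 60]),
                   sample(PHRASE, [85, 95, 100, 115], [55, 65, 70])])
GENUINE = sample(PHRASE, [92, 98, 97, 108], [62, 68, 66])
IMPOSTOR = sample(PHRASE, [140, 60, 150, 70], [120, 20, 130])   # right phrase, wrong rhythm
WRONG_TEXT = sample("pay8", [92, 98, 97, 108], [62, 68, 66])    # right rhythm, wrong phrase

if __name__ == "__main__":
    for name, a in [("genuine", GENUINE), ("impostor", IMPOSTOR), ("wrong text", WRONG_TEXT)]:
        print(name, round(score(TEMPLATE, a), 2), verify(TEMPLATE, PHRASE, a))
```

The impostor case shows why the inherence element matters: the correct passphrase alone is rejected when the typing rhythm is far from the enrolled template.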
The European Banking Authority has approved keystroke dynamics authentication for strong customer authentication as an inherence-based authentication factor.
By communicating the authentication result in real time simply based on the way customers type on websites or apps, merchants can streamline customers’ purchasing experience, thereby lowering the likelihood of cart abandonment and customer churn.
In light of this, TypingDNA’s typing biometrics authentication can be deployed in two different scenarios under the current 3D Secure 2.0 protocol.
Firstly, within the authentication pop-up, deploying keystroke dynamics can be done by having the customer type a short phrase to prove their identity.
Secondly, during payment checkout on a merchant’s website, keystroke dynamics can look at the way users type their information in various fields such as credit card details, shipping address, or billing address. Keystroke dynamics can also be used by prompting them to type a short phrase in order to ensure they are who they claim to be.
Using keystroke dynamics for decoupled authentication helps merchants prevent fraud. It also shifts liability for fraud-related chargebacks on payment transactions to the customers’ card issuers while ensuring friendlier payment authentication.
All in all, deploying keystroke dynamics within the 3-D Secure protocol can be the right move for merchants, banks, and payment issuers to become PSD2-compliant in a quick, secure, and user-friendly way. As it drastically reduces the friction that the user experiences during authentication, typing biometrics ensures a more intuitive customer experience during authentication.