EMVCo publishes security requirements for multi-factor authentication (MFA) payment solutions

Global technical body defines framework to assess the security of multi-factor authentication (MFA) solutions used to verify payments

EMVCo has released security requirements to support the development of multi-factor authentication (MFA) solutions capable of preventing or detecting attacks that could compromise the security of payment authentication. The ‘Multi-Factor Authentication Solutions for Payments Security Requirements’ document is publicly available from the EMVCo website.

MFA is an authentication method that requires the payee to provide two or more factors to confirm their identity. There are three types of authentication factors: ’knowledge’ (things you know), such as a PIN or password; ’possession’ (things you have), such as a smartphone; and ‘inherence’ (things you are) such as biometrics.

As the use of MFA solutions in payments increases, EMVCo has defined a set of security requirements for MFA solutions to address the security threats that could compromise the security of those solutions.

The work leverages EMVCo’s existing Security Evaluation Infrastructure, enabling solution providers to test their products and demonstrate that they meet payment industry expectations.

“As remote payments continue to gain traction, such as e-commerce transactions, it is paramount for consumers to be able to securely prove their identity and authenticate their transactions,” explains Joy Huang – Chair of the EMVCo Executive Committee. “EMVCo recognises that MFA plays a crucial role in not only achieving this, but also giving the industry flexibility in how it wants to authenticate consumers using different credential combinations in different payment scenarios.”

EMVCo MFA Security Requirements supports:

. developers of MFA solutions for payments, to enable them to gain security evaluation certificates for their product components and solutions.

. testing laboratories, to offer a clear evaluation process.

. merchants, acquirers and payment service providers, to share valuable and practical information on security performance characteristics and the ‘suitability’ of MFA products.

Huang adds: “It is vital to recognise why this is important – the evaluation process essentially works to assist developers in preventing and protecting against attacks using their devices or infrastructure, which could adversely impact other payment participants. Optimising EMVCo’s expertise and framework is an effective way to address this issue. EMVCo MFA Security Requirements builds on an established and proven infrastructure offering vendors access to EMVCo’s laboratory network to achieve the standards needed to protect consumers and the wider payments ecosystem.”

EMVCo MFA Security Requirements covers payment authenticators used in a variety of consumer devices, including smartphones, laptops, vehicles and IoT devices. The supporting security evaluation processes tests software and hardware components involved in the collection, processing, storage, transmission, and verification of data used for authentication during payment use cases.