
Passwordless future with FIDO – first European FIDO2 solution for payments was put to practical use at PLUSCARD by Entersekt and Netcetera. Entersekt is coming to Banking 4.0.

14 November 2021

An article written by Uwe Härtel – Central Europe Country Manager at Entersekt. You can meet Uwe at Banking 4.0.

In a Europe-first implementation in partnership with Netcetera, the FIDO authentication standard for payments was recently instituted at PLUSCARD, a full-service processor for numerous card-issuing institutions throughout Germany.  


The solution, developed over several months, enabled secure, unrestricted card payments on the internet without needing a mobile device for mandatory two-factor authentication. 

The need for app-free strong customer authentication 

Since 2019, Entersekt had been engaged in talks with long-standing partner PLUSCARD about the possible use of hardware tokens for strong customer authentication (SCA).  

Although most cardholders were already using an app-based solution, it became apparent that a substantial number (PLUSCARD estimates between 10% and 12%) of cardholders were not willing to use a mobile device for authentication. This was due either to security concerns or simply to not owning a smartphone.

These customers needed a solution that enabled them to shop online and pay with their cards without having to use an app for two-factor authentication. At the time, the envisaged solution was a hardware token that followed the global and open FIDO standard.

FIDO-certified server and SDK development

So, in 2020, Entersekt began developing a FIDO server, which had to be certified by the FIDO Alliance before it could be put into practice. In December 2020, that certification was obtained. As a result, the FIDO server could be integrated into the Entersekt Secure Platform (ESP), while the corresponding web software development kit (SDK) was built in parallel.  

It was then over to Netcetera to implement the solution at PLUSCARD, which was followed by a longer phase of joint and repeated testing. After all, the authentication flow had to work flawlessly on all mobile and web browsers. 

On June 16, 2021, PLUSCARD went live with its new FIDO authentication solution, the first German FIDO implementation for payments. 

Simple, strong customer authentication using FIDO 

Today, PLUSCARD customers who have registered their credit cards for FIDO authentication can either obtain a physical FIDO token or opt to use an existing FIDO token on their PCs. They must register their tokens on the PLUSCARD customer portal. The token is then linked to the customer’s card so that all future online purchases can be authenticated, very simply, using a FIDO token.

A FIDO token is a great deal more secure than SMS OTP, and is therefore a better, safer choice.  

An authentication solution with great future potential  

In addition to physical roaming authenticators (USB FIDO tokens), platform authenticators are set to play a greater role in the medium term, too. In essence, by supporting the WebAuthn standard in co-operation with the corresponding crypto chips, a notebook or mobile phone will also become a secure FIDO (platform) authenticator in the future.  

Given that PLUSCARD’s solution was designed with both methods in mind, it holds a great deal of potential. We’re excited to be on board!  

About the author

Uwe is passionate about fintech and its role driving digital transformation in financial services. He believes it will bear much fruit if the sector is careful to protect its reputation for security and dependability in the process of change. Based in Munich, he oversees Entersekt’s growth in the DACH region and beyond.
