While much attention in the payments industry in recent months has focused on EMVCo’s Secure Remote Commerce (SRC) specification, another e-commerce spec from the standards body could be receiving some tweaks.
These possible initiatives, which concern the EMV 3-D Secure specifications, include a way of adding users’ travel data to help authenticate them, optimizing the whitelisting of known merchants, and enabling 3DS for transactions that initiate on a voice-activated device, according to Brian Byrne, director of engagement and operations for EMVCo., which is owned jointly by American Express Co., China UnionPay, Discover Financial, Japan’s JCB card network, Mastercard Inc., and Visa Inc.
Byrne stresses that these initiatives, technically part of a 2.3 update, are tentative. “It’s early days. We’ve had a few meetings,” Byrne tells Digital Transactions News. “We don’t have anything concrete yet.”
While the SRC spec focuses on streamlining and securing online transactions, 3-D Secure is a means of establishing that online users are who they say they are. It establishes a conduit by which merchants can communicate with issuers, who then receive data that helps authenticate buyers. Issuers began supporting the latest version of the spec, EMV 3DS specification version 2.2, this year.
Now, Byrne says, EMVCo is contemplating adding travel-specific data to this information flow. This could help authenticate users whose travel plans, indicated by hotel or airline reservations they’re attempting to make, either fit or don’t fit a known pattern. “We have a draft in process” on how this could work, Byrne adds. Suppliers of such travel information include companies like Amadeus IT Group SA, a global transaction processor catering to travel agencies, he says.
Another work-in-progress is optimizing listing of merchants known to be real and trustworthy. “It’s still up to the issuing bank” whether to OK the transaction, but this would be “a way to minimize the need for a secondary authentication method,” Byrne says. The whitelist would embrace merchants “across all categories,” he adds.
Finally, Byrne says EMVCo, along with other standards bodies such as the FIDO Alliance, are contemplating “where voice is going to fit” in the authentication scheme. Users of Alexa and other voice-activated devices raise “a host of security issues,” he says, when they instruct the devices to make purchases.
The end state the standard is aiming for, Byrne says, is a means by which open payments systems can be protected from fraud. “The world is full of secure closed systems. What we want is to secure the open systems,” he says.