The Next Generation of E-Commerce Fraud Protection Tools
The global shift to EMV chip cards has done wonders in terms of reducing counterfeit fraud. However, this added layer of security against card-present fraud means that many fraudsters have ramped up their efforts to steal data online. In fact, over the past year alone, the average price that fraudsters can fetch for card-not-present data has doubled, which means greater incentive to hack online retailers!
Fortunately, the payments industry has been focusing its efforts on optimizing online payment security for quite a while now, and the good news is that a few big changes are just around the corner. If you're an e-commerce retailer, we recommend that you familiarize yourself with the following security advances:
1. Secure Remote Commerce (SRC)
EMVCo’s new framework for remote payments, slated for release later this year, is intended to do for card-not-present payments what EMV chip cards have done for card-present payments—that is, increase interoperability of payment data and improve data security. SRC takes into account that the remote payments space is made up of a diverse array of processes and interfaces, which creates greater vulnerability. Thus, SRC lays out specifications for remote payments that will ensure data transmission is as consistent and as safe as possible.
2. 3D Secure 2.0
Like its predecessor, version 1.0, 3D Secure 2.0 secures card-not-present transactions by verifying the customer’s identity. However, the newer version utilizes even more data points to better verify transactions, and it creates much less friction since its verification process is embedded into checkout. 3D Secure 2.0 also supports fast and high-tech verification methods like biometrics.
3D Secure 2.0 has been released, but adoption is still in the early stages.
3. PCI DSS Version 4.0
The PCI Security Standards Council is currently developing PCI DSS version 4.0 to adapt to newer security technologies and the latest security threats. PCI is considering making changes to the following areas, with the help of industry stakeholder feedback:
- Authentication, specifically consideration for the NIST MFA/password guidance
- Broader applicability for encrypting cardholder data on trusted networks
- Monitoring requirements to consider technology advancement
- Greater frequency of testing of critical controls; for example, incorporating some requirements from the Designated Entities Supplemental Validation (PCI DSS Appendix A3) into regular PCI DSS requirements.
Version 4.0 will be released sometime after late 2020.