Thales eSecurity Blog

Four emerging digital payments standards you don’t want to catch you by surprise

Ian Hermon | Product Marketing Manager

Digital payments growth

According to 451 Research, digital payment channels are expected to grow from $2.8 trillion in 2018 to $5.8 trillion in 2022. That’s seven times the rate of in-store growth. Within digital payments, mobile payment transactions are expected to overtake e-commerce transactions in 2019 and represent 55% of transactions by 2022. So, if there was any doubt, it’s clear that a lot of money is going to digital payments and a substantial amount of that is going to mobile.

Fraud growth

And where the money goes, the thieves follow. In a recent 451 Research fraud study, 86% of digital commerce enablers surveyed cited an increase in fraud compared to the last year. This number was 62% in 2017.

As payment methods change, so, too, do methods of defrauding. And three main industry bodies are working together to combat fraud by influencing security standards: EMVCo, PCI SSC and GlobalPlatform.

Standards to fight fraud

I’d like to discuss four specific recent standards. The first three are from EMVCo and the fourth is from PCI DSS. Secure Remote Commerce and 3-D Secure 2.X address remote payments, while EMV 2nd Generation and Software PIN on Commercial Off-the-Shelf (COTS) Device (SPoC) address face-to-face payments.

1. Secure Remote Commerce

Secure Remote Commerce (SRC) aims to create a secure ecosystem for low-friction online payments that is analogous to what the EMV chip card is doing for point-of-sale payments. It:

  • Provides a consistent, simpler approach to digital commerce;
  • Reduces risk of PAN compromise;
  • Supports dynamic data for higher security;
  • Leverages other technologies such as 3DS and payment tokenization; and,
  • Provides consumer confidence via SRC Mark.

2. 3-D Secure 2.X

3-D Secure 2.X provides a better form of user authentication for online transactions. It:

  • Expands the scope to include app-based transactions;
  • Removes friction to reduce cart abandonment;
  • Reduces fraud through improved security;
  • Provides a flexible range of user authentication methods;
  • Increases transaction approval rates; and,
  • Creates a richer data stream for more secure authorization.

3. EMV 2nd Generation

This is under review, but the premise is to put more intelligence into the chip and less in the terminal. Work is also being done to make the transaction process easier for consumers. If enacted as we currently understand it, EMV 2nd Generation will:

  • Create a flexible modular terminal design for various transaction environments;
  • Increase security through use of stronger algorithms and secure channels;
  • Optimize transaction flows at POS to improve user experience;
  • Simplify the testing and type approval processes; and,
  • Improve information available to the issuer for better authorization decisions.

4. SPoC

This will allow merchants to use a smartphone or tablet to capture the PIN, with payment hardware security modules (HSMs) working in the background to keep things secure. The goal is to expand card acceptance. Specifically, SPoC is intended to:

  • Enable secure entry of cardholder PIN on a COTS device;
  • Facilitate lower costs for merchants in accepting PIN-based transactions;
  • Ensure security of the transaction and PIN data;
  • Provide a security evaluation process for solution certification; and,
  • Offer easy integration with existing back-end authorization systems.

The end goal of all these initiatives is to facilitate global interoperability and scalability.

The HSM challenge

The initiatives above are essential to keep the evolving digital payments environment running smoothly and safe from fraud. And all of them rely on payment HSMs in the background to keep data safe. As a result, the HSMs need to support new and emerging standards, while reducing costs. In addition, it is critical that HSMs can accommodate the myriad of payment methods that consumers have at their disposal today, and are ready to take on those that will be developed in the future.

These are the challenges we address with our payShield 10K HSM.

And, if you’d like to learn more about the changing digital payments market and keeping these payments secure, watch “Skating to the puck: Preparing to secure global payment technologies,” a webinar Research Director Jordan McKee of 451 Research and I hosted in June.