In the days before eCommerce, before data breaches grabbed everything from Social Security numbers to passwords, before fraudsters began to craft synthetic identities, strong customer authentication was rather simple. You handed your driver’s license to the cashier, who matched your signatures and looked at the picture — and made sure, in real time, that you were who you said you were.
SCA, as it’s commonly known, is no simple task now, and it’s certainly far from a concrete, standardized process for card-not-present transactions.
Although delayed, the migration will take place. And against that backdrop, in a PYMNTS interview with Karen Webster, Ekata CEO Rob Eleveld delved into the intricacies of just what it takes to have a robust verification system in place — and the challenges that lie ahead for merchants and payment services providers when SCA finally dawns.
As the world knows by now, SCA requires customers to complete the two-step verification by offering up one of the following: something they have; something they know; or something they are (via biometric identifier, for example).
The mechanics aside, said Eleveld, there is the need to bring digital and physical world attributes together to make a better authentication experience for merchants — and one that obviously gives consumers a better experience, too, which in turn boosts conversions.
“We live in a digital world,” said Eleveld. “It’s easy to lose track of the fact that what we’re really trying to do is just figure out if there’s a real physical person behind this transaction or not.”
To craft a successful authentication strategy, Eleveld said, it’s important for merchants and payment service providers to realize that identity is composed of, and reflects, several different attributes, far flung across centralized and decentralized locations.
Of Ekata, he said, “We are a part of a decentralized ecosystem that is trying to provide digital information to authenticate someone.”
In the decentralized model, he said, merchants and payment service providers use data that they piece together themselves, or perhaps they sign on with a provider to gather consumers’ data, running them through a machine-learning model that helps separate good transactions from bad.
Data itself can be centralized or decentralized, said Eleveld.
On the centralized side, the attributes that spring most readily to mind for identifying individuals are those gathered, stored and used by government agencies.
Eleveld said that across Europe and the United States, centralized authorities gather and disseminate personally identifiable information (PII) such as Social Security numbers and other variants of national identifiers. These data points, he said, fall under the designation of static PII.
“The problem with centralized data is that it gets compromised a lot,” he told Webster, “and because it doesn’t change (because it’s static), once it’s compromised, it doesn’t work nearly as well for authentication. The data is out there — and someone else can use it for authentication or fraud.”
Compromised data includes passwords, too, of course. Eleveld told Webster the password may represent the weakest link among SCA’s mandates, as passwords are often forgotten by consumers or are already out there for fraudsters to seize.
In the increasingly mobile, increasingly tech-driven world, he continued, “individuals are linked to different types of PII, and if we keep ourselves from using static PII, we are bound to start using what is called dynamic PII.”
This type of data, Eleveld said, consists of email addresses, IP addresses and physical addresses — many of which are fluid and may change frequently. In one example, he said, 20 percent of the U.S. population moves every year, and knowledge of new addresses can be used to stay one step ahead of fraudsters.
These puzzle pieces of data can be linked to form a composite picture of an individual. By way of example, he said that Ekata has a database, global in scope, with 5 billion attributes in it that are all linked to people.
Other providers, he said, focus on device IDs, monitoring whether an individual has used a browser to conduct a transaction or log in to their bank account in the past.
As Eleveld put it, “If I have all this information linked to me, and I am on a device that has been used before — those are things that help build a picture [for merchants] that ‘this is probably that individual.’”
Behavioral data is also useful, he said, and can embrace the most infinitesimal of details — such as the way an individual taps away at a keyboard or screen. A historical look back on transactions can discover red flags or anomalies — for example, it’s unlikely that a consumer will transact across dozens of merchants in a day or two.
With transactions anonymized by cryptographic hashing (a method in which data is converted into unique strings of text) across Ekata’s own “identity network,” said Eleveld, a clear picture of consumer behavior emerges.
“We begin to see patterns between how often this phone number has been used or the shipping address, or how often an email address has been paired with this phone number or an IP address,” he said.
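The pattern described above, as an added example that is not Ekata’s code or any part of the original article: transactions are pseudonymized with a keyed hash so that attributes can be linked without exposing the raw PII, and then two velocity signals are counted over the hashed records: how many distinct merchants one email address hits within a 48-hour window, and how many distinct phone numbers it has been paired with. The pepper, the field names, the thresholds and the sample transactions are all constructed assumptions for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the network operator keeps a secret pepper so hashed attributes can be
# linked across participants but not reversed by a dictionary attack. Constructed value.
PEPPER = b"constructed-example-pepper-do-not-reuse"


def pseudonymize(attribute: str) -> str:
    """Normalize an attribute and replace it with a keyed hash (HMAC-SHA256)."""
    canonical = attribute.strip().lower()
    return hmac.new(PEPPER, canonical.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize(txn: dict) -> dict:
    """Return a copy of a transaction with every PII field replaced by its hash."""
    out = {"ts": datetime.fromisoformat(txn["ts"]), "merchant": txn["merchant"]}
    for field in ("email", "phone", "ip", "ship_addr"):
        out[field] = pseudonymize(txn[field])
    return out


# Constructed sample data: one ordinary customer and one email address that fans out
# across many merchants and many phone numbers within two days.
RAW_TRANSACTIONS = [
    {"ts": "2020-03-01T10:00:00", "merchant": "m_books", "email": "Alice@Example.com",
     "phone": "+1 555 0100", "ip": "203.0.113.5", "ship_addr": "1 Main St"},
    {"ts": "2020-03-09T12:00:00", "merchant": "m_shoes", "email": "alice@example.com",
     "phone": "+1 555 0100", "ip": "203.0.113.5", "ship_addr": "1 Main St"},
    {"ts": "2020-03-20T08:30:00", "merchant": "m_books", "email": "alice@example.com",
     "phone": "+1 555 0100", "ip": "203.0.113.5", "ship_addr": "1 main st"},
    {"ts": "2020-03-15T01:00:00", "merchant": "m_a", "email": "buyer@example.net",
     "phone": "+1 555 0200", "ip": "198.51.100.7", "ship_addr": "2 Oak Ave"},
    {"ts": "2020-03-15T01:20:00", "merchant": "m_b", "email": "buyer@example.net",
     "phone": "+1 555 0200", "ip": "198.51.100.7", "ship_addr": "2 Oak Ave"},
    {"ts": "2020-03-15T02:05:00", "merchant": "m_c", "email": "buyer@example.net",
     "phone": "+1 555 0300", "ip": "198.51.100.7", "ship_addr": "3 Elm Rd"},
    {"ts": "2020-03-15T23:40:00", "merchant": "m_d", "email": "buyer@example.net",
     "phone": "+1 555 0300", "ip": "198.51.100.9", "ship_addr": "3 Elm Rd"},
    {"ts": "2020-03-16T04:15:00", "merchant": "m_e", "email": "buyer@example.net",
     "phone": "+1 555 0400", "ip": "198.51.100.9", "ship_addr": "4 Pine Ct"},
    {"ts": "2020-03-16T18:00:00", "merchant": "m_f", "email": "buyer@example.net",
     "phone": "+1 555 0400", "ip": "198.51.100.9", "ship_addr": "4 Pine Ct"},
]


def partner_counts(txns, key, partner):
    """For each hashed `key` value, count the distinct hashed `partner` values seen with it."""
    partners = defaultdict(set)
    for t in txns:
        partners[t[key]].add(t[partner])
    return {k: len(v) for k, v in partners.items()}


def max_merchants_in_window(txns, key, window):
    """For each hashed `key` value, the most distinct merchants hit inside any `window`."""
    by_key = defaultdict(list)
    for t in txns:
        by_key[t[key]].append(t)
    result = {}
    for k, items in by_key.items():
        items.sort(key=lambda t: t["ts"])
        best = 0
        for i, start in enumerate(items):
            seen = {t["merchant"] for t in items[i:] if t["ts"] - start["ts"] <= window}
            best = max(best, len(seen))
        result[k] = best
    return result


def flag_velocity_anomalies(raw_txns, window_hours=48, max_merchants=5, max_phones=2):
    """Return the hashed email addresses whose activity exceeds either velocity threshold."""
    txns = [anonymize(t) for t in raw_txns]
    merchants = max_merchants_in_window(txns, "email", timedelta(hours=window_hours))
    phones = partner_counts(txns, "email", "phone")
    return sorted(e for e in merchants if merchants[e] > max_merchants or phones[e] > max_phones)


if __name__ == "__main__":
    for hashed_email in flag_velocity_anomalies(RAW_TRANSACTIONS):
        print("review:", hashed_email)
```

Because normalization happens before hashing, `Alice@Example.com` and ` alice@example.com ` collapse to the same token, so the counts are per person rather than per spelling; the thresholds are deliberately loose so that a customer shopping at a couple of stores over three weeks is never flagged, while one email tied to six merchants and three phone numbers inside two days is.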
The Need For Machine Learning
Those patterns can be teased out only through the use of machine learning-driven models, said Eleveld.
“There are multiple pieces of this decentralized data,” he told Webster. “Most merchants and most payment service providers are getting this data from multiple sources in a decentralized way, and, in some cases, they’re getting it from their own customers.”
But as fraudsters have leveraged computing power and have grabbed data, he said, the precision required to recognize all the patterns and tie them together into actionable insight requires automation and artificial intelligence (AI).
Why It’s Not Enough
Even with all this data, static and dynamic, with machine learning, with identity engines seeking to verify legitimate consumers and transactions, Webster posed the question: Is what we have in play already good enough — do we really need the SCA requirements that the regulators are proposing?
Eleveld said the jury’s still out. The mental picture many merchants have held of customer authentication may be tied to services such as Verified by Visa, where pop-up windows ask consumers for more details. Beyond the pop-up prompt, he said, there has not — up until now — been a lot of focus on SCA, as it had not been required by regulators until PSD2 debuted.
“Now, there are a lot of different folks, including us, who are trying to figure out how to help merchants and payment service providers and the ecosystem meet the requirements of the regulation while not inserting friction into the process,” he said. “It’s a moving target right now. No one really understands or has a good view for how this is going to play out.”
Even with the delays in place, some fundamental issues about SCA still linger, said Eleveld. He pointed to the fact that, as of yet, there is no precedent as to whether having device IDs in place might be “good enough” to meet the “what you have” requirement of the authentication laws.
In the absence of codified standards of what is “good enough,” he said Ekata has been working with corporate clients to develop and refine baseline models that work with batches of transactions, and to look at chargebacks and false positives to see whether the data being used is, in fact, “good enough” for SCA and might stand the test of regulators’ audits.
There’s at least some roadmap for regulators in place, he said, pointing to the fact that credit scoring models have been in place for decades and serve as a successful example of model governance.
But for right now, looking ahead, he said: “There is no ‘case law’ that helps codify what meets the standards. The challenge is that the regulators are going to have to get out in front and make some commitments about what they are going to decide is ‘good enough’ and what is not.”