Cybercrime Is Here to Stay

Towards Stronger Authentication

Today everything can be bought online: tickets, food, an Enzo Ferrari supercar or even a town, like Bridgeville in Northern California. However, the growth of online sales has an unwanted companion – cybercrime.

In 2013, the retail research company Martec International reported that cybercrime was growing almost 50 percent faster than e-commerce. According to Martec’s Retail Fraud Survey, e-commerce in 2012 grew by 16 percent while cybercrime grew by 23 percent. Data from 2017 shows variations, yet it is becoming more and more apparent: e-commerce and cybercrime go hand in hand, and this is unlikely to change in the long run.

The unwanted companion is virtually invisible but still costs online businesses tangible money. According to research by Symantec and BigCommerce, the average cost of a data breach is $4 million and has grown 29 percent in the last four years.

Each record breach in retail costs merchants an average of $172. But an even bigger problem is that each record breach raises churn by 2.9 percent and doubles the cost of customer acquisition for merchants who have experienced cybercrime attacks. So the focus is now on consumers.

PODCAST: E-Commerce and Cybercrime

At the EFSG Meeting in Ljubljana, Mercury Processing Services International's Aljoša Lovrić Petrić, Head of the innovation and prototyping department, and Ladislav Grgac, Product expert, explained how new technologies, used with the right products, can make online transactions faster and safer, with control in mind. Ladislav talks about it in this podcast episode.



Just as authenticating the customer is crucial in fraud prevention, so is implementing the right measures in the authentication process. Some big companies have beaten the competition using this insight: Amazon offered one-click checkout and Uber enabled paying for a taxi through a mobile app. Alas, less friction has been a good thing for customers, merchants and cybercriminals. Thus, in the EU, as of January 2018, Strong Customer Authentication will be mandatory.

Talking to MasterCard Slovenia's Boštjan Fabjančič, Director, and Luka Gabrovšek, Business Development Manager, we learned about the objectives of Strong Customer Authentication and what it means for the future of payments. 


What is strong customer authentication? 

As defined by PSD2, Strong Customer Authentication, or SCA for short, stands for an authentication process based on at least 2 out of 3 defined elements: Knowledge, Ownership and/or Inherence. These elements must be mutually independent of each other, and the execution of the SCA procedure should be designed to protect the confidentiality of the authentication data itself.

To sum up, SCA stands for additional confirmation by the consumer to better protect themselves and the data surrounding a sensitive service, such as access, payment, etc., being executed. It solely derives from and is based on the definitions of the EU PSD2 framework.

SCA strives to eliminate the use of static passwords, replacing them with one-time dynamic passwords, at the same time informing the consumer by providing a summary of the purchase, i.e. purchase amount and merchant name, via a secondary channel, so the consumer will have a good idea of what transaction is being confirmed each and every time.

How can banks and financial institutions keep security levels high without adversely impacting customer experience at the same time?

In the vast majority of product development, security is heavily linked to user experience as a trade-off. If one is positioned at a higher level, the other one must be at a lower one. The cost elements need to be included in the equation as well.

Why are we looking forward to the future? When MasterCard introduced two global platforms – tokenization via MDES and MasterPass – it set the stage for future payment service development that will enable both safety and usability to be improved at the same time, providing higher security with a superior, consistent and unified user experience.

We are promoting and supporting the so-called mobile-centric converged approach, which, in essence, places the consumer’s smartphone as a central digital payment device for all electronic payments, in-store via NFC and online, leveraging our MasterPass and 3DS digital platforms and biometrics solutions, all providing a bulletproof EMV level of security while simultaneously offering an excellent user experience.

What are your experiences in Slovenia and other countries regarding authentication? How are people using authentication and what type of authentication are they using? 

For years, Slovenia and the rest of Europe have been facing a decline in fraud levels on card payments, mostly because of the adoption of so-called "chip & pin" technology for card present transactions, which vastly improved security of electronic payments. PIN use became a standard and, compared to the cardholder’s signature, brings security to the next level without jeopardizing the user experience.

The problem areas remain in remote or card not present transactions, where a cardholder cannot be easily identified. This is the reason that, today, most card fraud is done online. Fortunately, things are improving in online commerce as well. New technologies and standards, like MasterCard’s DSRP (Digital Secure Remote Payments) standard, will eliminate the static data sharing and will bring "chip & pin" security into the online world.

With emerging digital wallets, plastic cards will also be replaced with the digitized ones, locked to a specific device. This is called tokenization of the cards and will enable the creation of dynamic cryptograms with each transaction, either for online or in-store use. Combined with biometrics for authentication, this will lower fraud levels.