October 13, 2016
Rule/Behavior Based Payment Authentication
The world is rapidly evolving with technological inventions, and many of these advancements are happening in the payment industry. In the 90s, no one would have believed that mobile phones would be used to pay for day-to-day shopping, but it is happening now. The time is near when no one will carry cash, making paper money obsolete. Even countries in Africa now use mobile wallets for daily transactions (ref).
Unfortunately, technological advancements are accompanied by new challenges and risks. Money has always been the primary motivation for hackers. Now that people make payments online using credit cards, mobile wallets or other electronic means such as Android Pay and Apple Pay, these systems have become more attractive targets. Once information such as credit card details is stolen, hackers can use it to make fraudulent payments.
Banks and credit card issuers are introducing increasingly stringent security checks to track and block unusual payment activity. This is called risk-based authentication, which simply means that the greater the risk, the more authentication is required. An example is using a credit card abroad: it has to be cleared with the bank first, and at times you even have to specify which country you are visiting. Another example is an unusual Google account sign-in from a different country, where you may be asked security questions before gaining access. Banks and card companies also track each and every transaction looking for anomalies, and once they find a red flag, they give you a confirmation call.
With all this happening around payment security, all of it aiming to reduce the likelihood of fraudulent payments, companies should keep the customer experience in mind. Too many authentication steps and checks can ruin it. My idea is for payment institutions to offer customers a feature that lets them specify their own set of rules based on their usual payment behavior. The rules are either entered manually or generated automatically from past history. Strong authentication is then requested only where a transaction violates the rules. Rules could include a daily transaction limit, a monthly limit, specific online stores, retailers you usually buy from, countries you visit frequently, and retailer type, e.g. liquor store or bookstore. If any rule is violated, additional measures such as a PIN, OTP or biometric check could be requested from the user. Transactions matching the rules proceed as normal without additional checks.
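The rule engine the post sketches, written out as an added example (this is not code from the original post or from any payment provider). It covers both options the post describes: rules entered by hand as a `RuleSet`, or derived automatically from past history with `learn_rules`. The rule names, the 1.5x headroom factor used when deriving limits, the policy mapping violations to a step-up method, and the sample transactions are all assumptions made for the illustration.

```python
"""Rule-based step-up authentication for card/wallet transactions (illustrative)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Transaction:
    amount: float      # in the account currency
    merchant: str
    country: str       # country of the merchant
    category: str      # retailer type, e.g. "grocery", "liquor", "bookstore"
    day: date


@dataclass
class RuleSet:
    """Customer-defined expected behavior; anything outside it triggers step-up.

    A limit of None or an empty set means "no rule of that kind".
    """
    daily_limit: Optional[float] = None
    monthly_limit: Optional[float] = None
    known_merchants: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    usual_categories: Set[str] = field(default_factory=set)


def learn_rules(history: List[Transaction], headroom: float = 1.5) -> RuleSet:
    """Derive a RuleSet from past transactions (the post's "generated automatically" option).

    Limits are the largest daily / monthly spend seen so far times a headroom factor
    (assumed policy); merchants, countries and categories are those seen before.
    """
    daily: Dict[date, float] = {}
    monthly: Dict[Tuple[int, int], float] = {}
    rules = RuleSet()
    for t in history:
        daily[t.day] = daily.get(t.day, 0.0) + t.amount
        month = (t.day.year, t.day.month)
        monthly[month] = monthly.get(month, 0.0) + t.amount
        rules.known_merchants.add(t.merchant)
        rules.usual_countries.add(t.country)
        rules.usual_categories.add(t.category)
    if daily:
        rules.daily_limit = max(daily.values()) * headroom
        rules.monthly_limit = max(monthly.values()) * headroom
    return rules


def evaluate(tx: Transaction, rules: RuleSet, history: List[Transaction]) -> List[str]:
    """Return the names of the rules a new transaction would violate (empty = none)."""
    violations: List[str] = []
    spent_today = sum(t.amount for t in history if t.day == tx.day)
    if rules.daily_limit is not None and spent_today + tx.amount > rules.daily_limit:
        violations.append("daily_limit")
    spent_this_month = sum(
        t.amount for t in history
        if (t.day.year, t.day.month) == (tx.day.year, tx.day.month)
    )
    if rules.monthly_limit is not None and spent_this_month + tx.amount > rules.monthly_limit:
        violations.append("monthly_limit")
    if rules.known_merchants and tx.merchant not in rules.known_merchants:
        violations.append("unknown_merchant")
    if rules.usual_countries and tx.country not in rules.usual_countries:
        violations.append("unusual_country")
    if rules.usual_categories and tx.category not in rules.usual_categories:
        violations.append("unusual_category")
    return violations


def required_step_up(violations: List[str]) -> str:
    """Assumed policy: no violation -> no extra check; one -> OTP; several -> PIN + biometric."""
    if not violations:
        return "none"
    if len(violations) == 1:
        return "otp"
    return "pin_and_biometric"


# Constructed sample history for one customer (not real data).
SAMPLE_HISTORY = [
    Transaction(45.0, "Tesco", "GB", "grocery", date(2016, 9, 2)),
    Transaction(120.0, "Amazon", "GB", "online_retail", date(2016, 9, 10)),
    Transaction(30.0, "Tesco", "GB", "grocery", date(2016, 9, 18)),
    Transaction(60.0, "Tesco", "GB", "grocery", date(2016, 10, 1)),
    Transaction(25.0, "Waterstones", "GB", "bookstore", date(2016, 10, 1)),
]


def demo() -> Dict[str, Tuple[List[str], str]]:
    """Evaluate three constructed transactions against rules learned from SAMPLE_HISTORY."""
    rules = learn_rules(SAMPLE_HISTORY)
    candidates = {
        "usual_grocery": Transaction(40.0, "Tesco", "GB", "grocery", date(2016, 10, 5)),
        "new_merchant": Transaction(100.0, "Currys", "GB", "online_retail", date(2016, 10, 20)),
        "abroad_liquor": Transaction(200.0, "Duty Free", "FR", "liquor", date(2016, 10, 12)),
    }
    results = {}
    for name, tx in candidates.items():
        violations = evaluate(tx, rules, SAMPLE_HISTORY)
        results[name] = (violations, required_step_up(violations))
    return results


if __name__ == "__main__":
    for name, (violations, step_up) in demo().items():
        print(f"{name}: violations={violations} -> step-up={step_up}")
```

A routine grocery purchase matches every rule and goes through untouched, a first purchase from a new online retailer trips only the merchant rule and gets an OTP prompt, and a large liquor-store purchase abroad breaks several rules at once and gets the strongest check. The engine only decides *whether* to challenge; the challenge itself (PIN, OTP, biometric) is whatever the issuer already supports.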