Global card network provider Visa aims to phase out the two-factor authentication (2FA) process on routine card transactions during digital checkouts and replace that scrutiny layer with a risk-based prompt, in which only transactions deemed unusual or risky by banks would be vetted through a One Time Password (OTP) check.
For this, Visa plans to hold discussions with domestic regulators and its banking partners on how the 2FA norms can be relaxed over time and brought in line with global best practices, a top company executive told ET. This has been highlighted in the California-based network operator's multi-pronged security roadmap for its Asia Pacific markets, aimed at enhancing the resilience of digital payments. "We think 2FA is important but what we think is even better is using 2FA in a risk-based manner," said Joe Cunningham, head of risk, Asia Pacific, Visa. "The real growth of our industry is happening through the e-commerce space. To give consumers a wonderful experience some friction needs to be removed."
Typically, debit and credit card transactions on these platforms are authenticated through a two-layer security process known as 2FA. The first clearance happens when the consumer enters the card details, for which the card CVV and expiry date are sought. The second step of authentication is a password-based check, typically an OTP, which Visa feels is not necessary for all transactions, as most of them are "routine."
The alternative proposed is risk-based monitoring of transactions through a data-vetting standard called EMV 3-D Secure, which has been adopted in several countries in recent years, including Singapore and Australia. "If you take a risk-based approach, the vast majority of transactions will go through seamlessly as most are low risk and are typically low value and from an IP address you know very well," said Cunningham.
"We should allow these transactions to flow more fluidly and encourage the adoption of digital payments and e-commerce; only in cases where our clients (banks) deem these transactions to be a prior risk then a prompt is required for an extra factor authentication."
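To make the risk-based step-up described above concrete, here is an added illustrative example (not Visa's or any issuer's actual EMV 3-D Secure scoring logic): an issuer-side decision function that lets a low-value purchase from an IP address already seen on the card pass frictionlessly, and requires an OTP challenge when the amount or the origin is unusual. The card history, IP addresses, merchants and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import median

# Illustrative thresholds (assumptions for this example, not issuer rules).
HIGH_VALUE_LIMIT = 500.0   # above this amount, always step up to OTP
SPIKE_FACTOR = 3.0         # more than 3x the card's median spend is "unusual"


@dataclass(frozen=True)
class Transaction:
    card_id: str
    amount: float
    ip: str
    merchant: str


# Constructed "routine" history for one card: small purchases from one home IP.
HISTORY = [
    Transaction("card-1", 12.50, "203.0.113.7", "coffee-shop"),
    Transaction("card-1", 30.00, "203.0.113.7", "grocer"),
    Transaction("card-1", 18.75, "203.0.113.7", "coffee-shop"),
    Transaction("card-1", 42.00, "203.0.113.7", "bookstore"),
]


def assess(txn, history):
    """Return ("frictionless", []) when no OTP is needed, else ("challenge", reasons)."""
    past = [t for t in history if t.card_id == txn.card_id]
    reasons = []
    if not past:
        # No behaviour to compare against: treat the card as unknown and step up.
        reasons.append("no transaction history for this card")
    else:
        if txn.ip not in {t.ip for t in past}:
            reasons.append(f"IP {txn.ip} never seen for this card")
        typical = median(t.amount for t in past)
        if txn.amount > SPIKE_FACTOR * typical:
            reasons.append(f"amount {txn.amount:.2f} exceeds {SPIKE_FACTOR:g}x typical {typical:.2f}")
    if txn.amount > HIGH_VALUE_LIMIT:
        reasons.append(f"amount exceeds high-value limit {HIGH_VALUE_LIMIT:.2f}")
    return ("challenge" if reasons else "frictionless"), reasons


if __name__ == "__main__":
    for txn in [
        Transaction("card-1", 25.00, "203.0.113.7", "grocer"),        # routine
        Transaction("card-1", 25.00, "198.51.100.9", "grocer"),       # unfamiliar IP
        Transaction("card-1", 320.00, "203.0.113.7", "electronics"),  # spend spike
        Transaction("card-2", 10.00, "203.0.113.7", "grocer"),        # unknown card
    ]:
        print(txn.merchant, txn.amount, assess(txn, HISTORY))
```

In a real deployment the reasons list would feed the issuer's fraud analytics and the challenge decision would be carried in the 3-D Secure authentication response rather than printed.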