Payment giants Visa and MasterCard announced plans to eliminate the need for password authentication in the companies’ respective “Verified by Visa” and “SecureCode” payment platforms, which are designed to add an additional layer of security to online transactions.
In a press release, MasterCard announced that the ultimate goal of an upgraded 3D Secure system, set to replace the current system next year, is to rely on “richer cardholder data” in order to limit password interruptions in the payment process. In the event that an authentication challenge is required, MasterCard says it plans to replace static, memorized passwords with one-time passwords and fingerprint biometrics. MasterCard is also sponsoring commercial tests to design facial and voice recognition applications for use as authenticators in the future, as well as a wristband that authenticates via cardiac rhythm.
Threatpost reached out to MasterCard for clarification on what the company means by “richer cardholder data” but did not hear back by the time of publication.
3D Secure is a card-not-present payment protocol developed by Visa and adopted by a number of other payment card companies. It was designed to curb the growing problem of fraudulent purchases being made online. When a Verified by Visa or SecureCode user enters her card information at an online merchant, the merchant then sends that payment data to Visa or MasterCard. The payment company replies with an iframe that presents the user with an additional password-based authentication form. If the customer enters the correct password, the merchant receives an authorization code to proceed with the transaction.
However, the 3D Secure protocol has been criticized for requiring users to remember yet another complicated password as well as for its user interface, which has been mistaken for a phishing scheme.
“All of us want a payment experience that is safe as well as simple, not one or the other,” said Ajay Bhalla, president of enterprise security solutions at MasterCard. “We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses.”