Since the inception of the World Wide Web, online retailers have been struggling in a continuous war against card-not-present (CNP) payment fraud. In accordance with card industry rules and guidelines, when the fraudulent purchases are disputed, the retailers almost always end up holding the bag.
Organizations spanning the payment ecosystem have attempted to help online retailers identify fraudulent transactions through the deployment of various technologies. One of the more effective technologies has been the use of multifactor authentication (MFA). Over the past several months, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has been working on a cybersecurity project involving multifactor authentication to help retailers reduce the risk of online fraudulent purchases.
The NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses' most pressing cybersecurity challenges. The NCCoE has just released draft practice guide NIST Special Publication 1800-17, Multifactor Authentication for E-Commerce.
The guide explores several risk-based scenarios that use MFA to increase assurance of purchaser identity and reduce fraudulent online purchases. Both standards and best practices were used to develop two reference designs leveraging commercially available technologies. The guide also maps capabilities to NIST guidance and control families, including the NIST Cybersecurity Framework.
Online retailers benefit from this by having less fraud and declining fewer good transactions. Machine-driven decisions translate to less time and effort needed by personnel to analyze transactions, which equates to significant operational savings. It also means online retailers can achieve a bigger "safety margin" from payment network fees associated with fraudulent transactions. And of course, declining fewer good transactions means increased revenue and satisfaction from genuine consumers.
# # #
RSA, along with other technology vendors, collaborated with the NCCoE on this project. The RSA team feels that the resulting guide helps meet a critical cybersecurity and economic need. The next step is to obtain feedback from the broader community. We encourage you to share your thoughts on this step-by-step guide to enhance it. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on October 22, 2018.
RSA's Adaptive Authentication Cloud was featured as an example implementation across multiple scenarios in this latest draft guide released by NCCoE. The goal of risk-based authentication is to provide online retailers with best-of-breed fraud mitigation while minimizing friction for genuine users.
* While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization's security experts can use to identify similar standards-based products that will fit within with their organization's existing tools and infrastructure.