Overview
PLUSCARD, a full-service processor for 140 financial institutions across Germany, worked with Entersekt and its partner Netcetera to launch the first FIDO Certified alternative to app-based authentication in Europe in June 2021. The solution gives customers the option to use FIDO2 Security Keys to authenticate themselves for payments with online merchants leveraging the latest EMV 3DS protocol.
The Challenge: Authenticating without a mobile device
PLUSCARD needed a way to authenticate customers for online transactions without relying on a mobile device that also aligned with PSD2 regulations for security and usability.
Every online payment that must be authenticated by PLUSCARD requires a verification of whether the account or card data were entered by the legitimate cardholder. Various methods exist that prove the identity of shoppers online, however most require the use of a mobile app. For customers that do not have a mobile device or prefer to make payments via a laptop or computer, there are very few secure alternatives available.
Company Profiles
PLUSCARD:
Full-service processor for 140 financial institutions across Germany
Netcetera:
Market leader for digital payment solutions
Entersekt:
Specialist in strong customer authentication
“You won’t necessarily attract customers with good authentication, but you definitely won’t lose any because of it.”
– Petra Silsbee, Head of Department, Prevention/Dispute Management, PLUSCARD
The Road to FIDO: Weighing PSD2-compliant options
Customer authentication procedures have become more complex in the EU due to the introduction of PSD2 and strong customer authentication (SCA). Under the regulation, processing via mobile devices guarantees compliance with the stricter requirements, while offering a better payment experience for consumers at the same time.
While many opted to use SMS OTPs, PLUSCARD prioritized security and usability from the beginning of their journey by initially opting for a proprietary mobile app in combination with biometrics. This met their needs for mobile-based users, but left a gap for customers who preferred or only had access to computers. To fill that gap, PLUSCARD concluded that FIDO2 Security Keys not only met regulations, but they weren’t tied to possession of a mobile device and excelled in both security and usability.
PLUSCARD also saw an opportunity to provide its customers with a consistent authentication and payment journey with FIDO. Not only can customers use their FIDO Security Keys to log into other common services like Google, Github and Twitter, they can now also use them to log into their account and pay — all within one shopping experience.
FIDO2 Implementation: Today and in the future
PLUSCARD, with Entersekt and Netcetera, implemented the FIDO standard in their joint solution.
Entersekt provides a FIDO server into the solution, which is certified by the FIDO Alliance. PLUSCARD’s cardholders can then register their FIDO Security Key with their bank. The security key is then linked to the customer’s credit card and can then be used to easily authenticate their online transactions at online merchants that have implemented EMV 3DS.
This works at any online merchant that has implemented the latest version of EMV 3DS. However, there are challenges with those merchants that have not yet updated to the newest version.
FIDO2 is a set of strong authentication standards that enables users to leverage common devices like on-device biometrics and FIDO security keys to authenticate to online services with phishing-resistant cryptographic security. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
“Authentication is not a one-time investment — it’s a journey,” said Petra Silsbee, Head of Department, Dispute Management, at PLUSCARD.
As more merchants are implementing the latest version of EMV 3DS, which supports FIDO authentication, they will be able to work FIDO into their checkout authentication process. With broader adoption on the horizon, PLUSCARD is looking to replace their proprietary mobile app with a FIDO-based on-device authentication option.
A Valuable Lesson Learned
“Authentication is not a one-time investment — it’s a journey,” said Petra Silsbee, Head of Department, Dispute Management, at PLUSCARD. “The goal isn’t just to comply with regulations and requirements, but to provide the best service and experience for customers. Be curious about the solutions available, ask questions, and don’t be afraid to start fresh if a previous investment isn’t meeting your needs and expectations.”
