Not too long ago, credit card fraud primarily involved the physical cloning of cards, a method that required criminals to obtain the actual card information. In response, the banking industry took significant steps to enhance security, most notably by incorporating EMV chip technology, which made it harder for fraudsters to replicate cards.
Today, however, the landscape has shifted. The rise of e-commerce has seen card-not-present (CNP) transactions skyrocket, becoming the global standard. Visa estimates that worldwide payment volume will reach a staggering US$7.3 trillion by 2025. While this shift has fuelled the digital economy, it has also opened the door to more sophisticated cybercriminal activities. Hackers now use increasingly advanced techniques to steal credentials, phish sensitive information, and drain accounts without ever needing physical access to cards.
With traditional passwords proving unreliable for authentication and one-time passwords (OTP) being increasingly ineffective against modern cyberattacks, Visa is moving towards passkeys as a solution that enhances both security and user experience.
“Visa’s overall mission is to be the best way to pay and to be paid everywhere,” said Samuel James, Senior Manager, Product Management at Visa, during his keynote speech, “Modernising Payment Authentication with Visa Payment Passkey,” at the FIDO APAC Summit 2024, held in Kuala Lumpur. “We continuously emphasise the health of the ecosystem, ensuring that payments remain as secure as possible,” James added, outlining the company’s broader strategy for combating rising fraud.
Authentication upgrade
Traditionally, the four-party card model in the payment ecosystem comprised the merchant, the acquirer, the issuer, and the cardholder. At first, authentication methods relied on static passwords under the EMV 3-D Secure 1.0 standard. However, over time, the industry adopted stronger measures, including biometrics and two-factor authentication, in later iterations to enhance security.
“This development introduced some critical changes, including the ability for the issuer to improve authentication without requiring the cardholder to take any additional steps,” James explained. “Essentially, issuers can analyse all the data related to a transaction and approve it based on their own risk assessment.”
Visa, however, found biometrics to be a significantly more secure authentication method, reducing fraud rates by 50% compared to SMS OTP. To address evolving fraud challenges, the company developed Visa Payment Passkey, which leverages Fast Identity Online 2 (FIDO2) standards. The feature requires consumers to complete a one-time set-up that binds their device to their Visa credentials. Once activated, Visa Payment Passkey allows consumers to authenticate transactions when checking out at participating merchants.
“If you are shopping with multiple credit cards on one phone, you would typically need to register each card separately,” James pointed out. “But for that one card and that one device, Visa Payment Passkey is now interoperable. You can opt in to set it up, then you’re redirected to the Visa domain for registration, and once that’s complete, the system works across all merchants. You verify your basic device, check there, and then that’s it.”
Seamless experience
Traditionally, consumers would have to re-enter their payment credentials for every e-commerce platform they used, creating a repetitive and often cumbersome process. However, with Visa’s passkey, consumers can authenticate payments using their biometrics. This significantly streamlines the process, James remarked.
“We believe that this process will reduce the load on everyone, improve the process, and increase successful transaction rates,” he said.
In addition, Visa’s customers have expressed a preference for anti-fraud measures that are not overly stringent, as such measures can sometimes prevent legitimate transactions from going through.
“We’re actively working with our partners to implement solutions that will help mitigate challenges in the e-commerce space. We want to lower friction as much as possible, increase those optimisation rates, and just keep the consumer experience as seamless as possible,” James noted.
Some key features of the Visa Payment Passkey include the following:
- Improved checkout experience: A robust, device-based payment authentication method that requires a single consumer registration and is enabled across all participating merchants.
- Integrated with Visa solutions: Features guest checkout via Cardinal Consumer Authentication, the new standard for online checkout from Click to Pay, and an upcoming integration with Visa Token Service for secure card-on-file payments.
- Robust compliance: Offers strong customer authentication, is compatible with EMV 3-D Secure (3DS), and helps businesses meet PSD2 SCA requirements in the EU.
Protecting the ecosystem
Ultimately, it’s about ensuring that all participants within the payment ecosystem — merchants, payment providers, and consumers — maintain a healthy and effective working relationship. It’s also crucial to strike a delicate balance between implementing robust fraud prevention measures and delivering an optimal customer experience, ensuring that security does not come at the expense of convenience.
“We believe that this initiative will deliver significant benefits to the full extent of the ecosystem, especially for the consumers. It should be a friction-reducing effort, with the aim of making the shopping experience more convenient,” James concluded.