In short order, Mastercard, Visa and now Amex have made rapid strikes designed to not only bolster identity protection for online commerce, but to make that protection nearly invisible to the consumer.
Amex on Tuesday announced it has acquired InAuth, a mobile device authentication company that counts some of the largest banks, financial institutions, payment networks and merchants among its clients.
"It's not just the transaction that we're protecting. It's the device, the mobile phone, laptop and iPad, based on the characteristics of the device," said Anre Williams, president of the global merchant services and loyalty group at American Express.
Amex already uses InAuth's technology as part of fraud management alongside and in concert with SafeKey, Enhanced Authorization and Accertify, and plans to develop InAuth's reach as part of Amex's broader umbrella. InAuth will be a freestanding operation that's part of Amex, and will be able to expand its customer base, Williams said.
"We are global and that will help them grow faster," Williams said.
The expansion will accommodate a broader move away from plastic card transactions toward payments originated from smartphones and other connected devices. Amex reports 70% of merchants have experienced an increase in sales through online and mobile channels over the previous year and 60% have reported fraud from online and mobile sales.
Meeting these two disparate challenges has caused the card companies to make substantial additions to their security offerings. In just the past few days,
The goal in all cases is to turn ID security into more of a sophisticated scalpel that trims through data and devices to spot suspicious use, rather than a sledge hammer that requires more user ID steps from everyone in the name of reversing
An "invisible" layer of defence is becoming increasingly important, said Zil Bareisis, a senior analyst at Celent. "In other words, customer experience should be secure, but as frictionless as possible with technology helping financial institutions to assess transaction risk in the background."
This risk is designed to answer questions such as "does this transaction come from an unknown device? Or Is it an unusual purchase or request?," Bareisis said. "Device fingerprinting, use of contextual data such as geolocation and risk-based analytics are all techniques that the financial institutions can deploy to determine when and how to challenge the customer. However, all of this will not be effective without strong binding of customer identity to the device in the first place."
The addition of device ID is practically invisible to the user, Amex's Williams said.
"This changes nothing for the user," Williams said. "You use your mobile phone to log into your banking app, and [the bank] can see what device you are using...and if you are coming from the same device or a device it has never seen before. InAuth makes the bank aware of that to help vetting. And it happens early in the process, right when a consumer connects to the website."
Device ID is also designed to protect a specific type of fraud that targets computing devices.
"Payment companies want to avoid remote phone takeover," said Avivah Litan, a vice president at Gartner, adding remote account takeover has been prevalent in the PC world. "We are already seeing mobile fraud and account takeover escalate, as transactions continually increase on the mobile channel."
There's added competitive pressure, since since banks need to respond to user experience provided by e-commerce disruptors, which are rapidly upping their
"Consumers’ expectations for commerce have been shaped by the elegant and easy user experience put forth by Amazon and Apple, and that has set the new bar of expectations that the networks, banks, and merchants need to meet," said Julie Conroy, a research director at Aite Group. "As I talk to executives at banks, payment networks, and merchants, all are trying to find solutions that help them bring more security to transactions while not disrupting the customer experience."
