Securing Online Transactions with eID & eIDAS
Credit cards and the internet may have a long history together, but credit card purchases are far from the only financial or contractual transactions that can be carried out online. There are established protocols for carrying out secure card payments, but the rules and conventions for other practices aren’t always as clearly defined.
In the EU, the eIDAS regulation, which covers both electronic identification (eID) and trust services, provides the rules for contracts, fund transfers, official documents, and other transactions that rely on trust services. What are eID and eIDAS, and how are they being used to ensure safe and secure online transactions?
Over the past year, many transactions, deals, and agreements that would have been hammered out and signed in-person were forced to take place in contactless online environments.
Our increasing reliance on digital contracts and electronic signatures has only served to emphasize the importance of having reliable, consistent ways to identify the parties involved and verify that they are exactly who they claim to be.
Some of the ad hoc or proprietary solutions created to meet this need may be able to fulfill the basic requirements, but they are not always designed to be interoperable with multiple document platforms.
The EU often shows a willingness to take a leading role in coming up with a regulatory response to online privacy and security issues, providing a framework for other markets to follow. In this case, the EU’s answer to security and authenticity concerns pertaining to online documents, signatures, and other trust issues is Electronic Identification (eID) and Electronic Identification, Authentication and Trust Services (eIDAS).
What is eID?
The goal of the EU’s eID regulation is to create a system in which EU citizens’ electronic identification can be used across national borders, in any member country. In other words, if you’re a citizen of Denmark and you set up an electronic ID, you can use that same ID if you end up moving to France and needing to engage in trust activities in that country.
An eID notified under eIDAS is meant to be accepted for online public services in other member states just as the issuing country's own eID would be. Each scheme is classified at an assurance level (low, substantial, or high) that reflects how rigorously the holder's identity was verified at enrollment and how strongly it is authenticated at use; at the higher levels, the confidence that the individual has been properly authenticated greatly reduces the risk of identity theft and fraud.
The eIDAS Regulation (EU) No 910/2014 was adopted in 2014. Its trust service rules have applied since July 2016, and since September 2018 all member states have been required to recognize each other's notified eID schemes.
Whether to apply for an eID is up to the individual, although there are plenty of incentives for doing so, such as the ability to register for government services online. The obligation to accept notified eIDs falls on the public-sector bodies that offer online services, while businesses that act as trust service providers must meet the regulation's requirements for the services they offer.
What is a Trust Service Provider?
In this regulatory context, a trust service provider is any natural or legal person that provides one or more trust services: creating, verifying, and validating electronic signatures, seals, time stamps, and registered delivery, issuing the certificates for those services and for website authentication, and preserving signatures and seals over time. In practice, these services safeguard electronic data, transmit it securely, and confirm that it has not been altered or misrepresented.
Typically, this involves the creation of digital certificates combined with some way of validating electronic signatures. DocuSign, for example, is a trust service provider widely used in U.S. markets.
Complying with eID and eIDAS regulations allows trust service providers to validate identities with official, government-backed electronic identification that remains consistent across all EU borders.
What is eIDAS?
It’s one thing to have a secure and consistent form of electronic identification, but you still need a framework for utilizing and properly authenticating it when conducting online transactions. This is what the eIDAS regulations cover, by laying out rules for handling electronic signatures, digital certificates, website authentication certificates, time stamps, seals, and other resources that trust services use to validate identities and documents. eIDAS distinguishes simple, advanced, and qualified electronic signatures; a qualified signature, created with a qualified certificate on a qualified signature creation device, has the same legal effect as a handwritten signature and must be recognized in every member state.
With eIDAS, the processes needed to authenticate and sign documents online are streamlined for the user without sacrificing security, transparency, or interoperability.
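The certificate-plus-signature mechanism that the trust service provider section and the eIDAS list above describe, shown as an added Go example that is not code from this page and not an eIDAS-qualified implementation: a stand-in root certificate issues a certificate to a signer, the signer signs a constructed contract, and a relying party verifies both that the signer's certificate chains to a root it trusts and that the signature matches the document as received. The certificate names, the P-256/SHA-256 choices, and the sample contract are assumptions for illustration. Real eIDAS verifiers take their trusted roots from the EU trusted lists and use standardized signature formats, neither of which this example implements.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument is what a relying party receives: the document, an ECDSA
// signature over its SHA-256 digest, and the signer's certificate in DER form.
type SignedDocument struct {
	Content   []byte
	Signature []byte
	SignerDER []byte
}

var serial int64 // toy serial-number counter for the illustrative CA

// issue generates a P-256 key pair and a certificate for it. With isCA set the
// certificate is self-signed (a root standing in for a provider's root);
// otherwise it is signed by parentKey, the step a provider performs after it
// has verified the person's identity.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// SignDocument signs the SHA-256 digest of content and attaches the signer's
// certificate so that a verifier can establish who signed.
func SignDocument(content []byte, signer *x509.Certificate, key *ecdsa.PrivateKey) (SignedDocument, error) {
	digest := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return SignedDocument{}, err
	}
	return SignedDocument{Content: content, Signature: sig, SignerDER: signer.Raw}, nil
}

// VerifyDocument performs the two checks a relying party needs: the signer's
// certificate must chain to a root in roots, and the signature must match the
// document as received. It returns the verified signer name.
func VerifyDocument(doc SignedDocument, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(doc.SignerDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("signer certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("signer certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(doc.Content)
	if !ecdsa.VerifyASN1(pub, digest[:], doc.Signature) {
		return "", errors.New("signature does not match the document")
	}
	return cert.Subject.CommonName, nil
}

// RunScenario exercises the flow on a constructed contract: the genuine
// document, a tampered copy, and a document signed under a root the relying
// party does not trust. It returns the signer name from the genuine check and
// the error from each of the three verifications.
func RunScenario() (string, error, error, error) {
	ca, caKey, err := issue("Example Trust Service Root", true, nil, nil)
	if err != nil {
		return "", err, err, err
	}
	signerCert, signerKey, err := issue("Anna Example", false, ca, caKey)
	if err != nil {
		return "", err, err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)

	contract := []byte("Lease agreement: 12 months at 900 EUR per month") // constructed sample
	doc, err := SignDocument(contract, signerCert, signerKey)
	if err != nil {
		return "", err, err, err
	}
	name, genuineErr := VerifyDocument(doc, roots)

	tampered := doc // same signature and certificate, altered content
	tampered.Content = []byte("Lease agreement: 12 months at 90 EUR per month")
	_, tamperErr := VerifyDocument(tampered, roots)

	// A certificate with the same name issued by a root the relying party
	// has not chosen to trust must be rejected before the signature is even checked.
	rogueCA, rogueKey, err := issue("Unrecognised Root", true, nil, nil)
	if err != nil {
		return name, genuineErr, tamperErr, err
	}
	rogueCert, rogueSignerKey, err := issue("Anna Example", false, rogueCA, rogueKey)
	if err != nil {
		return name, genuineErr, tamperErr, err
	}
	rogueDoc, err := SignDocument(contract, rogueCert, rogueSignerKey)
	if err != nil {
		return name, genuineErr, tamperErr, err
	}
	_, rogueErr := VerifyDocument(rogueDoc, roots)
	return name, genuineErr, tamperErr, rogueErr
}

func main() {
	name, genuineErr, tamperErr, rogueErr := RunScenario()
	fmt.Println("genuine:", name, genuineErr)
	fmt.Println("tampered:", tamperErr)
	fmt.Println("untrusted root:", rogueErr)
}
```

The order of the two checks in VerifyDocument is deliberate: a signature that verifies under a certificate nobody vouches for proves nothing about who signed, so the chain check comes first and the signature check only says whether this particular document is the one that certificate holder signed.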
For example, before issuing a qualified certificate a provider must verify the applicant's identity, and eIDAS allows that check to be performed not only in person but also remotely, by methods recognized at national level that provide equivalent assurance. Member states have used this to authorize video identification. This was especially helpful during a year of pandemic precautions and social distancing, but at any other time it still lets users avoid time-consuming and inconvenient in-person registration visits.
How do eID and eIDAS Prevent Fraud?
Many fraudsters still rely on social engineering, manipulation, and other low-tech deceptions, which no identity scheme can eliminate. Even so, it’s hard to overstate the benefits of a transparent, flexible, yet uniform system for managing a single electronic ID across all of the different trust services an individual might need to access.
Consider a user who has multiple electronic IDs for their personal bank, their mortgage lender, and the state office from which they receive services. Each ID represents a separate point of vulnerability that can be breached and mined for compromising data, and the user has to monitor and update each ID individually. As to whether or not each platform is upholding the latest standards in security, there may be no easy way for the user to tell.
By their very nature, systems like eID require strong centralized backing and some regulatory muscle in order to be effective. It’s hard to say when or if frameworks like eID and eIDAS will take hold outside of the EU, but in the meantime they’re providing an instructive example for trust service providers everywhere.
The eID and eIDAS regulations are designed for contracts and other transactions that fall outside of the realm of payment card transactions, which means that most retail merchants are unaffected by these issues and have bigger concerns on their plate—things like credit card fraud and chargebacks. While eID and eIDAS may work to prevent identity theft and other forms of fraud, they’re not going to have an impact on anyone’s chargeback rate.
Nevertheless, issues of online trust and identity are intertwined, and the lessons learned from fighting fraud in one arena can sometimes translate into beneficial practices elsewhere.
As always, it’s worth taking a close look at the EU’s proactive approach to online privacy and security issues to see how well they’re working and what challenges they might face.