MasterCard's Digital Identity Verification
When you’re trying to prevent credit card fraud, one of the key challenges is answering a deceptively simple question: how do you know that the cardholder is who they say they are? In a card-present transaction, you can make use of PINs, EMV chips, and government-issued identification verified by human eyes. Online, in the card-not-present world of ecommerce, it’s less easy. Security tools can interrupt transactions to interrogate the cardholder to prove their identity, but this is an inelegant and off-putting solution. While third party solutions have done much to tame the ecommerce landscape, sometimes it takes action from the major card networks to solve the biggest challenges. Could it be that Mastercard has found an answer to the problem of verifying digital identities?
Back in March, Mastercard presented a consumer-centered framework for establishing and managing digital identity in a paper titled Restoring Trust in a Digital World. Last month, they announced their plans to begin testing a pilot program for real world applications of their model for digital identity.
A standardized global system for verifying cardholder identities could be quite the game changer where chargebacks are concerned. Not only would a better system for identity verification close up many of the authentication loopholes through which true fraud is perpetrated, it would make it much more difficult for cardholders to get away with “friendly fraud.”
Can Identity Verification Prevent Chargebacks?
Many friendly fraud disputes are escalated to chargebacks because existing identity verification methods are imprecise and leave some margin of error that allow cardholders to argue that otherwise valid-looking transactions weren’t really made by them. These suboptimal processes remain in place because merchants believe, often with good reason, that more demanding verification methods (such as two-factor authentication) lead to abandoned shopping carts and lost sales.
This leaves merchants in a catch-22 situation: tighten up verification methods and lose customers, or keep things as they are and deal with the resulting chargebacks. Mastercard is proposing nothing less than a paradigm shift in the way we handle individual identity online, and the ramifications could be huge—but as merchants who’ve survived other technological revolutions can tell you, every big change brings unintended consequences.
Will Mastercard’s vision for digital identity stop the credit card thieves and friendly fraudsters, or will it expose merchants to an entirely new set of challenges? It’s far too soon to tell, but we can take a closer look at what Mastercard has planned for their pilot program and see how the details of their new model for digital identity will impact merchants.
What is Mastercard’s Vision for Digital Identity?
Before we get into the nitty-gritty details of Mastercard’s pilot program, let’s review the guiding principles of its vision for digital identity. As outlined in Restoring Trust in a Digital World, Mastercard is starting from the premise that having control and ownership over your digital identity is a fundamental individual right.
Following from that, they determined that any workable scheme for digital identity management should be inclusive, simple and intuitive to use, confidential, and transparent. The individual should own their own digital identity and personal data, their right to confidentiality and privacy must be protected, and their consent should be sought before using or sharing their personal data.
Entities that make use of that data should practice transparency, maintain high levels of cybersecurity, and use personal data only for fair and non-discriminatory purposes. Under Mastercard’s model, individuals would have the right to access, correct, and delete their personal identity data, and would be able to choose their digital identity provider or opt out of the system entirely.
What Will the Pilot Program Involve?
The program is being launched in Australia, in cooperation with Australia Post and Deakin University. Two separate initiatives will test out the system’s functionality.
In the first phase of the rest, Deakin University used Mastercard’s digital identity verification system in their student registration process and online exams. Instead of relying on obsolete identification methods like single-factor passwords or cross-referencing numbers from government-issued ID documents, students will log in to the university’s registration and exam servers through Mastercard’s system.
In addition to this, Mastercard will be integrating their methodology with Australia Post’s existing digital ID system, giving users new options for logging in and identifying themselves in order to access postal products and services online.
Presumably, if the system works as intended and finds acceptance from users, Mastercard will expand the rollout to other markets.
But How Does This Actually Work?
The essential concept of Mastercard’s model is that digital identity resides with its owner, not in the database of some external, centralized authority.
To verify a user’s identity, the system relies upon a distributed network of trusted sources, combined with information residing in the user’s own internet-connected device, to validate that they are who they say they are. The outside sources queried might include banks, government agencies, or other participating organizations that can authenticate unique personal data.
Mastercard wants to avoid aggregating identity data—the system isn’t designed to add to an ever-increasing stack of identifying data that follows users around, but rather to minimize the amount of data that gets shared and exchanged and use only as much as is needed to verify identity. The goal is to protect the user’s privacy at every step in the process and ensure that they understand and consent to the ways in which their data will be utilized.
Mastercard’s plan looks promising, and it certainly seems to be built upon a foundation of pro-privacy values that should make it appealing to consumers. Adopting this new method of digital identity verification will not only help to reduce fraud and identity theft, it could also create a plethora of opportunities for seamless shopping and banking, streamlined account management, and greater accessibility to a wide range of online services.
Access to government systems and other online services that require a high level of security could be greatly improved, as many currently protect their users’ data by employing burdensome ad hoc identity verification procedures that many users find too much of a hassle to bother with.
Once again, we’re cautiously cheering on a big card network’s attempts at bold innovation, and we’re optimistic that if their plan takes hold, merchants will see a reduction in chargebacks and other benefits.