Reference Design to Help Online Retailers Improve Security of Card-Not-Present Transactions
Callsign, CA Technologies, Rivetz, RSA, Splunk, TokenOne, and Yubico have joined the National Cybersecurity Center of Excellence (NCCoE) as technology collaborators in the Multifactor Authentication (MFA) for e-Commerce project.* In response to a call in the Federal Register, these companies submitted capabilities that aligned with the desired solution characteristics listed in the project description. These technology collaborators were extended a Cooperative Research and Development Agreement (CRADA; see example) enabling them to participate in a consortium in which they will contribute expertise and hardware or software to help refine a reference design and build an example standards-based implementation. This collaboration will result in a publicly available Cybersecurity Practice Guide (NIST Special Publication 1800 series) documenting a reference design that online retailers can implement to reduce fraudulent online purchases.
Consumer/Retail Challenge: Ensuring Online Purchaser Identity
When chip-and-PIN technology increased security at the point of sale (POS) in the UK and Europe ten years ago, malicious actors turned to e-commerce fraud. As retailers in the United States implement POS security measures, a similar increase in fraudulent card-not-present (CNP) e-commerce transactions may follow. Consumers, retailers, payment processors, banks, and card issuers are all affected by this fraud. Reducing e-commerce fraud depends in part on a higher level of assurance in purchaser or user identity.
Retailers recognize that customers could be put off by the complexity that multifactor authentication mechanisms may add to checkout and post-transaction processes. As such, the NCCoE laboratory build will explore different methods of challenging a consumer to provide multifactor authentication (MFA) only when risk calculations and data analytics (such as transaction and navigation details, behavioral web session monitoring, and device identification) indicate that fraud may be occurring. Multiple forms of multifactor authenticators, such as FIDO, out-of-band, and one-time-password devices, will be considered in order to give retailers and their customers a diverse set of implementation options. All products incorporated into the reference design will be standards-based, commercially available, and open-source products.
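To make the risk-triggered step-up concrete, the following is an added illustration (not code from the NCCoE build or any collaborator): it scores the kinds of signals named above and challenges only risky checkouts with MFA, offering the authenticator types the project lists. All field names, weights and thresholds are assumptions chosen for this example.

```python
from dataclasses import dataclass, field

# Constructed example of a risk-based step-up decision. Signals mirror the
# categories in the text (transaction details, navigation/session behaviour,
# device identification); weights and thresholds are illustrative assumptions.

@dataclass
class Checkout:
    amount: float
    customer_avg_amount: float       # baseline from the customer's prior orders
    device_known: bool               # device fingerprint seen on this account before
    ship_matches_bill: bool          # shipping address matches billing address
    seconds_on_site: float           # navigation detail: landing to checkout
    failed_payments_this_session: int
    country_matches_card: bool       # client geolocation vs. card issuing country

@dataclass
class Decision:
    action: str                      # "allow", "step_up" or "deny"
    score: int
    reasons: list = field(default_factory=list)
    accepted_authenticators: tuple = ()   # offered only when stepping up

STEP_UP_AT, DENY_AT = 40, 90         # assumed thresholds
AUTHENTICATORS = ("fido", "out_of_band", "otp_device")

def score_checkout(c: Checkout) -> Decision:
    """Combine risk signals and decide whether to allow, challenge, or deny."""
    score, reasons = 0, []
    if not c.device_known:
        score += 30; reasons.append("unrecognised device")
    if not c.ship_matches_bill:
        score += 20; reasons.append("shipping address differs from billing")
    if c.customer_avg_amount > 0 and c.amount > 3 * c.customer_avg_amount:
        score += 25; reasons.append("amount far above customer baseline")
    if c.seconds_on_site < 20:
        score += 15; reasons.append("checkout faster than a human browse")
    if c.failed_payments_this_session >= 2:
        score += 30; reasons.append("repeated payment failures")
    if not c.country_matches_card:
        score += 20; reasons.append("client country differs from card country")
    if score >= DENY_AT:
        return Decision("deny", score, reasons)
    if score >= STEP_UP_AT:
        return Decision("step_up", score, reasons, AUTHENTICATORS)
    return Decision("allow", score, reasons)
```

A low-risk returning customer passes without friction, while an unrecognised device combined with an address mismatch is challenged rather than blocked, which is the trade-off between fraud reduction and checkout friction described above.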
Collaborating on an Innovative Strategy
The NCCoE worked closely with retail organizations and other e-commerce payment stakeholders to develop a standards-based reference design that implements MFA tied to existing web analytics and contextual risk calculation, increasing assurance in purchaser or user identity.
In partnership with the technology collaborators, the NCCoE will build the reference design in a lab environment. The following diagram depicts the reference design’s high-level architecture.
How to Participate
The NCCoE anticipates attending and presenting our MFA for e-Commerce project at the PCI North America Community Meeting on September 13, 2017. Interested parties are encouraged to engage with us at this event or through our project web page.
If you have additional comments, questions, or would like to join the Community of Interest helping to guide this project and provide feedback, please email us at email@example.com.
*Certain commercial entities, equipment, products, or materials may be identified in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.