Consumers are increasingly choosing to authenticate payment transactions using their own device. In this Q&A post, Jianhua Ni, Chair of EMVCo’s CDCVM Task Force, explains how EMVCo is addressing the increasing popularity of Consumer Device Cardholder Verification Methods (CDCVM) and working to promote security, reliability and convenience.
Firstly, what is a Consumer Device Cardholder Verification Method (CDCVM)?
Jianhua Ni: A Cardholder Verification Method (CVM) is used to confirm whether the person presenting a payment card is the legitimate cardholder. When an individual enters a PIN or signs their name to authorise a transaction, they are providing a CVM.
Now, the growing use of mobile devices for payments has enabled consumer authentication to be performed on the consumer’s own device via passcodes, passwords and patterns, as well as biometrics such as fingerprint, iris, voice and facial recognition.
This type of authentication on a consumer device is known as a Consumer Device Cardholder Verification Method (CDCVM). Technologies that enable CDCVM are called CDCVM solutions.
Why is EMVCo involved in this area and what activity is it undertaking?
Jianhua Ni: EMVCo is working to promote confidence and consistency by identifying and addressing specific security, functional and performance needs required for CDCVM solutions.
To prevent fraud, it is imperative that CDCVM solution assets (such as a user’s biometric or passcode) are adequately secured. Also, results must not be manipulated, falsified or exploited, and the solution must not be maliciously abused, disabled or bypassed. To support these objectives, EMVCo has published EMV® CDCVM Security Requirements and has established a Security Evaluation Process to help ensure CDCVM solutions maintain robust security and can withstand known attacks.
To promote a consistent user experience and global interoperability, EMVCo has also proposed industry best-practices to address key functional and performance considerations. This includes considerations like the recommended length of passwords and passcodes, capture points for patterns, and the number and frequency of incorrect authentication attempts.
The best-practice guidelines also include high-level biometric performance objectives to address false acceptance, false rejections and imposter attacks.
What other challenges is EMVCo working to address related to CDCVM?
Jianhua Ni: We know that CDCVM presents more complexity and variability than traditional CVM.
Unlike an online PIN, a CDCVM cannot be seen by the issuer. CDCVM solutions can use various components and functions on a device and can be used across many consumer devices manufactured by different original equipment manufacturers (OEMs) and deployed across many markets.
Put simply, this can make it more difficult for issuers to identify the precise CDCVM used for a particular payment transaction.
This has highlighted the need to provide more information about a CDCVM solution used during a transaction to enable issuers to make better-informed authentication and authorisation decisions for payments conducted on consumer devices.
To address this challenge, EMVCo is piloting a way to enable issuers and other participants to better identify CDCVM solutions – the EMV® CDCVM Solution ID and Database.
What is the EMV® CDCVM Solution ID and Database?
Jianhua Ni: Each registered CDCVM solution is assigned a unique, short identifier known as an EMV® CDCVM Solution ID, together with a set of related metadata of the CDCVM solutions being entered and maintained in the database.
This will allow a single value to be communicated to issuers, enabling them (or a service provider acting on their behalf) to access the CDCVM solution-related metadata.
What type of information will be registered in the Database?
Jianhua Ni: The CDCVM Database will include information such as CDCVM Solution Name, Solution Provider, Solution Type, Operating System (OS) and other data which may help to identify the CDCVM used during a transaction.
What are the industry benefits of the EMV® CDCVM Solution ID and Database?
Jianhua Ni: By accessing the Solution Database, Solution ID users such as issuers, acquirers, merchants and token service providers (TSPs) can build more accurate risk profiles for use during transaction authentication and authorisation. This is because it is easier to identify and analyse the integrity of the precise CDCVM used for a particular payment transaction.
It can also support innovation by CDCVM Solution Providers such as device manufacturers, OS and platform providers, and mobile application providers to support the broader industry adoption of CDCVM solutions.
What are the benefits of the pilot and how can organisations participate?
Jianhua Ni: Participating in the pilot provides the opportunity to test and provide input to the Database processes, integrate with the Database to test how it may be used in practice, and to refine the data which is collected in order to optimise its usefulness in risk analysis decisions.
To learn more and find out how you can get involved, contact the CDCVM Secretariat at firstname.lastname@example.org
Is EMVCo working with other industry bodies on CDCVM?
Jianhua Ni: Yes. EMVCo has collaborated with GlobalPlatform to simplify and bring greater trust to the authentication of digital services on smartphones and biometric-enabled cards. Originally established within EMVCo, the GlobalPlatform Secure Element Broker Interface will promote security and interoperability for mobile service providers and original equipment manufacturers across multiple sectors, delivering convenience, simplicity and familiarity to consumers. This activity came after EMVCo’s initial work demonstrated clear utility beyond payments.
In addition, EMVCo has been collaborating with the FIDO Alliance since 2016 focusing on how FIDO authentication standards can support EMV® payment use cases across all areas of EMVCo activity. EMVCo continues to work closely with the FIDO Alliance to ensure the FIDO Biometric Certification programme covers EMVCo’s performance requirements for CDCVM.