
mercari
August 25, 2022

Credit Card Payment Security: adding 3D Secure SDK for Merpay iOS

Security is our primary concern when it comes to payment services.
This is why, among other important features, we implemented 3D Secure for credit card payments in collaboration with Payment Service Providers (PSPs). Thanks to this new feature, we protect our users and make sure that their credit card cannot be used by others on Mercari.
------
Merpay Tech Fest 2022 is a three-day online technology conference.
It runs for three days, from Tuesday, August 23 to Thursday, August 25, 2022, and is aimed at software engineers working at IT companies and anyone interested in Merpay's technology stack. Merpay Tech Fest is a festival where you can deepen your interest in technology through its connection to the business and learn about the engineering that supports our products and services. The sessions will present the trial and error and the approaches taken toward the organization, technology and challenges that support the business. Stay tuned!

■ Event information
- Official website: https://events.merpay.com/techfest-2022/
- Registration page: https://mercari.connpass.com/event/249428/
- Twitter hashtag: #MerpayTechFest
■ Links
- Mercari / Merpay event list: https://mercari.connpass.com/
- Mercari careers site: https://careers.mercari.com/
- Mercari Engineering Blog: https://engineering.mercari.com/blog/
- Mercari engineering Twitter account: https://twitter.com/mercaridevjp
- Merpay, Inc.: https://jp.merpay.com/

Transcript

  1. Credit Card Payment Security: adding 3D Secure SDK for Merpay iOS

    Mikael LE GOFF, iOS Engineer, Merpay
  2. Mikael / @mikael, iOS Engineer, Merpay

    Focused on iOS development, starting with Objective-C. Passionate about Fintech and teamwork, he joined Merpay in 2019 and now spends his energy on providing the best user experience for Merpay and Mercari iOS users. He is also passionate about project management and, as a scrum master, helps teams achieve their best results when necessary.
  3. 3D Secure

    01 What is 3D Secure?
    02 Problem we needed to solve
    03 How to identify security risks
    04 Security and trust using 3DS SDK for iOS
    05 Implementation details
  4. What is 3D Secure?

    The 3D Secure protocol is aimed at securing authentication in both browser-based apps and mobile-based apps for online payment. "3D" here means the 3 domains: Issuer, Interoperability, Acquirer.

    - Issuer Domain: the card issuer
    - Interoperability Domain: infrastructure provided by the card scheme (credit, debit, prepaid or other types of payment card) to support the 3-D Secure protocol
    - Acquirer Domain: the bank and the merchant to which the money is being paid
  5. What is 3D Secure?

    A bit of history:
    - 1999: Created by Celo Communications AB (now Thales Group) under the name “p42”
    - 2001: Improved by Arcot Systems and Visa Inc under the new name “Visa Secure”
    - 2016: Release of version 2 of the protocol by EMVCo in order to comply with new EU authentication requirements
  6. What is 3D Secure?

    How does it work?
    1. A user will try to buy goods with a credit card
    2. The 3DS system will estimate the transaction risk
    3. The user might be asked to input a one-time password in order to proceed with the purchase
  7. 3D Secure

    01 What is 3D Secure?
    02 Problem we needed to solve
    03 How to identify security risks
    04 Security and trust using 3DS SDK for iOS
    05 Implementation details
  8. Problem we needed to solve

    Stolen credit cards shouldn’t be usable in our product.
    There are many ways to steal a credit card. It could be done offline or online.
    - offline: people could take a picture of your credit card.
    - online: your credit card information could be leaked following a hack.
  9. Problem we needed to solve

    A scenario example without 3D Secure. (Note that 100% of our transactions are now using 3DS.)
    1. User A will have his credit card stolen
    2. User B will try to buy an item on Mercari with the stolen credit card
    3. Without 3D Secure, Mercari had no way to know that the card was stolen and proceeded with the purchase
  10. 3D Secure

    01 What is 3D Secure?
    02 Problem we needed to solve
    03 How to identify security risks
    04 Security and trust using 3DS SDK for iOS
    05 Implementation details
  11. How to identify security risks?

    During a purchase on Mercari, we ask ourselves:
    • Is the item at high risk of being bought by fraudulent users?
    • What are the risks the credit card was stolen?
    We can estimate the probability of fraudulent purchases thanks to Anti Money Laundering systems, but we also want to make sure that only the owner of the credit card can use it for payment. We use 3DS to assess the risk of a card transaction.
    (Screenshot: Mercari checkout screen)
  12. How to identify security risks?

    3DS can judge a card transaction and return a risk level:
    - Low: Frictionless
    - Medium: password is required
    - High: Transaction refused
  13. 3D Secure

    01 What is 3D Secure?
    02 Problem we needed to solve
    03 How to identify security risks
    04 Security and trust using 3DS SDK for iOS
    05 Implementation details
  14. Security and trust using 3DS SDK for iOS

    By adding the 3D Secure SDK to our client applications, we bring more trust to our users by making sure that only the real owner of the credit card can use it on our platform.
    - If somebody stole your credit card, he won’t be able to use it on Mercari.
    - If a buyer tries to purchase your items with a stolen credit card, he will be stopped.
    (Image: Credit card)
  15. Security and trust using 3DS SDK for iOS

    What is the 3DS requested password?
    - The password is often a one-time password (OTP) provided by your credit card issuer.
    - It means that you will be asked for a new password for every medium-risk transaction made.
    - Usually, credit card issuers will simply send you an OTP by SMS to your personal phone number.
  16. 3D Secure

    01 What is 3D Secure?
    02 Problem we needed to solve
    03 How to identify security risks
    04 Security and trust using 3DS SDK for iOS
    05 Implementation details
  17. Implementation details

    After confirmation of a credit card payment request, we can show a 3D Secure modal from the 3DS SDK. You will be asked for your credit card OTP in order to proceed with the purchase. Other flows lead to a successful frictionless payment or a refused payment.
    (Screenshots: Mercari checkout screen; 3DS password check screen)
  18. Implementation details

    We worked with partners to achieve the integration.
    (Diagram: Merpay iOS App with 3DS SDK → Partner → Merpay Backend, with card schemes Visa, Amex, …)
  19. Implementation details

    Merpay iOS App + 3DS SDK. Adding a new SDK to our codebase:
    - We need to make sure it won’t impact our performance, security and app binary size.
    - The SDK also needed to be an xcframework (mandatory since Xcode 12) in order to support the transition to the M1 arm64 architecture.
    - The SDK can also be updated.
    - It should not impact previous Mercari versions.
    - An abstraction layer using Swift protocols on the client side is useful for future developments (ex: it allows testing with a mock 3DS SDK).
  20. Implementation details: difficulties 1/2

    Bug fixing on both sides, Merpay and Partners
    • Because of the system complexity, bugs were found. It was necessary to debug, based on the SDK logs, with our partners in order to identify the source of a problem (in-house code or 3DS SDK).
      ◦ This requires a deep understanding of the SDK specifications
      ◦ Preparation of the key data before each meeting in order to be efficient
      ◦ Use simple and efficient English to help understand the topics and be more inclusive
    Legacy support
    • At Merpay, we use Feature Flags in order to deliver new features and do A/B testing.
      ◦ This allows releasing new features in small increments (ex: 10% of users first)
      ◦ But this increases the complexity of the code and requires non-regression testing by QA.
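The protocol abstraction, mock SDK and feature-flag gating described on slides 19 and 20, together with the three risk outcomes of slide 12 and the post-confirmation flow of slide 17, as an added Swift example. It is not Merpay's code and not the vendor SDK's API: ThreeDSClient, ThreeDSOutcome, Mock3DSClient, FeatureFlags and CheckoutFlow are hypothetical names, and the synchronous, throwing interface is an assumption (a real SDK would typically be callback- or async-based). Runs stand-alone with `swift file.swift`.

```swift
import Foundation

// Added example, not Merpay's code and not the vendor SDK's API: every type below
// (ThreeDSClient, ThreeDSOutcome, Mock3DSClient, FeatureFlags, CheckoutFlow) is a
// hypothetical name chosen to illustrate the abstraction layer described in the deck.

/// Result of the 3DS risk assessment, one case per risk level on slide 12:
/// low -> frictionless, medium -> OTP challenge, high -> refused.
enum ThreeDSOutcome: Equatable {
    case frictionless(transactionId: String)
    case challengeRequired(transactionId: String)
    case refused(reason: String)
}

enum ThreeDSError: Error {
    case sdkUnavailable
    case challengeCancelled
}

/// The abstraction layer: the app depends only on this protocol, so the vendor
/// xcframework can be updated, swapped, or replaced by a mock in tests.
protocol ThreeDSClient {
    /// Ask the 3DS system to assess a card transaction.
    func assess(amount: Decimal, cardToken: String) throws -> ThreeDSOutcome
    /// Present the issuer's OTP challenge for a transaction; true if the user passed it.
    func runChallenge(transactionId: String) throws -> Bool
}

/// Mock SDK for unit tests: returns whatever outcome the test configures.
struct Mock3DSClient: ThreeDSClient {
    var outcome: ThreeDSOutcome
    var challengePasses = true
    var failsWith: ThreeDSError? = nil

    func assess(amount: Decimal, cardToken: String) throws -> ThreeDSOutcome {
        if let error = failsWith { throw error }
        return outcome
    }

    func runChallenge(transactionId: String) throws -> Bool {
        if let error = failsWith { throw error }
        return challengePasses
    }
}

/// What the checkout flow reports back to the rest of the app.
enum PaymentResult: Equatable {
    case completed(transactionId: String)
    case declined(reason: String)
}

/// Feature flag for incremental rollout (slide 20): flag off keeps the legacy flow.
struct FeatureFlags {
    var threeDSEnabled: Bool
}

struct CheckoutFlow {
    let client: ThreeDSClient
    let flags: FeatureFlags

    /// The post-confirmation step from slide 17. Every assessment outcome is handled
    /// explicitly and any SDK error fails closed, so once the flag is on a card is
    /// never charged without a positive 3DS result.
    func pay(amount: Decimal, cardToken: String) -> PaymentResult {
        guard flags.threeDSEnabled else {
            // Legacy path (pre-3DS behaviour), kept only while the flag is being rolled out.
            return .completed(transactionId: "legacy-\(UUID().uuidString)")
        }
        do {
            switch try client.assess(amount: amount, cardToken: cardToken) {
            case .frictionless(let id):
                return .completed(transactionId: id)
            case .challengeRequired(let id):
                // The SDK presents the issuer's OTP page sheet; the app only learns pass/fail.
                return try client.runChallenge(transactionId: id)
                    ? .completed(transactionId: id)
                    : .declined(reason: "authentication failed")
            case .refused(let reason):
                return .declined(reason: reason)
            }
        } catch {
            return .declined(reason: "3DS error: \(error)")
        }
    }
}

// Unit-test style checks against the mock, using constructed sample values.
let flags = FeatureFlags(threeDSEnabled: true)

let low = CheckoutFlow(client: Mock3DSClient(outcome: .frictionless(transactionId: "tx-low")), flags: flags)
assert(low.pay(amount: 1200, cardToken: "tok_sample") == .completed(transactionId: "tx-low"))

let mediumFail = CheckoutFlow(client: Mock3DSClient(outcome: .challengeRequired(transactionId: "tx-med"), challengePasses: false), flags: flags)
assert(mediumFail.pay(amount: 1200, cardToken: "tok_sample") == .declined(reason: "authentication failed"))

let high = CheckoutFlow(client: Mock3DSClient(outcome: .refused(reason: "high risk")), flags: flags)
assert(high.pay(amount: 1200, cardToken: "tok_sample") == .declined(reason: "high risk"))

let sdkDown = CheckoutFlow(client: Mock3DSClient(outcome: .frictionless(transactionId: "x"), failsWith: .sdkUnavailable), flags: flags)
if case .declined = sdkDown.pay(amount: 1200, cardToken: "tok_sample") { print("all checks passed") }
```

Because the app talks only to ThreeDSClient, the vendor xcframework can be updated behind it and QA's legacy-versus-new regression matrix (slide 21) can be driven from the mock rather than from each issuer's live portal. The fail-closed `catch` is the check a reviewer would look for: an SDK error or an unknown outcome must end in a decline, never in a charge.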
  21. Implementation details: difficulties 2/2

    Quality Assurance
    • The system is complex and depends on many credit card issuers who present their portal through the 3DS SDK.
    • For each software iteration, our QA had to check the legacy and new flows, including testing the different card issuer scenarios.
    Improving UX with our partners:
    • UX is important. Over the months, we worked with our partners to reach a great Mercari user experience.
      ◦ We added self-explanatory error feedback
      ◦ We updated our payment flow in case of 3DS errors
      ◦ Discussed OS-specific user interactions, as we also have an Android implementation (ex: on Android a new activity is shown; on iOS a page sheet is presented)
  22. Credits to the team

    We worked for months all together… Project Manager, Android Engineers, UX Designers, Backend Engineers and our great partners, to bring this project to life. Thank you.
  23. Links

    • The latest 3D Secure specification is made by EMVCo, LLC.
      ◦ https://www.emvco.com/terms-of-use/?u=wp-content/uploads/documents/EMVCo_3DS_SdkSpec_210_1017-1.pdf
    • Data related to 3DS usage in the world
      ◦ https://www.ravelin.com/global-payment-regulation-map