DSRP – The magic behind those four letters
Since you have found your way to this blog post, the assumption is that you already know a bit about card tokenization and dynamic cryptograms and how they enhance security within payments. Contactless payments with HCE-enabled devices already leverage these security concepts, but they have yet to be put to use for online payments.
A Google search on e- and m-commerce gives clear indications of a significant increase over the next couple of years. There are over three billion internet users in the world today, and around 195 billion m-commerce transactions are expected to be conducted annually by 2019. These numbers suggest that the two security concepts mentioned above should be applied to online shopping as well. Mastercard has introduced a solution for this called Digital Secure Remote Payment (DSRP), which brings tokenization and dynamic cryptograms to e- and m-commerce.
Card-on-file transactions are the most common way to pay when shopping online in a browser or in-app. These transactions use static card data (such as the PAN, expiry date and CVC/CVV) provided by the consumer, the merchant or a third-party service at the time of checkout*. The card data is combined with payment details from the merchant and then sent to the issuer over the appropriate network for validation.
*Card data may come from three different sources during checkout:
1. Consumer: manually inputs the card data.
2. Merchant: if the merchant is certified, the consumer can choose to store card data at the merchant after the first visit, so the merchant can retrieve it whenever the consumer is ready for checkout.
3. Third-party service: consumers may create an account and store card data with services such as PayPal or Amazon Pay. The card data is then retrieved during checkout at merchants that offer this as a payment option.
Security mechanisms such as 3-D Secure exist to make online transactions safe and reliable. However, since the same static data is sent over the network for every transaction, anyone who captures it can reuse it for new transactions, and the exposure and the risk of fraud grow with each transaction.
This is where tokenization and cryptograms come into play. A dynamic cryptogram is unique to each transaction, so captured transaction data cannot be replayed: the cryptogram is valid for one single transaction and is rejected if it is presented again.
Another contributing factor is the direct link between the PAN and the bank account. Substituting the PAN with a device token through tokenization reduces that risk. A device token carries no sensitive information on its own and is of no value to anyone but the scheme's own token service provider, which holds the mapping back to the real PAN. Tokens can also be invalidated and discarded easily if the situation requires it.
Digital Secure Remote Payment
Digital Secure Remote Payment brings tokenization and dynamic cryptograms to online shopping in order to achieve the same level of transaction security as a contactless HCE transaction in-store. The transaction flow uses the capabilities of the mobile device and includes authentication, token retrieval and cryptogram generation. Facilitating this requires the online merchant and the wallet application to communicate, so both parties need to implement the relevant APIs and SDKs from Mastercard.
Every DSRP transaction goes through the mobile device, which holds the token, and the consumer is required to enter their mobile PIN to authenticate the payment. On successful authentication the device sends the token and the generated cryptogram to the online merchant, who processes them in place of card-on-file data.
DSRP brings EMV security to online payments using the consumer's own mobile device as the point of sale. An intriguing aspect is the absence of a terminal throughout the transaction. If the same security level can be achieved without a physical terminal, why do we still need them in stores? One important reason is that DSRP requires the device to be online, which will obviously not be possible everywhere, so terminals are still needed. But who can tell what the future will bring?
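To make the two mechanisms concrete, here is an added toy model of the flow described above: a token service provider issues a surrogate PAN (token) and a device key to a wallet, the wallet authenticates the user with a PIN and emits the token plus a per-transaction cryptogram, and the provider verifies the cryptogram, rejects replays and tampering, and detokenizes for the issuer. This is illustrative code written for this post, not Mastercard's DSRP or EMV implementation; the HMAC-based key derivation and cryptogram, the message fields, the class names and the card number are simplified stand-ins and constructed values.

```python
"""Toy model of tokenization plus per-transaction cryptograms for remote
payments. Added illustration, not Mastercard's DSRP or EMV code: the key
derivation, the cryptogram MAC and the message layout are simplified
stand-ins, and every PAN, key and PIN below is constructed."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional


def _mac(key: bytes, *fields: str) -> str:
    """HMAC-SHA256 over '|'-joined fields (stand-in for an EMV-style MAC)."""
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def session_key(device_key: bytes, atc: int) -> bytes:
    """Derive a per-transaction key from the device key and the transaction counter."""
    return hmac.new(device_key, str(atc).encode(), hashlib.sha256).digest()


def cryptogram(device_key: bytes, token: str, atc: int, amount: str, merchant: str) -> str:
    """Dynamic cryptogram bound to the token, counter, amount and merchant."""
    return _mac(session_key(device_key, atc), token, amount, merchant)


class TokenServiceProvider:
    """Scheme-side vault mapping tokens to PANs and device keys (hypothetical)."""

    def __init__(self) -> None:
        self.vault = {}      # token -> (PAN, device key); the only place the PAN lives
        self.last_atc = {}   # token -> highest transaction counter accepted so far

    def provision(self, pan: str) -> tuple[str, bytes]:
        """Issue a surrogate PAN (token) and a fresh device key for a wallet."""
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = (pan, key)
        self.last_atc[token] = 0
        return token, key

    def revoke(self, token: str) -> None:
        """Discard a token; the underlying card is untouched."""
        self.vault.pop(token, None)
        self.last_atc.pop(token, None)

    def validate(self, msg: dict) -> tuple[bool, str]:
        """Verify the cryptogram, reject replays, then detokenize for the issuer."""
        entry = self.vault.get(msg["token"])
        if entry is None:
            return False, "unknown or revoked token"
        pan, key = entry
        expected = cryptogram(key, msg["token"], msg["atc"], msg["amount"], msg["merchant"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False, "cryptogram mismatch"          # tampered amount, merchant, etc.
        if msg["atc"] <= self.last_atc[msg["token"]]:
            return False, "replay: transaction counter not advanced"
        self.last_atc[msg["token"]] = msg["atc"]
        return True, "detokenized to PAN ending " + pan[-4:]


class Wallet:
    """Mobile wallet holding the token, the device key and a PIN (hypothetical)."""

    def __init__(self, token: str, device_key: bytes, pin: str) -> None:
        self.token, self.key, self.pin = token, device_key, pin
        self.atc = 0

    def pay(self, pin: str, amount: str, merchant: str) -> Optional[dict]:
        """Authenticate with the PIN, advance the counter, emit token + cryptogram."""
        if not hmac.compare_digest(pin, self.pin):
            return None
        self.atc += 1
        return {"token": self.token, "atc": self.atc, "amount": amount,
                "merchant": merchant,
                "cryptogram": cryptogram(self.key, self.token, self.atc, amount, merchant)}


def demo() -> list[tuple[bool, str]]:
    """Normal payment, replay of the same data, tampered amount, second payment, revoked token."""
    tsp = TokenServiceProvider()
    token, key = tsp.provision("5500000000000004")      # constructed test PAN
    wallet = Wallet(token, key, pin="1234")
    results = []
    first = wallet.pay("1234", "49.90", "shop.example")
    results.append(tsp.validate(first))                 # accepted
    results.append(tsp.validate(first))                 # identical data again: replay
    results.append(tsp.validate(dict(first, amount="4990.00")))  # MAC no longer matches
    results.append(tsp.validate(wallet.pay("1234", "12.00", "shop.example")))  # accepted
    tsp.revoke(token)
    results.append(tsp.validate(wallet.pay("1234", "1.00", "shop.example")))
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The contrast with card-on-file is the point: with static PAN/expiry/CVC, the second and third messages would look exactly like a legitimate purchase, whereas here the merchant only ever sees a token that is useless outside the provider's vault and a cryptogram that is bound to one counter value, one amount and one merchant.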
If the focus is on a digital mobile strategy, the next steps are to start with tokenization and Masterpass, which are the foundations that must be in place to achieve DSRP. Should you like to learn more about this, please do not hesitate to reach out to firstname.lastname@example.org