The National Cybersecurity Center of Excellence (NCCoE) is seeking public comment on a project aimed at reducing retail fraud in the U.S. The catalyst for the project is the uptick in fraud among European retailers since the rollout of EMV chip-and-PIN technology a decade ago: once chip cards made in-store (card-present) counterfeiting harder, fraud migrated to online, card-not-present (CNP) transactions.
The goal is to reduce the risk in e-commerce transactions by employing multi-factor authentication using existing web analytics and contextual risk calculation.
From the “Multifactor Authentication for e-Commerce” report:
The project process includes identifying stakeholders and systems participating in card-not-present transactions, defining the interactions between the stakeholders and retailer systems, identifying mitigating security technologies, and ultimately providing an example implementation.
This use case will help retailers implement stronger authentication mechanisms (methods to ensure the card user is authorized to use the card by the card owner) for e-commerce transactions in CNP scenarios, using standards-based, commercially available and open source products.
But retailers may be unenthusiastic about implementing multi-factor authentication mechanisms for card-not-present transactions because of a “reluctance to make the buying experience too cumbersome to consumers, which might push consumers to a competitor’s e-commerce site to procure the item(s) desired,” says Bill Newhouse, senior security engineer at the NCCoE and co-author of the project report.
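As an added illustration (not part of this article or of the NCCoE project's design), the following Python sketch shows the kind of contextual risk calculation that lets a retailer reserve a second factor for high-risk card-not-present orders, so that low-risk shoppers see no extra friction. The signals (geo-IP versus billing country, device familiarity, velocity, amount versus history), their weights, the step-up threshold and the simple one-time-code challenge are all assumptions chosen for this example, as are the sample transactions.

```python
"""Risk-based step-up authentication for card-not-present checkout.

Illustrative example only: the scoring signals, weights and threshold are
assumptions chosen for this page, not the NCCoE project's architecture.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    amount: float
    ip_country: str        # assumed signal: geo-IP from the web analytics layer
    billing_country: str   # from the order form
    device_known: bool     # returning device fingerprint/cookie seen before
    txns_last_hour: int    # velocity for this card token
    avg_amount: float      # historical mean for this card token (0.0 if none)


# Assumed threshold; a real deployment would tune weights from fraud data.
STEP_UP_THRESHOLD = 50


def risk_score(t: Transaction) -> int:
    """Additive score from contextual signals (weights are assumptions)."""
    score = 0
    if t.ip_country != t.billing_country:
        score += 40
    if not t.device_known:
        score += 25
    if t.txns_last_hour >= 3:
        score += 20
    if t.avg_amount > 0 and t.amount > 3 * t.avg_amount:
        score += 30
    return score


def decide(t: Transaction) -> Tuple[str, int]:
    """Return ("allow" | "step_up", score); only risky orders get a 2nd factor."""
    s = risk_score(t)
    return ("step_up" if s >= STEP_UP_THRESHOLD else "allow", s)


# Minimal second factor: a server-side one-time code delivered out of band,
# stored with an expiry, single-use, and compared in constant time.
_pending: Dict[str, Tuple[str, float]] = {}
CODE_TTL_SECONDS = 300


def issue_challenge(txn_id: str, now: Optional[float] = None) -> str:
    """Create a 6-digit code for the transaction (hypothetical delivery channel)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[txn_id] = (code, now + CODE_TTL_SECONDS)
    return code  # would be sent out of band, never echoed to the browser


def verify_challenge(txn_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Accept the code once, before expiry; any failure burns the challenge."""
    now = time.time() if now is None else now
    entry = _pending.pop(txn_id, None)   # single use: removed on first attempt
    if entry is None:
        return False
    code, expires = entry
    if now > expires:
        return False
    return hmac.compare_digest(code, submitted)


# Constructed sample transactions (not real data).
LOW_RISK = Transaction("t1", 42.00, "US", "US", True, 1, 38.00)
HIGH_RISK = Transaction("t2", 900.00, "RO", "US", False, 4, 38.00)

if __name__ == "__main__":
    for t in (LOW_RISK, HIGH_RISK):
        action, score = decide(t)
        print(t.txn_id, score, action)
        if action == "step_up":
            code = issue_challenge(t.txn_id)
            print("verified:", verify_challenge(t.txn_id, code))
```

The design point is that the second factor is only demanded when the contextual score crosses the threshold, which is how a retailer can add authentication strength for CNP orders without imposing a challenge on every returning customer. The challenge handling shows the minimum a practitioner would expect from the step-up path: codes are single-use, expire, and are compared with `hmac.compare_digest` rather than `==`.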
Public comments are being accepted through June 3. “The NCCoE adjudicates the comments one by one to see if we accept or reject the assertion, correction, or clarification being offered,” Newhouse says. “The comments can also help verify that the project has interest and that it merits continuing forward.”
The project will help produce a NIST Cybersecurity Practice Guide for the public that lays out the steps for identifying and authenticating purchasers during e-commerce transactions. “The Practice Guide demonstrates that there are existing technologies that can be composed/combined into a technical architecture that implements standards resulting in greater cybersecurity,” Newhouse says. It will also include information culled from a separate project around securing sensitive consumer data.