NCCoE, part of the National Institute of Standards and Technology, began researching new guidelines for online commerce after the implementation of EMV credit card technology became more common in the United States. Most cards now include embedded electronic chips, making them more difficult to counterfeit and sending malicious actors online instead. They have released a draft practice guide and expect to post a final in June, the guide is designed to help prevent credential stuffing and account takeovers, as well as remedy vulnerabilities such as failure to lock out users who enter multiple incorrect passwords.
The practice guide contains two scenarios that retailers can follow to implement multifactor authentication when a shopper exceeds expected cost thresholds and spends an uncharacteristic amount of money, or when the shopper triggers a risk engine by using an unfamiliar computer or logging in from an unfamiliar location. In most cases, a shopper would plug a physical, USB-based authentication key into his or her device as the second identification factor; someone who had the credit card data but not the key would not be allowed to proceed further.
The retail industry is open to additional measures to prevent misuse of credit card data online, but would like those measures to be “universal, industrywide practices” with open standards, rather than measures that can only be used through a partnership with the company that creates them. No matter the means of security, added protection could be a way for a retailer to differentiate itself in the market.
Read more at: BizTech