EMVCo has released security requirements to support the development of multi-factor authentication (MFA) solutions capable of preventing or detecting attacks that could compromise the security of payment authentication. The "multi-factor authentication solutions for payments security requirements" document is publicly available from the EMVCo website.
MFA is an authentication method that requires the payee to provide two or more factors to confirm their identity. There are three types of authentication factors: "knowledge" (things you know), such as a PIN or password; "possession" (things you have), such as a smartphone; and "inherence" (things you are), such as biometrics.
MFA solutions
As the use of MFA solutions in payments increases, EMVCo has defined a set of security requirements for MFA solutions to address the security threats that could compromise the security of those solutions.
The work leverages EMVCo’s existing Security Evaluation Infrastructure, enabling solution providers to test their products and demonstrate that they meet payment industry expectations.
“As remote payments continue to gain traction, such as e-commerce transactions, it is paramount for consumers to be able to securely prove their identity and authenticate their transactions,” explains Joy Huang, Chair of the EMVCo Executive Committee.
He adds, “EMVCo recognises that MFA plays a crucial role in not only achieving this, but also giving the industry flexibility in how it wants to authenticate consumers using different credential combinations in different payment scenarios.”
MFA security requirements
EMVCo MFA security requirements support:
- Developers of MFA solutions for payments, to enable them to gain security evaluation certificates for their product components and solutions.
- Testing laboratories, to offer a clear evaluation process.
- Merchants, acquirers, and payment service providers, to share valuable and practical information on security performance characteristics and the "suitability" of MFA products.
EMVCo’s laboratory network
Huang adds: “It is vital to recognise why this is important – the evaluation process essentially works to assist developers in preventing and protecting against attacks using their devices or infrastructure, which could adversely impact other payment participants.”
He adds, “Optimising EMVCo’s expertise and framework is an effective way to address this issue. EMVCo MFA Security Requirements builds on an established and proven infrastructure offering vendors access to EMVCo’s laboratory network to achieve the standards needed to protect consumers and the wider payments ecosystem.”
Security evaluation process
EMVCo MFA Security Requirements cover payment authenticators used in a variety of consumer devices, including smartphones, laptops, vehicles, and IoT devices.
The supporting security evaluation processes test software and hardware components involved in the collection, processing, storage, transmission, and verification of data used for authentication during payment use cases.