The value of digital transactions was projected to reach $8.49 trillion (USD) in 2022, growing annually thereafter by 12.31% to a projected $15.17 trillion (USD) by 2027. At the same time, in the online and digital payments world, a $20 billion (USD) loss due to fraud was projected.[1] Digital identity, or electronic ID (eID), is one component of payments the industry is looking into to bring that number down.
Electronic forms of ID are harder to forge than the traditional version, as well as more difficult to lose and easier to use, and they provide the holder of a credential with more control over their own personal data. Globally interoperable protocols for the identification of the credential holder and authentication of their data have been lacking. ISO/IEC 18013-5, Personal Identification – ISO-Compliant Driving License – Part 5: Mobile Driving License (mDL) Application, published in 2021, addresses that gap: it sets the minimum technical and functional requirements for eID interoperability, security and privacy, and provides a generic data model and protocols for mobile credentials, enabling:
- Secure wireless communication
- User control over what data is released
- Electronic authentication of that data
The standard was originally developed for the mDL document type, but it can also apply to many other credentials that involve complex security and privacy issues.
eIDs help provide the seamless authentication that is such an integral part of payments. Digital identity within a trusted framework helps speed authentication because if you have the right identity, you can authenticate on that identity. Thus, vendors can authenticate customers and authorize access to their services and products, with that access tracked and traced securely.
The goal is to reduce risk and build trust. Many initiatives can help in that endeavor, including:
- Life vectors, such as date of birth
- Government-issued digital identities
- Combinations of the above
Europe is leading the effort here,[2] but it should be noted that Arizona allows mDLs, and the U.S. Transportation Security Administration (TSA) accepts them as a valid form of ID to board an airplane. This fact suggests a significant amount of trust in eIDs.
What are the concerns about eIDs? The technology enabling the operational use of eIDs should facilitate both verification of the credential holder’s identity and authentication of the credential data. The technology should also be interoperable — it should work everywhere and always be available, regardless of internet connectivity. Most importantly, since sensitive personal data is involved, the technology should preserve privacy.
Several parties depend on eID proofing applications working properly for every individual in the identification session. Banks and other organizations must be able to ensure that every system in use correctly identifies and verifies the eID. Banks rely on proper identity verification to ensure that customers are who they say they are when making transactions. The primary security concern is ensuring that an eID proofing application does not allow anyone with a phony/faulty identity document to commit identity fraud. Allowing this to occur could be a liability issue as well as a brand protection one.
To ensure that eID proofing systems perform trustworthy inspections, stakeholders should first obtain a clear picture of the eID system deployed. Responsibilities for system configuration and maintenance should be clearly defined, along with who executes these activities and how often they take place. Controls on configuration, software updates, firmware updates and patches should be in place.
An ID contains your home address, your full name and other private information. Storing this private information on a mobile device raises data management concerns. Users want to know who will have access to their data and where it will be stored. Issuers and verifiers want to help ensure that the eID being presented isn’t counterfeit. Several risk mitigation methods can help ensure the security of the data for the user, issuing authority and verifier, including:
- Digitally signing the data and linking it to the issuing authority, and regularly updating these signatures
- Setting up encryption keys between the eID and the reader to prevent unauthorized access
- Supporting offline verification to prevent undesired tracking by an issuing authority
- Selective data sharing, such as when a retailer needs to verify the age of an individual purchasing an age-restricted item and the user chooses to share only their photo and birthdate
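How issuer signatures, offline verification and selective sharing fit together is easiest to see in code. The following is an added example, not part of the original article and not the encoding or algorithms that ISO/IEC 18013-5 specifies: a simplified model in which the issuer signs only salted digests of each data element, so a reader can check any disclosed subset without contacting the issuer. The names `Item`, `Issue` and `Verify`, the JSON layout, the Ed25519 key and the sample values are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Item struct { // one credential element (hypothetical model)
	Name, Value string
	Salt        []byte // random per element, so a withheld value cannot be guessed from its digest
}
func digest(it Item) [32]byte {
	b, _ := json.Marshal(it)
	return sha256.Sum256(b)
}

// Issue (issuer side) salts each element and signs only the list of digests.
func Issue(priv ed25519.PrivateKey, attrs map[string]string) (map[string]Item, []byte, []byte) {
	items, digests := map[string]Item{}, map[string][32]byte{}
	for name, value := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt)
		items[name] = Item{name, value, salt}
		digests[name] = digest(items[name])
	}
	signed, _ := json.Marshal(digests)
	return items, signed, ed25519.Sign(priv, signed)
}

// Verify (reader side, offline) checks the issuer signature, then each disclosed item.
func Verify(pub ed25519.PublicKey, signed, sig []byte, disclosed []Item) bool {
	var digests map[string][32]byte
	if !ed25519.Verify(pub, signed, sig) || json.Unmarshal(signed, &digests) != nil {
		return false
	}
	for _, it := range disclosed {
		if d, ok := digests[it.Name]; !ok || d != digest(it) {
			return false
		}
	}
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed issuer key
	items, signed, sig := Issue(priv, map[string]string{"birth_date": "1990-01-01", "resident_address": "1 Example St"})
	fmt.Println(Verify(pub, signed, sig, []Item{items["birth_date"]})) // address is withheld
}
```

The reader needs only the issuer's public key, the signed digest list and the items the holder chose to release; an altered value or a digest list signed by a different key fails the check.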
eIDs face critical issues concerning the security of private information while we try to speed up the payment process. In our next payments article, we will explore how adopting real-time payment (RTP) tools is accelerating as the finance industry shifts toward global standards for financial operational systems.
[1] Statista Research Department, Aug. 11, 2022, Statista, internet publication, Digital Payments - Worldwide | Statista Market Forecast, FIS Global Payments Report, 2022
[2] German Mission in the United States, https://www.germany.info/us-en/service/02-PassportsandIDCards/id-card-important-information/91786666666666666