Mobile
IDentity
Authentication
Standard

Mission statement

The MIDAS alliance is a global membership organisation that represents key stakeholders in the information security community. Our primary aim is to promote innovation through collaboration by creating an arena for knowledge sharing to help bridge the gap between the Regulatory and Industry outlook on preventing security breaches.

What is MIDAS (Mobile Identity Authentication Standard) and why is there a need to create a MIDAS alliance?

New security standards go well beyond anything currently on the market, and the industry needs to understand the strictures it will have to adhere to. The MIDAS Alliance will help develop payment standards that provide simple processes for preventing online fraud.

MIDAS in the US

With the forthcoming US migration over to EMV, both directly for credit card payments and indirectly as a model for access to online public services, it makes sense for the US solutions market to consider the lessons learned from other advanced economies that have had experience of EMV for over a decade.

As President Obama and United Kingdom Prime Minister Cameron announced in January 2015, the US and UK will share lessons from their respective experiences in Cyber Security, including security of payments.

The lesson of EMV implementation in the UK was not so much a dramatic fall in overall card fraud as the displacement of fraud from ‘card present’ to ‘card not present’ transactions, primarily online. This experience changed how other international Regulators viewed the problem of preventing online fraud, and the same shift can be expected to migrate to the US market.

Initiating technology that addresses these far reaching requirements is at the very heart of the MIDAS Alliance.

Why is there an imminent need for MIDAS and a MIDAS alliance?

There are regulatory drivers that make a MIDAS alliance solution very relevant from as early as August 2015. The SecuRe Pay recommendations, adopted by the European Banking Authority (EBA) as Guidelines on the security of internet payments ahead of the PSD2, are very strict in the improvements they expect of all future internet payment solutions. They set out a number of minimum expectations that exceed what current payment models can satisfy. The two most relevant aspects SecuRe Pay expects to be developed are the ability for any transactional information to be:

  1. Anonymous and
  2. Irrelevant if stolen.

The European Banking Authority (EBA) published its final Guidelines on the security of internet payments in December 2014, which set the minimum security requirements that Payment Services Providers in the EU will be expected to implement by 1 August 2015. Concerned about the increase in frauds related to internet payments, the EBA decided that the implementation of a more secure framework for internet payments across the EU was needed. These Guidelines are based on the technical work carried out by the European Forum on the Security of Retail Payments (SecuRe Pay).

The final guidelines of December 2014 include a newly revised definition of the ‘Strong Authentication’ required, with an implementation date of 1 August 2015, and anticipate the implementation of any potentially more stringent requirements under the PSD 2 at a later stage. They reaffirm the primacy of multi-factor authentication, as has long been understood by the security solution industry, but also introduce a number of additional tenets.

Following the adoption of the eIDAS Regulation and the publication of the final SecuRe Pay guidelines in late 2014, members of the cards and payments community came together with specialist security researchers to better understand how compliant solutions could be operated effectively. From these early discussions the MIDAS Alliance was born.

IT IS THEREFORE ESSENTIAL THAT FINANCIAL SERVICES ORGANISATIONS START TALKING ABOUT CREATING THE NEXT GENERATION STANDARD THAT WILL MEET THESE NEW REGULATORY REQUIREMENTS.

What are the minimum requirements of SecuRe Pay that are most relevant for MIDAS:

The full 42 page guidance is available at: https://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+(Guidelines+on+the+security+of+internet+payments).pdf

The changes to its definition of Strong Authentication are of the greatest relevance to MIDAS:

Definition of Strong Authentication – SecuRe Pay mandates multi-factor authentication, but in addition it brings in some important conditions on how the factors are handled. The factors:

  1. Must be mutually independent, i.e. the breach of one does not compromise the other(s);
  2. Should be non-reusable and non-replicable (except for inherence);
  3. Designed in such a way as to protect the confidentiality of the authentication data;
  4. Not capable of being surreptitiously stolen via the internet.

SecuRe Pay in addition requires every payment service provider (including issuing banks) to base strong authentication on the use of two or more of the following elements:

  1. Something only the user knows, e.g. static password, code, personal identification number;
  2. Something only the user possesses, e.g. token, smart card, mobile phone;
  3. Something the user is, e.g. biometric characteristic, such as a fingerprint or face recognition.

In addition for SecuRe Pay, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other.

“At least one of the elements should be non-reusable and non-replicable and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.”
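The following is an added example, not code from MIDAS, the EBA or SecuRe Pay, showing one way the two conditions above can be met in practice: a possession element that produces a one-time code bound to the exact transaction (so it is non-reusable, and a copy intercepted on the internet is useless for any other payment), beside a knowledge element (a PIN) whose stored form protects its confidentiality and is independent of the device secret. The message layout, the `Issuer` and `issue_code` names, the fixed device secret and the sample amount, IBAN and PIN are all assumptions constructed for the illustration.

```python
"""
Added example (not MIDAS or EBA code): a transaction-bound one-time code as
the non-reusable, non-replicable element, beside a PIN stored so that its
confidentiality is protected. Names, layout and sample data are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

CODE_DIGITS = 8  # digits the customer re-types from the device display


def canonical_txn(amount_cents: int, currency: str, payee: str, counter: int) -> bytes:
    """Length-prefixed encoding of what the code commits to (assumed layout).
    Prefixes remove field-boundary ambiguity such as "1|23" vs "12|3"."""
    out = b""
    for field in (str(amount_cents), currency, payee, str(counter)):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def issue_code(device_secret: bytes, amount_cents: int, currency: str,
               payee: str, counter: int) -> str:
    """Device side (possession element): HMAC over the exact transaction,
    truncated to a short decimal code as in RFC 4226 dynamic truncation.
    The secret itself never leaves the device."""
    mac = hmac.new(device_secret,
                   canonical_txn(amount_cents, currency, payee, counter),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Issuer:
    """Server side: per-user device secret and last accepted counter,
    plus a salted, memory-hard hash of the PIN (knowledge element)."""

    def __init__(self) -> None:
        self._device_secret = {}
        self._last_counter = {}
        self._pin_record = {}

    def enrol(self, user: str, pin: str, device_secret: bytes | None = None) -> bytes:
        # The secret would be provisioned to the device out of band; a fixed
        # value is accepted here only so the example is deterministic.
        secret = device_secret or secrets.token_bytes(32)
        self._device_secret[user] = secret
        self._last_counter[user] = 0
        salt = secrets.token_bytes(16)
        self._pin_record[user] = (salt, self._hash_pin(pin, salt))
        return secret

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        # Only a salted scrypt hash is stored: a database leak does not reveal
        # the PIN, and the PIN is independent of the device secret, so a breach
        # of one element does not compromise the other.
        return hashlib.scrypt(pin.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def check_pin(self, user: str, pin: str) -> bool:
        rec = self._pin_record.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash_pin(pin, salt))

    def check_code(self, user: str, code: str, amount_cents: int,
                   currency: str, payee: str, counter: int) -> bool:
        secret = self._device_secret.get(user)
        if secret is None:
            return False
        # Non-reusable: a counter at or below the last accepted one is a replay.
        if counter <= self._last_counter[user]:
            return False
        expected = issue_code(secret, amount_cents, currency, payee, counter)
        if not hmac.compare_digest(expected, code):
            return False  # wrong code, or amount/payee altered in transit
        self._last_counter[user] = counter  # consumed only on success
        return True

    def authorise(self, user: str, pin: str, code: str, amount_cents: int,
                  currency: str, payee: str, counter: int) -> bool:
        """Strong authentication: both independent elements must pass.
        Both are evaluated so the reply does not reveal which one failed."""
        pin_ok = self.check_pin(user, pin)
        code_ok = self.check_code(user, code, amount_cents, currency, payee, counter)
        return pin_ok and code_ok


if __name__ == "__main__":
    issuer = Issuer()
    # Constructed sample data: a 125.00 EUR transfer to an example IBAN.
    secret = issuer.enrol("alice", "4711", device_secret=b"\x01" * 32)
    code = issue_code(secret, 12500, "EUR", "DE89370400440532013000", 1)
    print("first use:", issuer.authorise("alice", "4711", code, 12500, "EUR", "DE89370400440532013000", 1))
    print("replay:   ", issuer.authorise("alice", "4711", code, 12500, "EUR", "DE89370400440532013000", 1))
```

The point to take from the run is that the same eight digits are accepted exactly once and only for the amount and payee they were generated for; a code captured in transit is therefore irrelevant to any other transaction, and a failed attempt does not consume the counter, so an honest retry of an untampered transaction still succeeds.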

The purpose of the SecuRe Pay guidelines is to define common minimum requirements for the internet payment services listed below, irrespective of the access device used:

  1. The execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ‘wallet solutions’
  2. The execution of credit transfers (CTs) on the internet
  3. The issuance and amendment of direct debit electronic mandates
  4. Transfers of electronic money between two e-money accounts via the internet.

Objective of the MIDAS alliance

The aim of MIDAS is to establish a standard upon which different organisations can build a secure payment process that meets the US and European requirements as well as helping US organisations overcome issues they will face when introducing EMV.

By working together, information security providers can discuss how they want to develop best-in-class practices and processes.

Questions that need to be discussed within the Alliance are:

  • How to build a universal system that every organisation can simply drop into its existing processes
  • Integration into existing fraud tools
  • Enabling secondary channels to be seamless
  • Developing appropriate choices of biometrics (standards considerations building on PAS 92), including:
    • Discussion of issues concerning the customer experience and acceptance of different means;
    • Optimising security by combining verification on the device with verification on the server.