DID YOU KNOW
Digital signatures are the digital equivalent of handwritten signatures; they give merchants the ability to authenticate a consumer and strengthen their evidence in repudiation disputes.
In general, digital signature services have been around for a long time without significant widespread acceptance. These services have the ability to bridge the gap between the card-present and card-not-present worlds, but there is a low probability of that happening.
The pros and cons of digital signatures include:
A signature marks that a legal transaction has taken place and can be used as evidence in chargeback disputes.
Digital signatures can be used to authenticate the source of messages.
Hardware such as a mouse, electronic pen, tablet PC or touchpad will be required (depending on the service).
A digital signature does not by itself prove that the person signing is who they claim to be.
Increased security against fraudsters trying to steal or alter information in transit, because any change to the signed message invalidates the signature.
Digital signatures cannot provide certainty about the time and date at which a document was signed, so backdating may become a problem. To avoid this, use trusted time-stamping in addition to digital signatures.
Non-repudiation may become complicated if the consumer's private key was compromised. A non-repudiation service requires the establishment of a public key infrastructure (PKI) which can be complex and costly to establish and operate.
The possibility of a hacker capturing universal signature access also represents a huge potential problem for the merchant.
THE FRAUD PRACTICE
KEY NOTES
Alternative Solutions - There is no clear alternative to digital signatures, but consumer verification can provide the merchant with the ability to authenticate the consumer.
Building this In-House - Very expensive and time-intensive to build the public key infrastructure needed to securely retrieve the consumer's public key. Merchants are better off integrating a third party's digital signature method to deliver this payment method to the consumer.
Estimated Cost - Costs will vary based on the vendor you select. Adding a public key infrastructure is costly and time-consuming. Several commercial PKI operators exist, but many have suffered publicly due to data breaches. The effort required to establish and monitor a closed PKI system is usually too costly and time-consuming for merchants to do on their own.
Sample Vendors - DocuSign
DIGITAL SIGNATURES TECHNIQUE OVERVIEW
Digital signature services provide the merchant with the ability to capture real-time signatures over the Internet for a variety of applications and verticals (i.e. financial, mortgage, travel, etc.). Digital signatures are the digital equivalent of traditional handwritten signatures. Digital signature schemes use cryptography and if implemented correctly the digital signature is more difficult to forge than a traditional handwritten signature. Typically, a consumer can sign their name with their mouse or some type of hardware (i.e. electronic pen, tablet PC, touchpad) through a pop-up window during checkout. The merchant then has a conventional signature they can show, if needed, for chargeback representment.
In terms of recovering money from CNP fraud chargebacks, digital signatures may provide the merchant with important evidence during disputes that the consumer was authenticated with an intent to purchase. It should be noted that trusted time stamping can make the merchant's case more compelling against friendly fraudsters attempting to backdate.
Encrypted digital signatures have become more widely used in e-commerce and regulatory filings, but their widespread adoption and success still remain to be seen. Consumers have found that signatures drawn online with a mouse usually look nothing like their actual handwritten signature. While digital signatures may provide added security to the consumer, the value of digital signatures to merchants in fighting chargebacks is still not clear.
Key considerations when implementing or buying this functionality include:
Can the digital signature be utilized effectively with trusted time-stamping?
Does the region or country have specific laws relating to digital signatures and the implications associated with chargebacks? Will the evidence hold up in court?
Is the public-key algorithm secure? Some algorithms are known to be insecure.
Does the digital signature disrupt business processes with additional work?
Does it comply with the merchant's auditing process requirements?
How will the private key remain private?
Does the consumer possess the necessary hardware for digital signatures? If not, what are the costs to provide them with the needed hardware?
Is the public key owner verifiable? How much time and money does it cost to operate and establish the public key infrastructure?
Just because you have a digital signature does not mean you are going to win your chargeback representment case. The rules for documentation and proof of cardholder authorization are different for card-present and card-not-present transactions. Presenting a digital signature as evidence is not something covered by the association, and the interpretation of its value will come down to the issuing bank in question.
HOW DOES IT WORK?
Merchants use digital signatures to capture a signature from a consumer through some device on the computer (such as an electronic pen, mouse, tablet PC or touchpad). Essentially, the consumer will be prompted during the checkout phase with a box on the screen with a small x next to a line for their signature (i.e. x___________________ ). Once the signatory has signed, the signature is captured as an image and encrypted for the consumer's protection. The encrypted message is sent to the merchant and the consumer is verified and authenticated. The digital signature can then be used as proof that a legal transaction has occurred. However, digital signatures are complex and require many processes and techniques to come together to become cost-effective for the merchant. Data encryption, hashing, cryptography, digital certificates, private keys, public key infrastructure and verification must all come together to provide the merchant with the genuine consumer authentication desired.
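The signing and verification steps described above, as an added Go example that is not code from this page or from any vendor's product: the consumer's private key signs a SHA-256 hash that binds the captured signature image, the order ID and a time-stamp together, and the merchant verifies it with the consumer's public key, so a backdated time-stamp or a swapped image fails verification. Ed25519 as the algorithm, the constructed image bytes and the fixed time-stamp value are assumptions; a real deployment would take the time-stamp from a trusted time-stamping service and the public key from a PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SignedCapture is the record a merchant would keep as chargeback evidence: the
// captured image, the order, the time-stamp, and one signature binding all three.
type SignedCapture struct {
	Image     []byte // captured signature image (constructed bytes in this example)
	OrderID   string
	SignedAt  int64 // Unix seconds, assumed to come from a trusted time-stamp source
	Signature []byte
}
// digest hashes image, order ID and time-stamp as one message, so none can change alone.
func digest(image []byte, orderID string, signedAt int64) []byte {
	h := sha256.New()
	h.Write(image)
	h.Write([]byte(orderID))
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(signedAt))
	h.Write(ts[:])
	return h.Sum(nil)
}

// Sign runs on the consumer side with the consumer's private key.
func Sign(priv ed25519.PrivateKey, image []byte, orderID string, signedAt int64) SignedCapture {
	sig := ed25519.Sign(priv, digest(image, orderID, signedAt))
	return SignedCapture{Image: image, OrderID: orderID, SignedAt: signedAt, Signature: sig}
}

// Verify runs on the merchant side with the consumer's public key, which the
// merchant is assumed to have obtained and validated through a PKI.
func Verify(pub ed25519.PublicKey, c SignedCapture) bool {
	return ed25519.Verify(pub, digest(c.Image, c.OrderID, c.SignedAt), c.Signature)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := Sign(priv, []byte("constructed-signature-image"), "ORDER-1001", 1700000000)
	fmt.Println("genuine capture verifies:", Verify(pub, c)) // true
	backdated := c
	backdated.SignedAt -= 86400 // attempt to move the time-stamp back one day
	fmt.Println("backdated capture verifies:", Verify(pub, backdated)) // false
}
```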
HOW DO YOU USE THE RESULTS?
If the consumer is verified and authenticated through the digital signature then accept the transaction. However, it will be impossible for merchants to know if the transaction is fraudulent when the fraudster has access to the private key. In this instance, digital forgery can become a major concern.