In 2020, 56% of bank fraud took place during online purchases.
With the rise of e-commerce there has been a marked increase in malware and other attacks aimed at the credit card data that online sites collect and store.
How can a Self-Sovereign Identity approach secure the online shopping experience?
With the development of decentralised protocols, can we imagine a world where a purchase on an e-commerce site can be made without disclosing credit card information?
Anatomy of a purchase on an e-commerce site today
Today, before settlement between banks, a purchase on an e-commerce site such as Amazon follows the path below.
The data attached to the customer's credit card is transmitted to every party in the payment cycle, from the e-commerce site to the Payment Service Provider (PSP) and on to the customer's bank.
When payment is requested, the customer's bank checks that the account can cover the amount and assesses the risk of the transaction (in particular whether the merchant site has a good reputation). Only after these routine checks is the transaction accepted or refused.
Along the way a certain amount of information is shared between the actors in the payment process, notably the identity of the account holder and the data linked to the card (card number, expiry date, CVV, and so on). Every party that stores that data becomes a target, because a stolen card number can be replayed on any other site.
These verification processes are essential for protecting against bank fraud and against plain errors. They aim to establish a relationship of trust between a merchant site, its customer and the bank.
This relationship of trust, which today rests on complex processes, can be built in by design with SSI. Let's see how.
Is it possible to pay without disclosing your credit card details?
What would it be like to pay on Amazon... without using your credit card information?
If a customer paid for goods on a merchant site using an SSI approach, the customer journey at checkout on Amazon would look like this:
- The customer asks their bank for a proof of payment to validate the purchase. The bank issues a Verifiable Credential containing the information needed for the payment (Amazon wants to verify the customer's identity and ability to pay). Thanks to selective disclosure and zero-knowledge proofs (ZKP), Amazon is shown nothing beyond that.
- The customer receives the proof of payment in their digital wallet. The wallet thus becomes a means of payment like any other.
- The customer demonstrates their ability to pay by presenting the proof of payment to Amazon.
- Amazon checks that the proof is genuine and was issued by the customer's bank: it resolves the bank's DID on the distributed ledger to obtain the bank's public key and verifies the credential's signature. The ledger holds issuer keys and schemas, not customer data, so the check needs no call to the bank and no further query to the wallet. Amazon should also check that the presentation was signed by the holder the credential was issued to and is bound to this particular transaction, so that an intercepted proof cannot be replayed.
Verification in SSI mode is faster, safer and more confidential than the traditional payment model: the transaction is completed without disclosing more than necessary and, above all, without handing over credit card details, so there is no card number on the merchant's side to be stolen and replayed.
This Self-Sovereign Identity approach rests on two things: a decentralised registry of evidence, which lets public and private actors verify proofs securely, and selective disclosure combined with ZKP, which protects personal data (in line with the GDPR). Together they give the end user management and control over all of their actions in the digital world.
Self-Sovereign Identity: from web2 to web3
The Self-Sovereign Identity approach, made possible by DIDs and VCs together with ZKP and selective disclosure, begins the transition to web3, the promise of a more transparent, verified, secure and privacy-friendly web. Above all, where one might have expected this to come at the expense of the user experience, the SSI approach actually simplifies transaction validation in payments, thanks to the triangle of trust (issuer, holder, verifier) and to interoperable standards.