Strong Customer Authentication
Are You Ready for Strong Customer Authentication (SCA)
Let's start with the basics. The Second Payment Services Directive (PSD2) was officially published by the European Commission in December 2015 and follows on from the First Payment Services Directive (PSD1), which was implemented in 2009. PSD2 has been live since January 2018 and has implications for all companies in Europe that deal with payments, ranging from how to regulate the emergence of Third Party Providers (TPPs) to the need for strong customer authentication (SCA).
Rapid changes in the payments sector have heralded the upgrade of PSD1. Technological advances in areas such as cloud and mobile applications have opened up the banking sector to a swathe of new competitors. These TPPs are offering new ways for customers to access their bank accounts to make payments. Over three quarters of Europeans now use mobile devices to keep track of finances and to make payments,1 compared with just 18% in 2015.2
Another major change has been the continuing rise in online shopping. According to a recent survey, one in four Europeans with internet access shopped online at least once a week in 2016. Unfortunately, the rise in eCommerce has resulted in a concomitant rise in cybercrime; both in data breaches and online credit card fraud. In 2016, nearly £309 million was lost to credit card fraud in eCommerce transactions in the United Kingdom. This compares to just £13.6m in 19984.
It’s against this background that the European Union (EU) has implemented PSD2. There are generally two elements to European law; the need to encourage competition among financial providers, as well as the need to enhance consumer protection.
PSD2 at a glance
- Update of First Payment Services Directive (PSD1) driven by continual rise of eCommerce and technological innovation in payments sector.
- Second Payment Services Directive was implemented on 13th January 2018. The earliest date that member states are expected to have implemented Regulatory Technical Standards (RTS) is August 2019.
- PSD2 includes 112 articles and 11 mandates (specific topics that the regulators asked the European Banking Association to examine).
- One of these mandates is around strong customer authentication (SCA) and includes guidance around exemptions and challenges.
- Another key area is the regulation of Third Party Providers (TPPs) which could help stimulate a new generation of financial companies.
The emergence of TPPs
Presently the main way for customers to access their bank accounts is through the products and channels provided by their banks. Under PSD2 two new regulated entities will emerge:
- Payment Initiation Service Providers (PISP) – This allows third party companies to initiate payment on behalf of a consumer without them having to visit their online bank’s portal. PISPs offer consumers flexibility when it comes to payment.
- Account Information Service Providers (AISP) – This will allow third party companies to access a consumer’s bank, as well as display information relating to their account. For example, this could allow a consumer to aggregate information from multiple accounts in a single application giving them an overview of their financial situation.
In order to facilitate these new providers, banks will have to provide their APIs (Application Programming Interfaces) to those that request it. This is quite a radical change that will provide a boost to the new generation of Fintech companies, fitting in with the EU’s desire to promote increased competition and innovation. The support for TPPs is expected to give consumers greater control and convenience as they will be able to centralise their account information and payment options on a single device.
This is anticipated to benefit the eCommerce market because it will give customers more flexible banking and payment options. There are also opportunities for merchants; for example, they could potentially utilise an AISP to get more information on a potential consumer, such as their account balance and payment flows and use it to make risk assessments. Or they could use the information to identify and target their most high-value customers. Of course, merchants will have to radically rethink the way they obtain their customer’s consent to store personal data and ensure their processes and procedures comply with the General Data Protection Regulation.
PSD2: Key implications for merchants
Creation of PISPs
Services that can initiate credit transfers on behalf of account owners (digital or card based).
Creation of AISPs
Services that can collect and consolidate data across one or more deposit accounts.
Merchants will not be able to surcharge payment methods with regulated interchange (e.g., 4-party consumer schemes, Single Euro Payments Area (SEPA) SEPA credit transfers).
Two-factor authentication will be required for all electronic payments, although there are exemptions to allow “frictionless flow”.
eCommerce merchants will need to integrate dynamic authentication tools (e.g., 3D Secure 2.0).
SCA and the drive for increased payment protection
One of the major implications of PSD2 is the focus on improving security in the payments space by emphasising strong customer authentication. An important element of SCA is two-factor authentication. Most consumers are aware of this even if they don’t know it by that name. It’s for those situations where inputting the username and password by themselves aren’t considered secure enough, so additional steps are required. Obvious examples of such an approach are additional questions that only a consumer would know, such as “what’s my mother’s maiden name?” New approaches to two-factor authentication are emerging e.g., biometric recognition or fingerprint activation.
What is two-factor authentication?
This is authentication based on the use of two or more elements categorised as knowledge (i.e., something only the user knows), possession (i.e., something only the user possesses), and inherence (i.e., something the user is).
Within the cards space there is already a scheme in place to ensure SCA called 3-D Secure (3DS). This is a service offered by credit card providers that gives additional protection to card users by introducing another layer of password protection. The result of which is the message that customers sometimes see when completing a transaction, depending on the network upon which the card is operating.
However, there are drawbacks with 3DS in its current version. It deploys a pop-up screen which uses a different URL – thus looking rather similar to a phishing site. There’s the requirement to remember the password that has been used, something that may be problematic for a customer with several such cards. The first version of 3DS was primarily designed for PC transactions and is a clunky way of making a purchase for mobile phone users – and with smartphones increasingly deployed in eCommerce, this is a stumbling block.
To address some of these challenges a new version of 3DS has just been released. One major change of 3DS 2.0 is that it will offer the ability to authenticate a transaction using a biometric method, something that many mobile phones offer these days. By using finger prints or facial recognition the amount of fraud is potentially going to be greatly reduced while also increasing convenience for consumers. There are other upgrades too: the troublesome payment window will be discarded with and 3DS 2.0 will also allow mobile and digital wallet payment methods. This is a major change as previously only cards could be used (unsurprising, considering the origins of the technology).
Another major implication of 3DS 2.0 is that when a customer makes a purchase, the merchant will have the option of agreeing to ‘frictionless flow’ – where the payment is authorised without additional security measures. Alternatively, they can request that the payment is challenged resulting in the issuer making a risk-based authentication of the consumer and potentially asking for further security, such as two-factor authentication. Having frictionless payment is beneficial for customers and therefore merchants, as their payments can be made quickly and seamlessly. However, it can also increase the potential of fraud. One of the main implications of PSD2 is that it provides clear guidelines about how this process can be managed.
PSD2 and frictionless flow
Under PSD2 there are clear rules regarding the challenging of payments. Transactions that are under €30 will not need to be challenged, it is entirely up to the discretion of the merchant. For transactions above €30, a new procedure kicks in, one that depends on the reference fraud rates of the acquiring bank and the issuer – not the merchant.
Under PSD2, if the fraud rate is below 13 basis points (bps) there’s no requirement for a challenge for transactions of up to €100. But if the fraud rate is below 6bps that ceiling rises to €250. For those with a rate of under 1bps a transaction can be as high as €500 before there’s a need for a challenge.
There are a couple of caveats to this approach.
- Not all low-value transactions will go unchallenged: every fifth transaction (below €30) will need to be challenged. This will also apply if the combined value of several unchallenged transactions goes above €100. This could present some difficulty for merchants who will have to deal with customers’ expectations of a frictionless process.
- There’s also the issue of recurring transactions. If there’s a regular payment and it’s of the same amount every time, there needs only to be one challenge. However, if the amount changes for example, a mobile bill fluctuates and the amount is over €30, it would need to be challenged.
Although SCA methods can reduce fraud, they likely will also impact the speed and convenience of online shopping. However, PSD2 will not necessarily have a negative impact on eCommerce. The new regulations are predicted to drive acquirers and other entities in the payment processing ecosystem to improve their own fraud rate as that would mean they could offer frictionless flow at higher thresholds. Conversely merchants may start seeking out financial providers with a good record of fraud prevention, as this would allow them to offer more convenient payment options to their consumers with fewer challenge presentments.
With PSD2 the onus is on the many parties in the payments ecosystem to improve security and reduce their fraud rates. With the right solutions merchants can be compliant with the new regulations and help reduce fraud while still offering a frictionless, user-friendly experience for the majority of their customers. eCommerce is booming in Europe, but the number one reason preventing even further uptake is concern over fraud. By forcing improvements to payment processing, PSD2 could end up increasing conversion rates.
The implementation of PSD2 is going to shake up the payment sectors. There are a number of potential advantages for merchants: purchasing processes will become easier, they will be offered more choice of financial providers (and consequently methods of payment) and there will be reduced risk of fraud.
But there will still be work to be done; merchants may need to change their systems to handle 3DS 2.0 or other SCA methods, as well as working on how to meet customers’ expectations. And because there will generally be more challenges, SCA needs to be handled in a way that minimises disruption to the purchasing process. In this sense, the regulations could spark a wave of innovation that may ultimately improve the online shopping experience.
Merchants will also have to pay closer attention to their partner acquirers and issuers. Some important differentiating factors will be the fraud rate, as well as the help provided in negotiating the PSD2 upheaval.
PSD2 opportunities for merchants
- Reduced fraud rates in the industry and increased trust with consumers.
- Innovation around two-factor authentication to make the process smoother.
- A boost in eCommerce as consumers have more online banking and payment options.
- Merchants can leverage new payment aggregators to increase their strategic information on consumers.
This article was originally published by Global Banking and Finance Review
Chase Paymentech Europe Limited, trading as J.P. Morgan, is regulated by the Central Bank of Ireland.
The information herein does not take into account individual client circumstances, objectives or needs and is not intended as a recommendation of a particular product or strategy to particular clients and any recipient of this document shall make its own independent decision. This document and the information provided herein may not be copied, published, or used, in whole or in part, for any purpose other than expressly authorised by Chase Paymentech Europe Limited.
© 2017, JPMorgan Chase & Co. All rights reserved.