Are you ready for Strong Customer Authentication under PSD2?
August 2019
There has been a significant increase in the number of e-commerce transactions taking place across Europe over the last five years, as improving technology has enabled mobile phone payments among other electronic payment methods. Accompanying this rise has been a parallel increase in the risk of consumer fraud. The European Union (EU) has sought to address this increased risk through the implementation of the Second Payment Services Directive (PSD2), effective from 13th January 2018.
PSD2 requires an improvement in payment security to address the increasing risk of fraud, and its provision for Strong Customer Authentication (SCA), required from 14th September 2019, seeks to add extra layers of assurance that transactions are authorised by the account holder(s). An important feature of SCA is two-factor authentication, whereby authentication for a transaction is conditional upon two or more elements categorised as:
- Knowledge – something only the user knows (e.g. a PIN);
- Possession – something only the user possesses (e.g. a Card or a Mobile Phone);
- Inherence – something that the user is (e.g. a Fingerprint).
Many banking providers already implement a system called 3-D Secure (3DS) to add protection beyond a standard password. The system typically displays a message or asks a series of questions before a transaction is authorised, for example “Have you lived at any of the following addresses?”. While 3DS provides some additional security, it is limited: it usually appears as a pop-up that looks similar to a phishing site, and the user must remember a password, which is difficult if different passwords are used for different cards.
PSD2 builds upon existing legislation to make use of advancements in technology. Instead of extra authentication being required by exception (for example where a transaction has been identified as potentially high risk), it will now be standard practice. PSD2 specifies when an additional challenge is required, for example for transactions valued above €30, or for every fifth unchallenged transaction within a set period of time. Additionally, if the combined value of several unchallenged transactions exceeds €100, an additional challenge will also be required. Merchants may also adopt stricter practices at their discretion, for example challenging transactions below €30, but this is not a legal requirement. Measures such as these are intended to reduce the risk of fraud by strengthening the controls that prevent transactions being processed without proper authorisation from the account holder(s).
From 14th September 2019, where a physical card is present and its chip can be verified, the chip combined with a PIN will continue to be sufficient for transactions above €30. However, for e-commerce payments or other payments where the card is not present, additional authentication is required, and it is at the discretion of the issuer rather than the merchant what form it takes.
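The three triggers above (amount above €30, running total of unchallenged transactions above €100, every fifth unchallenged transaction) can be modelled as counters an issuer keeps per card. The following is an added example written for this article, not code from PSD2, a card scheme or any issuer; it assumes that a successful challenge resets both counters and uses the article's figures as thresholds.

```python
# Added example: a model of the low-value exemption counters as the article
# describes them (not a real issuer's logic). Assumption: a challenge (SCA)
# resets the per-card counters, so the next run of exemptions starts afresh.
from __future__ import annotations
from dataclasses import dataclass

LOW_VALUE_LIMIT = 30.00      # single-transaction limit (EUR)
CUMULATIVE_LIMIT = 100.00    # running total of unchallenged transactions (EUR)
UNCHALLENGED_RUN = 5         # the fifth unchallenged transaction is challenged

@dataclass
class CardState:
    """Counters an issuer keeps per card since the last successful SCA."""
    unchallenged_count: int = 0
    unchallenged_total: float = 0.0


def sca_required(state: CardState, amount: float) -> tuple[bool, str]:
    """Decide whether this transaction must be challenged, and why."""
    if amount > LOW_VALUE_LIMIT:
        return True, "amount above low-value limit"
    if state.unchallenged_total + amount > CUMULATIVE_LIMIT:
        return True, "cumulative unchallenged value would exceed limit"
    if state.unchallenged_count + 1 >= UNCHALLENGED_RUN:
        return True, "fifth consecutive unchallenged transaction"
    return False, "low-value exemption"


def process(state: CardState, amount: float) -> tuple[bool, str]:
    """Apply the decision and update the counters (a challenge resets them)."""
    required, reason = sca_required(state, amount)
    if required:
        state.unchallenged_count = 0
        state.unchallenged_total = 0.0
    else:
        state.unchallenged_count += 1
        state.unchallenged_total += amount
    return required, reason


def simulate(amounts: list[float]) -> list[bool]:
    """Run a constructed sequence of amounts against one fresh card state."""
    state = CardState()
    return [process(state, a)[0] for a in amounts]


if __name__ == "__main__":
    sample = [10, 10, 10, 10, 10]  # constructed: five small purchases in a row
    for amt, chal in zip(sample, simulate(sample)):
        print(f"EUR {amt:>6.2f} -> {'challenge' if chal else 'exempt'}")
```

With the sample above, the fifth €10 purchase is challenged even though the total is only €50, showing that the count rule fires before the cumulative rule.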
Many merchants are concerned that these changes will restrict frictionless payments and weaken the customer journey; however, many consumers understand the need for enhanced security in a world of rapid technological change. In advance of the forthcoming deadline, VISA and MasterCard are implementing a new version of 3DS (version 2.0), mandated to be in place for issuers and merchants by April 2019 in preparation for mass adoption by September 2019.
In June 2019, the Financial Times reported concern from retailers and payment processors including Amazon, Stripe and Worldpay at the lack of preparation for implementation of the SCA changes. They cite concern that many consumers remain unaware of the forthcoming changes and warn that online sales could be significantly affected if customers are unable to complete transactions. Consumers who have not installed mobile apps or provided mobile telephone numbers to facilitate authentication will be unable to complete purchases, which will restrict the conversion of sales and is likely to increase consumer frustration.
We have seen increasing use of two-factor authentication in the banking sector, and indeed make use of it ourselves here at Cascade with our online portal. To log on, users must enter their unique username and password (which must be changed regularly and meet a minimum standard for composition, such as a minimum of 8 characters, an alphanumeric character and so on) before entering a six-digit code sent to a mobile held by the user. This verifies the individual and allows access to our online portal.
Many banking providers are following suit: when opening a savings account, Tandem Bank, Marcus by Goldman Sachs and Atom Bank, to name but a few, require a code to be entered to help verify the applicant. This is changing the nature of savings accounts and has implications for those deemed vulnerable.
Should you have any concerns or queries about the forthcoming changes, do let us know and we will be happy to provide further information. We are reassured by the positive steps taken to protect the integrity of your online transactions and would recommend patience as this technology is implemented to ensure you remain protected while transacting online.
