As a component of the Payments Service Directive 2 (PSD2) legislation, that was introduced in January 2018, the security measures that are outlined in the Regulatory Technical Standards come into effect from September 2019.
With PSD2 the European Commission aims to ensure consumers across Europe are protected. This is across the security of both online payments and accessing accounts. The payments industry is experienced in balancing regulatory change with innovation. PSD2 brings in a regulatory requirement to implement Strong Customer Authentication (SCA) and this presents an opportunity for organisations to be innovative through deploying SCA to enhance the customer journey and payment security.
The use of authentication in payments is understood by consumers as a necessity in keeping their money protected. As the digital world has evolved we have seen the adoption of technologies to improve security alongside customer experience – from chip and pin and digital identity services through to contactless mobile payments. Getting the balance right between security technologies and ease of use is crucial – a recent report by iovation, part of the TransUnion group of companies, found that an estimated 70% of consumers drop out of the online customer journey due to high friction. It is evident we have become expectant, as consumers, of a seamless experience that is also secure.
Pre-PSD2 merchants could opt out of SCA requirements for lower risk transactions by utilising 3D Secure software, which is reliant on the consumer’s password. With heightened consumer awareness around internet security and privacy stemming from regular media coverage of the topic, it is interesting to see that Security Boulevard recently challenged the effectiveness of passwords by advising that they are potentially not the most secure way of protecting our personal data. Statistics they use to underline their point include the fact that 59% of people in 2018 used the same passwords everywhere.
If sole use of single authentication protocols like passwords, pins and tokens represent a risk – as PSD2 outlines – then there is a clear need for payment providers to look for innovative solutions that authenticate consumers beyond a single factor. If smooth customer experience can be designed that also enables the payment provider to demonstrate that they take the security of consumers seriously, then this will not only meet regulatory standard but is also likely to increase customer confidence within that interaction.
Understanding PSD2’s authentication requirements
PSD2 requires payment providers to conduct SCA through multi factor authentication (MFA) by using two independent sources of validation, from two out of the following three indicators:
- Something you know
- Something you are
- Something you have
Not all transactions will require this additional authentication – notably where defined transaction-specific exemptions are applicable. These include low value exemption, recurring payment exemption, trusted beneficiary and low risk exemption. PSD2 provides these exemptions to SCA to minimise friction in the customer’s payment journey
To facilitate transactions which are not exempt there is a clear opportunity for payment providers to introduce innovative solutions into their customer journeys, increasing security for themselves and consumers but also enhancing the customer experience and brand reputation. This is made even more compelling when you consider the omni-channel provision of financial services in the modern world.
Understanding what ‘Something you know’ means
Regulations outside of PSD2 stipulate that you should know who your customer is. Knowing their contact details are valid, are linked to that consumer and are risk-free will potentially become more important under PSD2. Use cases such as verification of one-time pass codes (OTPs) to fulfil this SCA element have a reliance on the security of that digital channel, be that mobile or email.
TransUnion’s services have supported payments providers in cleansing their customer’s contact data in order to re-evaluate links and associations that may have only previously been inferred, whilst at the same time forensically profiling those digital artefacts to understand validity, connectivity and risk.
OTPs may present a cost-effective solution, however there are potential vulnerabilities which would need consideration in their deployment and execution. For example, sim swap fraud could lead to OTPs being intercepted and with breach enabled data assets such as Collection 1 available to fraudsters not all topologies are as secure as they might appear.
iovation’s device based authentication services could provide a viable alternative, with both mobile MFA and device-based solutions which can authenticate through a native application so consumers don’t have to leave a branded experience (as compared to some OTP based verifications).
Understanding what ‘Something you are’ means
Simply, this refers to inherent attributes – the most common of which are generally referred to as biometrics. From a consumer’s perspective we are becoming more and more familiar with making payments using technologies such as Apple or Android pay now. Biometric authentication methods are becoming ever present in our day to day lives, be it when we go through passport control or simply unlocking our devices.
Within our 2018 Fraud Report, biometric technology for fraud prevention and authentication was cited as a primary area of investment in coming years. This investment is likely to be accelerated by SCA requirements and market trends, most notably that mobile payments will increase 28% by 2022 surpassing use of credit cards and cash.
Technology, at times, can feel intrusive and there are naturally heightened concerns about using and storing such sensitive personal data. Decipher reports that a large underground market is emerging where fraudsters can purchase digital fingerprints that can be used to fool systems along with stolen user credentials. Therefore it is important that a combination of authentication methods are used, such as iovation’s LaunchKey solution which allows for more than one type of authentication alongside the use of biometric checks.
Understanding what ‘Something you have’ means
iovation provide leading fraud detection and consumer authentication solutions across the globe. Their technology naturally lends itself to a digital payment and the ability to uniquely identify new and returning devices. Those devices, in the digital world, are fast becoming the means to transact.
Through their re-recognition capabilities the ClearKey solution can be used as a hidden second factor of authentication alongside an OTP to meet SCA requirements. It may even be beneficial to deploy this type of service for lower risk transactions, even where exemptions do apply, as a frictionless fraud prevention check.
The LaunchKey solution by enabling MFA can provide all three elements of SCA in one platform. The SDK can be deployed through a provider’s own application, managing authentication processes (both physical and digital) including configurable options such as PIN codes, pattern codes and biometrics.
LaunchKey also uses a decentralized, anonymous architecture: user credentials are stored locally on the user’s device, eliminating a central credential store that is a common attack target for password-based, and even many multi-factor authentication solutions.
How you can turn a threat into opportunity
While payment providers have to focus on meeting these new regulations we believe that it presents an opportunity to drive better customer experience. The mandated changes are a platform to create a competitive edge and steal a march on the competition by mitigating the risk of fraud and enhancing the consumers experience at the same time.
We at TransUnion understand that the introduction of SCA is a challenge but we have the tools and expertise to help incumbents and new entrants answer and most importantly make the most of these changes.