Preparing for strong customer authentication under PSD2
The implementation deadline for the Second Payment Services Directive (PSD2) is just months away.
It is critical that payment services providers (PSPs) address the regulation’s technical security requirements now. Get it right, and a regulatory compliance challenge becomes an opportunity to deliver an efficient, secure and seamless customer experience.
With e-commerce now accounting for 50% of all card fraud losses in the UK alone, and with reports of data breaches almost a daily occurrence, it is no surprise that regulators are focusing on remote payments and account access in PSD2.
Strong customer authentication (SCA) aims to secure high-risk transactions and interactions by ensuring that the individual claiming to be a customer matches the individual who opened the account.
SCA requires customers to authenticate themselves in at least two of three different ways:
– Inherence (something you are, e.g. biometric data)
– Possession (something you have, e.g. a credit card or registered device)
– Knowledge (something you know, e.g. a password, PIN or secret question)
The risk with multi-factor authentication is that it can create a lengthy authentication process. Customers in many countries have now become accustomed to seamless, straight-through transaction processing, so in order to remain competitive and preserve the customer experience, the critical part will be to decide carefully when to use SCA.
PSPs will be allowed to secure transactions using transaction risk assessment (TRA) if they keep fraud levels below the level specified by the regulatory technical standards (RTS). These levels are measured in basis points and are calculated by dividing the gross fraud losses by the overall turnover. For remote card-based payments of under €100 the limit is a 0.13 percent fraud rate, and for payments of over €500 it’s 0.01 percent.
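The two rules described above (two of three SCA categories, and a fraud rate kept below the reference level) can be sketched as follows. This is an added example, not code from the article or from any PSP; the function names and the element-to-category mapping are hypothetical, and the reference rate is passed in by the caller (the test figure of 0.13 percent is the one the article quotes for payments under €100).

```python
from decimal import Decimal

# Constructed mapping of authentication elements to the three SCA categories.
CATEGORY = {
    "fingerprint": "inherence",
    "registered_device": "possession",
    "card": "possession",
    "password": "knowledge",
    "pin": "knowledge",
    "secret_question": "knowledge",
}

def sca_satisfied(elements):
    """True when the elements span at least two different categories."""
    unknown = [e for e in elements if e not in CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised authentication element(s): {unknown}")
    # A password plus a PIN is still a single category (knowledge).
    return len({CATEGORY[e] for e in elements}) >= 2

def fraud_rate_percent(gross_fraud_losses, turnover):
    """Gross fraud losses divided by overall turnover, as a percentage."""
    losses, total = Decimal(str(gross_fraud_losses)), Decimal(str(turnover))
    if total <= 0 or losses < 0:
        raise ValueError("turnover must be positive and losses non-negative")
    return losses / total * 100

def to_basis_points(percent):
    """1 percent equals 100 basis points."""
    return Decimal(str(percent)) * 100

def authentication_decision(gross_fraud_losses, turnover, reference_percent, elements=()):
    """Return 'tra_eligible', 'sca_passed' or 'sca_required'.

    Only the fraud-rate precondition for TRA is checked here; the real-time
    behavioural risk scoring of the individual transaction is out of scope.
    """
    rate = fraud_rate_percent(gross_fraud_losses, turnover)
    if rate < Decimal(str(reference_percent)):  # the article says "below"
        return "tra_eligible"
    return "sca_passed" if sca_satisfied(elements) else "sca_required"
```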
TRA works by invisibly monitoring the behaviour of both parties during a transaction or account information request in real time. Fraud is detected as a result of suspicious behaviours as opposed to direct input from customers, and the data provided makes for better fraud prevention in the long term. TRA can also be implemented and run with potentially fewer third-party costs than SCA.
Though SCA cannot be avoided completely under the new regulations, its cost and friction can be substantially mitigated by TRA, helping PSPs to meet the challenges posed by the RTS. While TRA will require some strides forward for PSPs’ IT infrastructures, it will allow providers to remain competitive in a post-PSD2 financial market.
The bottom line is that every instance of fraud causes more friction than any authentication process for both customers and PSPs. Customers must report, compile, prove and follow up, while providers have to expend time and personnel on investigating and reimbursing. If fraud can be stopped at the point of transaction, then in the long term the financial market could be safer and more streamlined.
With the help of TRA, compliance doesn’t need to damage the customer experience or significantly increase cost for PSPs – PSD2 can be an opportunity to change the financial market for the better.