
European Banking Authority: stronger consumer authentication for online payments needed as of 1 August 2015

4 August 2015

The European Banking Authority (EBA) issued guidelines for security in online payments across the European Union late last year. One of those security requirements is the use of ‘strong authentication’ to verify the consumer before proceeding with an online payment, which the EBA defines as multifactor authentication. As of 1 August 2015, payment service providers are obliged to urge merchants to implement stronger consumer authentication in their IT infrastructure. Current authentication methods, such as 3DSecure, will therefore not be enough, says Ecommerce Europe.

According to the EBA Guidelines, strong customer authentication is a procedure based on the use of two or more of the following elements:
1. Something only the user knows (knowledge, such as a static password or PIN),
2. Something only the user possesses (possession, such as a token, smart card, or mobile phone) and
3. Something the user is (inherence, such as a fingerprint).

In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being secretly stolen via the internet.

Enforcement of EBA guidelines
As mentioned above, the EBA Guidelines will come into effect in August 2015. In accordance with Article 16 of the EBA Regulation, competent authorities and financial institutions must make every effort to comply with the guidelines. However, it is possible for competent authorities (e.g. financial regulators, national banks) to decide not to comply with the guidelines – for example, the UK opted out. You can find an overview of complying national authorities here.

Liability for PSPs and merchants
If payment service providers (PSPs), acquirers, or issuers do not perform strong authentication, they are liable. Liability does not shift to the merchant when the merchant chooses not to authenticate while the PSP is offering it. This is a change from today, where the merchant is liable when no authentication is used. However, a merchant's failure to authenticate might eventually lead to the merchant losing its contract with the PSP.

Payment Services Directive 2
European policy makers are currently in the last stages of developing the new European legislative framework for online payments (PSD2). Due to increasing fraud levels, the EBA declared it did not want to wait until the PSD2 enters into force across the EU – which will only happen from 2017 onwards. While the EBA now only provides guidelines from which national enforcement authorities can still opt out, the security rules in the PSD2 are based on the EBA security guidelines and will force authorities throughout the EU to monitor implementation by PSPs and merchants.

Risk of harming conversion for merchants
According to Ecommerce Europe, the new authentication rules could stifle innovation in the area of digital payments. Multifactor authentication has a huge impact on conversion for merchants, as many consumers will leave the check-out process when payment becomes too complicated. Ecommerce Europe believes that more advanced and equally secure methods of payment authentication, based on modern technologies, are already available. These methods can guarantee a high level of security of digital payment transactions without causing friction to the consumer experience when shopping online. The new methods are expected to be more in line with check-out experiences fit for the shopping experience of the future, such as mobile commerce. Moreover, leaving room for new solutions is more suitable for a risk-based approach by merchants.
