Following the European Banking Authority’s consultation paper on strong customer authentication, the future for operators in Europe looks uncertain. Since the introduction of 3-D Secure for card-based e-commerce payments in 1999, the industry has been moving towards a risk-based authentication approach.
Background and step-up authentication, applied as and when required, have helped the industry strike a commercially sensible balance between mitigating risk and delivering a low-friction customer experience. This may be about to change.
On 12 August 2016, the European Banking Authority (EBA) published its long-awaited consultation paper on strong customer authentication and secure communications under the revised Payment Services Directive (PSD2). The deadline for submission of comments was 12 October 2016.
Strong customer authentication in this context is defined as two or more of the following: knowledge, possession or inherence. The elements must be independent to ensure that compromise of one does not compromise the other(s). The authentication process must be designed to protect the confidentiality of the authentication data, and to dynamically link it to the amount and payee for remote electronic payments.
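The two properties just described, factor independence and dynamic linking of the authentication code to amount and payee, can be checked mechanically on the ASPSP side. The following is an added illustration, not code from the article or from the EBA; the draft RTS does not prescribe a construction, so the HMAC-based code, the factor categories and the issuer key used here are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed mapping of presented factors to the three categories in the RTS.
FACTOR_CATEGORIES = {
    "password": "knowledge", "pin": "knowledge",
    "device_key": "possession", "otp_token": "possession",
    "fingerprint": "inherence",
}


def factors_are_independent(factors):
    """True only when the factors span at least two distinct categories.

    Two knowledge factors (password + PIN) fail: a phished credential set
    compromises both, so they are not independent in the RTS sense.
    """
    categories = {FACTOR_CATEGORIES[f] for f in factors}
    return len(categories) >= 2


def canonical_payload(amount_minor, currency, payee, nonce):
    # Amount in minor units (cents) and a delimiter that cannot appear in the
    # fields, so amount and payee cannot be shuffled into each other.
    return f"{amount_minor}|{currency}|{payee}|{nonce}".encode()


def issue_auth_code(issuer_key, amount_minor, currency, payee):
    """Issuer binds the code to amount and payee (dynamic linking)."""
    nonce = secrets.token_hex(8)  # one-time value, prevents replay of the code
    mac = hmac.new(issuer_key, canonical_payload(amount_minor, currency, payee, nonce),
                   hashlib.sha256).hexdigest()
    return nonce, mac


def verify_auth_code(issuer_key, amount_minor, currency, payee, nonce, code):
    """Any change to amount or payee after issuance invalidates the code."""
    expected = hmac.new(issuer_key, canonical_payload(amount_minor, currency, payee, nonce),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


def authorize_remote_payment(issuer_key, factors, amount_minor, currency, payee, nonce, code):
    """ASPSP decision: independent factors AND a code linked to this exact payment."""
    return factors_are_independent(factors) and verify_auth_code(
        issuer_key, amount_minor, currency, payee, nonce, code)
```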
“The authentication procedure will remain fully in the sphere of competence of the ASPSP (account servicing payment service provider),” says the EBA. For card payments, issuers are responsible for payment security, and with very few exceptions are required to perform strong customer authentication on every transaction.
Acquirers and merchants are not able to authenticate consumer payment transactions, acting alone or together. This may mean that models currently used by Amazon and PayPal for card payments cannot be used for PSD2 payments, unless separate contractual agreements are in place with each ASPSP used by European consumers.
Broadly, the exemptions from strong customer authentication are contactless card payments under €50, card-not-present transactions under €10, and payments to a payee that has been specifically white-listed (by the payer). On the current reading of the draft text, clarification is required as to whether the exemptions are optional or indeed mandated.
The value thresholds require clarification as low-value transactions do not automatically equate to low-risk transactions. Moreover, the price of goods and average transaction values differ across member states. The scope of the regulation and currency are also unclear. Does it encompass fiat money only or purchases made in whole or in part with air miles, loyalty points and so on? The position around the international dimension requires further clarification, especially for so-called ‘one-leg’ scenarios, where the card issuer or acquirer is based outside the EEA and does not participate in strong customer authentication.
A QUESTION OF BALANCE
There will always be uncertainties in life as well as in business — that much is certain. It is how individual stakeholders and industries collectively manage these uncertainties or risks that determines the success of the outcome, and the degree to which they protect their funds and assets.
Good risk management involves balance. It balances the risks and security needs of all parties and the convenience for end users. If security is too cumbersome, making the process onerous, it may deter people from using online services. If security is too light and does not adequately protect the parties, it may again deter people as they will not have confidence in the system.
Another basic truism of risk management is that no single product or solution will provide total security. A layered approach is most effective in balancing risk exposure and convenience. It is strange, therefore, that the EBA appears to be mandating strong customer authentication via issuers as the sole risk prevention method.
TOMORROW IS ALREADY HERE
There is no such thing as 100 percent security, because criminals are unrelenting. What is secure today may be compromised tomorrow. Fraud patterns change as do authentication patterns. Few organisations adopt a blanket 3-D Secure approach, preferring one that is based on risk. 3-D Secure version 2.0 announced by EMVCo in October 2016 is designed to facilitate more risk-based authentication, not less.
Some ‘friction’ in payments is necessary — even desirable in some cases. However, tomorrow is already here with frictionless payment via wearables, stickers, key fobs and tags. Will these be subject to strong customer authentication? What about instances in which the payer is not a person, for example in the Internet of Things?
Overall, the balance as outlined in the draft RTS is not quite right. It may even be counter-productive if it stifles the European digital single market and drives an uptake in less efficient payment means. Fraud is seldom eliminated entirely, merely displaced as fraudsters migrate to targeting the weakest link. The proposal may have the effect of displacing online fraud. The outlook and impact remain uncertain. The EBA did not respond to a request for input.