New security requirements for online payments will come into effect in Europe in September as part of the revised Payment Services Directive (PSD2), but they are also expected to make an impact in the US and other regions of the world. The PSD2 brings two major changes to the payments industry: It mandates stronger security requirements for online transactions through multi-factor authentication (MFA) and it forces banks and other financial institutions to give third-party payment services providers access to consumer bank accounts if account holders give their consent.
What are the strong consumer authentication (SCA) requirements?
According to PSD2, financial institutions that hold payment accounts will need to challenge online payments, such as card transactions, initiated by European consumers with two-factor authentication (2FA). This stronger authentication combines something the user knows, such as a password or PIN, with something the user has, such as a code generated by a smartphone app, or with a biometric identifier like a fingerprint or facial recognition. This will result in unique authentication codes for every transaction that will link the customer and the transaction amount.
There are several exemptions from these requirements. For example, transactions under 30 euros can be exempted, as well as recurring transactions that have the same payee and amount, like those to subscription-type services. Consumers will also be able to whitelist merchants.
Higher-value transactions can be exempted if the acquiring bank or service ensures low fraud rates through other risk analysis methods -- transactions of up to 100 euros for fraud rates below 0.13%, 250 euros for fraud rates below 0.06% and 500 euros for fraud rates below 0.01%. However, according to a recent report by consulting firm Aite Group and fraud prevention company Iovation on the impact of PSD2, the average fraud rates of most acquirers are well above 0.13%, so it's unclear if such low fraud rates are even achievable.
While the SCA requirements technically apply only to transactions where both the card issuer and the acquiring bank are based in the European Economic Area (EEA), in practice European issuers might apply the same rules regardless of the merchant's location, Aite and Iovation said in their joint report.
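To make the exemption rules above concrete, here is an added example (not code from the article, Aite or Iovation) of a decision function that applies the low-value, recurring, whitelist and transaction-risk-analysis thresholds exactly as the article states them. The check order, the strict "under 30 euros" comparison and the `Cardholder`/`Transaction` data shapes are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Thresholds as stated in the article (euros; fraud rate in percent).
LOW_VALUE_LIMIT = 30.0                                       # "under 30 euros"
TRA_BANDS = [(100.0, 0.13), (250.0, 0.06), (500.0, 0.01)]   # "up to X euros for rates below Y%"

@dataclass
class Cardholder:
    # Hypothetical cardholder state kept by the issuer (assumption, not from the article).
    whitelisted_merchants: set = field(default_factory=set)
    # (payee, amount) pairs already authenticated with SCA, i.e. a recurring series.
    recurring_series: set = field(default_factory=set)

@dataclass
class Transaction:
    amount_eur: float
    payee: str
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True

def tra_limit(acquirer_fraud_rate_pct: float) -> float:
    """Largest amount exemptable under transaction risk analysis for this fraud rate.

    Returns 0.0 when the rate is at or above 0.13%, which the article notes is
    where most acquirers sit, so no TRA exemption is available to them.
    """
    limit = 0.0
    for amount, max_rate in TRA_BANDS:
        if acquirer_fraud_rate_pct < max_rate:
            limit = max(limit, amount)
    return limit

def sca_decision(tx: Transaction, holder: Cardholder, acquirer_fraud_rate_pct: float) -> str:
    """Return 'sca_required' or the reason the transaction may skip the challenge."""
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        # Out of the directive's formal scope; issuers may still choose to challenge.
        return "out_of_scope"
    if tx.payee in holder.whitelisted_merchants:
        return "exempt_whitelist"
    if (tx.payee, tx.amount_eur) in holder.recurring_series:
        return "exempt_recurring"          # same payee and same amount as before
    if tx.amount_eur < LOW_VALUE_LIMIT:
        return "exempt_low_value"
    if tx.amount_eur <= tra_limit(acquirer_fraud_rate_pct):
        return "exempt_tra"
    return "sca_required"
```

Constructed inputs such as a 200-euro purchase at an acquirer with a 0.05% fraud rate return "exempt_tra", while the same purchase at 0.20% returns "sca_required".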
The requirements were created to combat card-not-present (CNP) fraud that has been on the rise for the past decade following the introduction of chip-enabled cards -- the EMV standard -- that made cloning physical cards much harder. According to European Central Bank statistics, card-not-present fraud steadily increased every year until 2016, when it accounted for 73% of the total card fraud losses related to euro payments.
Over the past few years, IT security firms have also observed a rise in the number of cybercriminal groups that break into online stores and inject malicious scripts with the goal of stealing payment card details as users input them on checkout pages. These are known as web skimming attacks and are another indication of criminals' increased focus on CNP fraud.
How will PSD2 affect the US market?
According to Aite and Iovation, there's a risk that once the SCA requirements come into effect in Europe, CNP fraud could increase in other regions of the world that don't have similarly strong protections, including the US. This has been the case in the past with card-present fraud after the adoption of chip-and-PIN card authentication in Europe. The good news is that the US payments industry will likely adopt strong authentication for online transactions much faster than it adopted EMV for physical cards.
While the European regulators were working on the new directive, the payments industry was working through EMVCo, a consortium of financial companies and payment card networks, on a new authentication standard called 3-D Secure version 2 (3DS2). Their goal is to have this standard implemented around the world, not just in Europe.
3DS2 satisfies PSD2's authentication requirements by having support for biometrics and one-time passwords. It also integrates with mobile device authentication solutions such as Apple Pay and solves many of the issues that online merchants had with its predecessor, 3-D Secure version 1.
The adoption of EMV in the US took many years and is still not complete because merchants had to buy new point-of-sale terminals to support chip-enabled cards and needed those terminals to support their existing customizations such as loyalty programs and alternative payment methods. It's different with 3DS2 because its implementation involves software changes, not hardware.
The bulk of the effort is not on merchants, but on banks, which will only need to deploy an application programming interface (API) to recognize the 3DS2 directory that's shared by all card networks, said Tim Sloane, vice-president of payments innovation at Mercator Advisory Group, a Massachusetts-based firm that advises companies from the payments and banking industries.
"My expectation is that large multinational companies like Amazon will adopt it in Europe this year and once they have that capability, they'll also want to have it deployed throughout the US," he says. "So unlike EMV, it would theoretically be possible for 3DS2 to be deployed within the US in three years."
According to Sloane, if online merchants start switching their payment infrastructure to 3DS2 to be compliant in Europe, it will create an impetus for US banks to support it, too. Otherwise they will face liability for fraudulent transactions. So, while 3DS2 adoption in the EU will be pushed by the new directive, adoption in the US will be driven by the liability shift.
The success of 3DS2 in the US is going to depend on how well it addresses the issues merchants had with its predecessor. 3DS version 1 required merchants to pass cardholders over to the bank to collect information, leading to lost customers who would abandon their carts during the checkout process.
"In the US most merchants stopped using 3DS because it was too unreliable," Sloane says. "Consumers had to individually sign up to use it and not many took the time and effort to do that so the installed base of consumers that could use it was extremely small."
With 3DS2, cardholders are automatically subscribed into the service by their bank so there's no sign-up process. Also, the new standard allows merchants to collect more information about a transaction and pass those data points through the normal payment channels to the card issuer, who can then decide if it wants to challenge that transaction. If the issuer challenges a transaction, it will do so independently of the merchant, through a code sent by SMS or through a banking app installed on the user's phone that, for example, supports fingerprint-based authentication.
"The challenge will come from the bank to the consumer, not from the merchant and the expectation is that this will be a much smoother implementation," Sloane says. "If there are problems, there could be delays in adoption, but my expectation is that card networks are going to put everything they have behind this to make it work."
Aite and Iovation also warn in their report that the new SCA requirements might double the existing number of stepped-up authentications in Europe, which could expose merchants to loss of sales if the process is not managed properly.
Third-party access to bank accounts
The European regulators also aimed to create a competitive market for payment services in Europe and to allow new companies to innovate in this segment. To achieve this, PSD2 requires banks and other financial institutions that manage payment accounts for customers to provide third-party services with access to those accounts if the account owners give their consent.
These third-party payment services providers will have the ability to check the availability of funds, to initiate payments on behalf of the account holders or to access account data, such as transaction information. Granting access can be achieved in several ways, including by redirecting customers to authenticate on the bank's portal, but according to Aite and Iovation, the most common implementations will be through APIs provided by the banks. The problem is there's no widely adopted standard yet for such APIs, even though several are being developed and proposed by different industry groups.
"Banks may choose to work with these standards or develop their own RTS-compliant APIs," Aite said in its report. "The very existence of multiple standards already means that TPPs [third-party providers] will have to work with different APIs across Europe. Further complexity is added with the realization that bank implementations of the same standard will differ as well, and the U.K. shows evidence of this."
Historically, fragmentation and complexity have led to implementation errors in other technology segments, and there is always a risk that such errors can lead to security vulnerabilities and breaches. While this kind of access can spur innovation and lead to the creation of new services and applications, consumers should always be wary of sharing access to their data and, in this case, personal funds, with many third parties.
European Banking Authority clarifies authentication requirements
In June 2019, the European Banking Authority (EBA) issued an opinion about what authentication factors would meet the Directive’s SCA requirements, which consist of multi-factor authentication using a combination of knowledge, possession and inherence factors.
For example, acceptable inherence factors are fingerprint, retina and iris scanning, voice and vein recognition, hand and face geometry, keystroke dynamics, heart rate and body movement pattern or the angle at which the device is held. Information transmitted using a communication protocol, such as EMV’s 3-D Secure or a memorized swiping pattern do not qualify as inherence factors.
Acceptable possession factors can be devices, cards, apps or browsers verified using one-time passwords, QR code scans, device binding or digital signature based on hardware and software tokens. The simple presence of an app on a device or the details and other elements printed on a card do not qualify as sufficient to prove possession.
Knowledge factors can be passwords, PINs, passphrases or memorized swiping paths -- that should exist and be known by the users before the transaction is initiated -- but not email addresses or usernames, details printed on cards, OTP tokens received or generated on devices or from printed lists.
“The EBA has also clarified that 3-D Secure does not qualify as an inherence factor, and does not meet SCA requirements,” fraud prevention company iovation said in a blog post. “For those that might already be working on 3-D Secure, not to despair. The EBA did encourage the use of the communication protocol to: help ensure customer convenience, help drive down fraud through data sharing, and help in meeting transaction risk analysis requirements and gaining exemptions to SCA.”
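The EBA classification summarised above can be turned into a simple policy check. The following is an added example, not code from the article, the EBA or iovation; the element names are assumed labels, and the rule applied is the two-distinct-categories requirement the article describes, with the explicitly rejected elements (usernames, card details, 3-D Secure protocol data, a merely installed app) contributing nothing.

```python
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Category of each presented element per the EBA opinion as summarised in the
# article; elements the EBA rejected map to None. Names are assumed labels.
FACTOR_CATEGORY = {
    # knowledge: must exist and be known to the user before the transaction
    "password": KNOWLEDGE, "pin": KNOWLEDGE, "passphrase": KNOWLEDGE,
    "memorized_swipe_path": KNOWLEDGE,
    # possession: device/card/app/browser proven by OTP, QR scan, binding or signature
    "otp_app": POSSESSION, "otp_sms": POSSESSION, "qr_scan": POSSESSION,
    "device_binding": POSSESSION, "hardware_token_signature": POSSESSION,
    # inherence
    "fingerprint": INHERENCE, "face_geometry": INHERENCE, "iris_scan": INHERENCE,
    "voice": INHERENCE, "keystroke_dynamics": INHERENCE, "device_hold_angle": INHERENCE,
    # explicitly not sufficient as factors
    "email_address": None, "username": None, "card_printed_details": None,
    "app_installed": None, "3ds_protocol_data": None,
}

def evaluate_sca(elements):
    """Classify presented elements and decide whether they form valid SCA.

    Returns (ok, covered_categories, ignored_elements). ok is True only when at
    least two distinct categories are covered; two elements of the same category
    (e.g. password plus PIN) do not count as two factors.
    """
    covered, ignored = set(), []
    for element in elements:
        category = FACTOR_CATEGORY.get(element)
        if category is None:
            ignored.append(element)     # unknown or EBA-rejected: contributes nothing
        else:
            covered.add(category)
    return len(covered) >= 2, covered, ignored
```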
Payment service providers can get more time
While the deadline for being compliant with the SCA requirements is September 14, 2019, the EBA said that the national authorities in charge of enforcing the new regulation may “decide to work with PSPs [payment service providers] and relevant stakeholders, including merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA.”
However, this leeway will be given only on “exceptional basis” and only for PSPs that have set up a migration plan and have agreed to it with the national authority and are capable of executing that plan in an expedited manner.
In August, the U.K.’s Financial Conduct Authority (FCA) announced that it had agreed to a phased implementation of SCA based on an 18-month plan. The authority said it won’t take regulatory action against organizations that “can show evidence that they have taken the necessary steps to comply the plan.”
The EBA acknowledged that due to the complexity of the payments market across the EU, many electronic merchants who are not directly subject to PSD2 might be badly affected by the Sept. 14 SCA deadline because other actors in the payments chain that they depend on are not ready.