There has been a lot of controversy about the impending regulation on strong customer authentication under the second Payments Services Directive (PSD2). For a layperson, the questions “what is it?” and “how will it affect me?” will spring to mind. Undoubtedly, the advancement of technology over recent years has changed the way we make payments, providing consumers with speed and ease when carrying out transactions. Some practical examples were seen with the introduction of contactless payments and Apple Pay.
The first Payment Services Directive was implemented in 2007. Payments technology has of course evolved since then, and legislation did not catch up with those developments until the European Commission proposed a revision in 2013. The European Banking Authority (EBA) develops regulatory standards such as the PSD, which are then adopted by the European Commission (EC) as binding regulations and decisions that Member States must adhere to and comply with.
Attending a Fintech conference last month, there was a lot of excitement as well as speculation about how the implementation of the PSD2 could level the playing field for Fintechs and change the payments landscape for both banks and Fintechs. However, there was not much discussion about how it could affect customers, so we will shed some light on this. The PSD2 now requires payment service providers to apply strong customer authentication every time a user accesses a payment online, initiates an electronic transaction or carries out an action through a remote channel that may imply a high risk of fraud. So what is ‘strong customer authentication’, and how will it affect the user experience?
What is meant by ‘Strong Customer Authentication’?
Article 4(30) of the PSD 2 defines it as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”
The ultimate purpose of this directive is to enhance consumer protection, promote the security of payment systems within the EU and promote innovation. Article 97(1) sets out the actions required to enhance consumer protection and promote security within the payment services industry. To that end, the directive requires strong customer authentication when the payer, directly or through an account information service provider (AISP), 1) accesses its payments online; 2) initiates an electronic payment; or 3) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses. Strong customer authentication will also be required where a user, directly or through a payment initiation service provider (PISP), initiates an electronic remote payment transaction.
How will it affect consumers?
Once the PSD2 is fully implemented by Member States, consumers may no longer enjoy ‘one-touch’ payments. They will be a thing of the past, as consumers will be presented with two back-to-back requests for authentication.
For the aims of this directive to be fulfilled, an effective SCA system would prompt users for their credit card information at checkout, and the second step could be generating a code from an assigned bearer token. Based on this example, if the user does not have the bearer token they may not be able to complete their transaction. The second stage of authentication could also be sent to a registered phone number. If at the time of a transaction the user does not have the registered phone to hand, a delay to the payment is certain. On the other hand, from a security standpoint, it is clear how this two-step authentication process is more secure and, for financial services providers, how it would reduce the risk of fraud and the amount lost to it. From a consumer standpoint, however, the process seems burdensome and long-winded.
The directive certainly puts security above merchant usability and consumer experience; thus the added requirement for a two-step authentication process could over-complicate checkout and cause undue friction for consumers.
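The two-step checkout described above, as an added illustration that is not part of the original post: a knowledge element (a PIN only the payer knows) followed by a possession element (a one-time code generated by an assigned token), with the Article 4(30) rule that the verified elements must come from at least two different categories. The token code uses the RFC 6238 TOTP algorithm; the secret, salt and PIN are constructed sample values, and `authorise_remote_payment` is a hypothetical checkout hook.

```python
import hashlib
import hmac
import struct

# Article 4(30) categories; each element the payer presents is tagged with one
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code a hardware token or phone app displays."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_possession(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Possession element: accept the current step and +/- `window` steps for clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + i * 30), submitted)
        for i in range(-window, window + 1)
    )


def verify_knowledge(stored_hash: bytes, salt: bytes, submitted: str) -> bool:
    """Knowledge element: the PIN is compared against a PBKDF2 hash in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)


def satisfies_sca(verified_elements) -> bool:
    """Strong only if elements from at least two *different* categories verified;
    a password plus a memorable word are both knowledge and do not qualify."""
    categories = {category for category, ok in verified_elements if ok}
    return len(categories) >= 2


# Constructed sample data (not a real account): RFC 6238 reference secret, hashed PIN "4921"
TOKEN_SECRET = b"12345678901234567890"
SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4921", SALT, 100_000)


def authorise_remote_payment(pin: str, token_code: str, unix_time: int) -> bool:
    """Hypothetical checkout hook: step one asks for the PIN, step two for the token code."""
    elements = [
        (KNOWLEDGE, verify_knowledge(PIN_HASH, SALT, pin)),
        (POSSESSION, verify_possession(TOKEN_SECRET, token_code, unix_time)),
    ]
    return satisfies_sca(elements)
```

Without the token (or with a wrong PIN) the payment is refused, which is exactly the friction the post describes; a second knowledge element would not rescue it.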