Securing the customer – authentication on the fly
PSD2’s requirement for multi‐factor authentication is proving to be a crucial moment in the evolution of payments – and as online fraud continues to advance, innovations like biometrics are essential to securing customers while enhancing the purchasing experience.
The September 2019 entry into force of the Strong Customer Authentication rules of the Payment Services Directive II (PSD2), the EU’s flagship effort to set requirements for all firms that provide payment services, was a landmark moment for online and contactless payments as they become increasingly ubiquitous. At its heart is a desire to reduce online and point‐of‐sale payment fraud by requiring stronger authentication when a payment is initiated or when remote account access is requested. The EU presented multi‐factor authentication as the foundation of its new measures.
Regulators’ lack of confidence in payment systems is easy to understand, as online fraud has reached an all‐time high and shows no sign of slowing down. Europe suffers from a staggering €1.3 billion in e‐commerce fraud every year, according to the European Central Bank, driving a tidal wave of criminal activity that not only affects the victims themselves, but everyone else too in the form of increased fees. Fraud is one of the most important problems facing financial institutions, and with cybercriminals becoming increasingly sophisticated it’s vital that innovation in the security space keeps pace.
Amidst these issues, PSD2 is proving itself to be one of the most significant pieces of legislation to hit the EU banking scene, with plans to make payments safer through an additional layer of security on higher‐value payments. The new measures, however, have met significant market resistance because transforming existing authentication processes is complicated.
Strong Customer Authentication (SCA), a central requirement of PSD2, mandates at least two‐factor authentication on electronic payments (the regulatory technical standards exempt low‐value remote payments up to 30 euros and contactless point‐of‐sale payments up to 50 euros, subject to cumulative limits) and has the potential to change the security landscape forever. It has moved authentication towards a multi‐factor approach, requiring two independent elements from the following categories to complete a transaction: something the consumer “knows” (e.g. a password), “has” (e.g. a bank card or registered phone) or “is” (e.g. biometrics). The elements must be independent, so that compromising one does not compromise the other.
Substantial lobbying and a lack of preparedness forced regulators to grant a lengthy extension to PSD2’s SCA enforcement date, originally 14 September 2019. Retail and payment service providers worried that the extra steps needed to authenticate larger purchases would deter sales, though others argued they would enable consumers to feel safer and more confident when purchasing online.
Biometrics is a key technology for transforming the banking sector whilst ensuring PSD2 compliance: a fingerprint or face cannot be phished, shared or written on a sticky note the way passwords, tokens or PINs can be. However, Financial Services Institutions (FSIs) looking to construct and maintain a multi‐factor authentication environment need to look beyond baseline biometrics. Whilst biometrics ensure a good customer experience, a biometric match on its own only unlocks something; much more is needed to maintain sufficiently high levels of security. One example is a challenge/response protocol built on public/private key cryptography: the bank sends a one‐time challenge tied to the transaction, the device signs it with a private key that is only released after a successful local biometric match, and the bank verifies the signature with the public key it registered at enrolment. Furthermore, to avoid centralized, scalable attacks, critical data such as private keys and biometric templates should be stored and matched locally on the device (in a secure element or trusted execution environment), not in a central database, so that a single breach cannot compromise every customer at once.
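The following is an added illustration of the challenge/response design described above, written for this page and not code from G+D, Crédit Agricole or any product mentioned here. It simulates both sides: a Device that holds an Ed25519 private key and signs only after a (simulated) biometric match, and a Bank that stores nothing but public keys and the challenges it has issued. The challenge carries the amount and payee, so a signature cannot be reused for a different payment (the binding PSD2’s technical standards call dynamic linking); nonces are single‐use, so a captured signature cannot be replayed. The device ID, merchant name and amounts are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the bank sends to the customer's device: a one-time nonce
// bound to the transaction being authorised (amount in cents and payee), so a
// signature over it cannot be reused for any other payment.
type Challenge struct {
	Nonce  string
	Amount int64
	Payee  string
	Expiry time.Time
}

// Bytes is the exact byte string both sides sign and verify.
func (c Challenge) Bytes() []byte {
	return []byte(fmt.Sprintf("%s|%d|%s|%d", c.Nonce, c.Amount, c.Payee, c.Expiry.Unix()))
}

// Device stands in for the customer's phone or biometric card. The key pair is
// generated on the device and the private half never leaves it (in a real
// product it would live in a secure element or TEE-backed keystore).
type Device struct {
	ID   string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv, pub: pub}, nil
}

// Sign releases a signature only if the local biometric match succeeded. The
// match outcome is simulated by the caller; neither the fingerprint template
// nor the key is ever sent to the bank.
func (d *Device) Sign(c Challenge, biometricMatch bool) ([]byte, error) {
	if !biometricMatch {
		return nil, errors.New("biometric verification failed: key not unlocked")
	}
	return ed25519.Sign(d.priv, c.Bytes()), nil
}

// Bank holds only public keys and the challenges it has issued, so a breach of
// its database yields nothing an attacker can authenticate with.
type Bank struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string]Challenge
	now     func() time.Time // injectable clock, so expiry can be tested
}

func NewBank() *Bank {
	return &Bank{pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]Challenge{}, now: time.Now}
}

// Register stores a device's public key (onboarding would itself need SCA).
func (b *Bank) Register(d *Device) { b.pubKeys[d.ID] = d.pub }

// Issue creates a fresh challenge for one specific transaction.
func (b *Bank) Issue(amount int64, payee string) (Challenge, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: hex.EncodeToString(n[:]), Amount: amount, Payee: payee, Expiry: b.now().Add(2 * time.Minute)}
	b.pending[c.Nonce] = c
	return c, nil
}

// Verify checks the signature against the bank's own record of the challenge
// (not a copy sent back by the client), enforces expiry, and consumes the
// nonce so a captured signature cannot be replayed.
func (b *Bank) Verify(deviceID, nonce string, sig []byte) error {
	pub, ok := b.pubKeys[deviceID]
	if !ok {
		return errors.New("unknown device")
	}
	c, ok := b.pending[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(b.pending, nonce) // single use, whether or not it verifies
	if b.now().After(c.Expiry) {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, c.Bytes(), sig) {
		return errors.New("signature does not match the issued transaction")
	}
	return nil
}

func main() {
	bank := NewBank()
	card, _ := NewDevice("card-0001") // constructed sample device ID
	bank.Register(card)
	c, _ := bank.Issue(4599, "FR-MERCHANT-42") // €45.99 at a (constructed) merchant
	sig, _ := card.Sign(c, true)
	fmt.Println("genuine payment:", bank.Verify(card.ID, c.Nonce, sig))
	fmt.Println("replayed signature:", bank.Verify(card.ID, c.Nonce, sig))
	c2, _ := bank.Issue(4599, "FR-MERCHANT-42")
	tampered := c2
	tampered.Amount = 459900 // amount altered between bank and device
	sig2, _ := card.Sign(tampered, true)
	fmt.Println("altered amount:", bank.Verify(card.ID, c2.Nonce, sig2))
}
```

The point to take from the example is what the bank never holds: no biometric template, no private key, no reusable secret. An attacker who copies its database gets public keys and spent nonces, and an attacker who intercepts one authentication gets a signature that is valid only for that nonce, that amount and that payee, and only once.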
Strong Customer Authentication doesn’t have to be restricted to mobile applications and use cases. In a first‐of‐its‐kind six‐month pilot project in France, banking group Crédit Agricole has been testing contactless payment cards with integrated fingerprint readers with 200 customers, ahead of a market launch of the tested technology in 2020. The results are already demonstrating the power of biometrics in improving the customer experience whilst providing a robust level of security too.
The biometric cards, which are produced and personalised by security technology group G+D Mobile Security, enable Crédit Agricole customers to make quick, easy and secure contactless payments simply by placing a finger on the card’s fingerprint reader. Because the fingerprint is matched on the card itself, the cardholder is verified at the point of sale and the payment is no longer subject to the usual limit of 30 euros for contactless cards.
“The future belongs to payment solutions that are both convenient and secure,” says Gabrielle Bugat, head of financial services solutions at G+D Mobile Security, which manages and secures billions of digital identities over their entire lifecycle. “Crédit Agricole is ringing in this future now with our biometric card solution that ensures at all times the protection of the user through security by design.”
The “something the consumer knows” element of SCA has also caused issues, not least because it is open to interpretation. A knowledge element is generally understood as something that only the customer knows, but which questions qualify depends on a bank’s legal reading of the rules. In the digital age of oversharing, when a mother’s maiden name or first school can be found on social media, is knowledge really still a sensitive form of authentication?
“We have seen a bank recently go down a very stringent route whereby typical security questions, such as mother’s maiden name, can no longer be used,” says Sarah Whipp, chief marketing officer at Callsign, an adaptive authentication platform. “Instead, they have chosen to ask for information on the last payment you made or your bank balance last Thursday, which can be quite cumbersome for the customer. Banks are already discussing a move away from the reliance on this most traditional factor.”
Given that SCA will need to be applied to a range of existing and potentially disparate channels, banks could in fact be about to experience a new set of security and integration issues. There is a wide range of use cases to contend with, and different demographics are likely to be familiar with different authentication methods. Some customers don’t have access to smartphones, for example, while others don’t use banking apps.
As consumers become used to being prompted for credentials in situations other than direct online banking, attackers will no doubt exploit the habit with a new variation of phishing: fake authentication journeys that mimic the bank’s prompts and relay whatever the customer enters. Any factor that is simply typed in, including a one‐time code, can be relayed this way; an approach that binds the response to the customer’s device and to the specific transaction being approved leaves a relayed response worthless. Without that, PSD2 potentially exposes consumers to a new wave of frauds and scams that don’t exist today, despite its key intent being to reduce those risks.
In summary, PSD2 will force stronger customer authentication onto end users and it’s imperative that banks/FSIs use the correct combination of tools and techniques to ensure customers remain safe and secure online as well as in‐store, without ruining the customer experience.
Giesecke + Devrient are specialists in the field of mobile authentication and have a proven, PSD2 compliant SCA solution that can be deployed quickly and cost‐effectively.