By Natasja Bolton, Acquirer Support Manager
In our December Ecommerce article we discussed the European Banking Authority’s (EBA) new guidelines for the security of internet payments and the possibility that, with the need to enhance protection of consumers against online payment fraud, presenting Payment Service Provider (PSP) hosted payment pages in iFrames may no longer be acceptable.
In this article we explore another of the EBA guidelines’ consumer protection objectives, strong customer authentication – the need to robustly authenticate the identity of the cardholder or consumer to further protect the user from fraudulent or mistaken payment transactions.
Both the EBA guidelines and the new EU Payment Services Directive (PSD2) include the obligation for Payment Service Providers and other impacted financial entities to apply strong customer authentication.
What is strong customer authentication?
|Strong authentication is based on the use of at least two of the following factors:
Note that this definition of strong customer authentication differs from the more general IT definition of ‘two factor authentication’ as the ECB (European Central Bank) requires strong authentication to be traceable back to an individual (or company) so that they can be identifiable in accordance with Anti-Money Laundering/Counter Terrorism Funds laws.
Strong (or strong customer) authentication is an authentication process that validates the identity of the user of a payment service, or of the payment transaction (more specifically, whether the use of a payment instrument such as a savings, debit, or credit account is authorised).
A suitable strong authentication solution would typically incorporate something the customer possesses such as a private key (assigned by the payment application), and something the user is, such as their fingerprint.
The EU requirements for strong customer authentication
The EBA’s ‘guidelines for the security of internet payments’ require the protection of, or support for, strong customer authentication:
- For the initiation of internet payments;
- For access to sensitive payment data;
- Of the cardholder by all card issuing PSPs, for card transactions;
- By PSPs offering acquiring services, to allow the issuer to perform strong authentication of the cardholder;
- By online ‘e-merchants’, to allow the issuer to perform strong authentication of the cardholder for transactions via the Internet.
PSD2 obliges PSPs (and, where relevant Payment Initiation Service Providers (PISPs) and/or Account Information Service Providers (AISPs) to apply strong customer authentication where the payer:
- Accesses his/her payment account online;
- Initiates an electronic payment transaction;
- Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses, including online or mobile payments.
In order to help service providers meet these obligations, PSD2 requires the EBA to develop Regulatory Technical Standards (RTS). The draft RTS are planned to be published in Summer 2016. On its release, the draft RTS will give a better insight into what the PSPs, PSPs offering acquiring services and their merchants will need to implement to deliver strong customer authentication from January 2018 when the PSD2 will apply.
How is it expected strong customer authentication will be delivered?
In the absence of those guidelines, how might strong customer authentication be delivered? The Sysnet article ‘Biometrics: the Future of Mobile Payments?’ discussed the potential for biometric identification technologies to be used to reduce fraud and financial crime through strong consumer authentication of transactions.
The signs from the payments industry are that biometric authentication is indeed the likely way forward to deliver a reliable second authentication factor for customers.
The research group, Juniper, in their recently released ‘Top 10 Disruptive Technologies in Fintech 2016′ predicted that biometrics will be the top disruptive technology in digital payments this year.
Biometric authentication is already successfully in use for face to face payments, being used by both Apple Pay and Samsung Pay, and will soon be available to HSBC online banking customers; it is expected that further innovation will be triggered by these proven implementations of biometric authentication.
Recognising this, both the Juniper report and another research group, Tractica, predict a surge in the financial sector’s interest in developing use cases for and deployments of biometric authentication in the short and medium term.
Sysnet expect that, rather than wholesale replacement of existing customer authentication mechanisms with entirely new technologies, support for strong customer authentication will be incorporated into existing customer authentication mechanisms as the next natural step in their development.
3D Secure already exists as the means by which cardholders are required to provide additional authentication information when making a purchase online. To meet the EBA and PSD2’s requirements, it is expected that this existing mechanism will be updated to include support for the additional authentication factors necessary to deliver strong two-factor authentication of the consumer.
The update to the protocol specification, 3D Secure 2.0, is also due sometime in 2016.
Given industry predictions this is likely to include support for the use of biometrics as the additional authentication factor; however, as we discussed in our previous article, biometrics are not a ‘silver bullet’ and will need to be just one of a number of secure methods by which two-factor authentication of the consumer can be achieved.
Biometrics have many benefits such as always being ‘available’ to the consumer but they also have the disadvantage that they can only work when the consumer is interacting through a device able to capture/scan that biometric factor and authenticate it.
Therefore the customer authentication mechanism will need to offer an alternative for online purchase scenarios where the capture and verification of the consumer biometric factor is not possible.
For example, use of a ‘something you have’ factor such as receipt of a security code to the consumer’s registered mobile or home phone number, for consumer submission into the e-merchant payment page.
It is expected that issuers (or the account servicing payment service providers, the PSP needing that additional level of assurance of the identity of the customer initiating the transaction) will drive the development of strong customer authentication mechanisms to the RTS defined by the EBA.
How can you help your customers?
PSPs offering acquiring services have an obligation to ensure that their merchants are fulfilling the technical security standards required by the EU legislation. Sysnet recommend that you consider now how you can assist your ecommerce merchant base implement the additional security mechanisms that are already available to them to improve online payment security.
We believe you should be actively encouraging acceptance and adoption of the existing customer online authentication measures (i.e. the current implementations of 3D Secure 1.0: Verified by Visa, Mastercard SecureCode, etc.) across your entire ecommerce merchant base. This will require merchant awareness and education to drive adoption.
By encouraging your merchants to take on and adopt the security measures already available to them for online customer authentication, you will be helping to ensure that merchants are prepared and ready for the transition to whatever comes along to replace it to meet the EU’s requirements for improved online payment security, including strong customer authentication.
You need to take steps now to help ensure your merchants can securely take advantage of the new and flexible world of online digital payments that the PSD2 seeks to promote and support.
What are the consequences if customers do not implement support for strong customer authentication?
Visa Europe’s document ‘Securing Internet Payments’ summarises the strong customer authentication mandate contained in the EBA guidelines and PSD2. The document also describes the consequences should acquirers fail to ensure merchants are able to support strong customer authentication (the flexibility for which will be specified in the EBA’s RTS):
“According to PSD2, the liability for an unauthorised payment transaction is allocated to the payment service provider (Issuer or Acquirer) or the payee (merchant) that failed to support SCA”. This follows the current liability shift in the 3D Secure authentication model.
If you are a merchant that requires technical or PCI DSS help, please click here