By Dr Stephen Topliss, Vice President Product Strategy at ThreatMetrix
With the formal deadline for adoption into law of the second Payment Service Directive (PSD2) having passed in January, organisations in the financial services industry will already be taking steps to modify systems and processes accordingly. While aiming to make electronic payments far more simple, transparent and secure, as well as spurring a whole new level of innovation and competition in an increasingly mobile-first world, the new regulations will not be without their challenges. Arguably, the biggest challenge for banks and payment players won’t be the innovative new services themselves; it will be the security behind them.
The European Commission is changing the fundamentals of trust and security in the digital commerce space in its quest to drive eCommerce growth and reduce fraud. The higher level of security mandated by PSD2 will therefore require banks and businesses to adapt their systems and business models accordingly.
Although fundamental changes to how data must be handled will inevitably present operational challenges to overcome, the opportunity such sweeping reforms will bring cannot be overlooked. By forcing a time line and dedicated action in areas that might otherwise have been the subject of debate for years before any real change, regulatory change universally raises minimum standards for an entire industry.
Balancing fraud vs. risk – the unintended consequences of Strong Customer Authentication
The clear issue with the implementation of strong customer authentication (SCA) is that it can create undue friction and negatively affect customer experience. Therefore, the challenge – and even the opportunity – for organisations is to adopt solutions that meet the more stringent PSD2 security requirements while offering a user experience that requires minimal or zero additional user intervention.
The exciting thing here is that it is spurring on technical innovation among organisations – and the vendors that support them – to completely rethink authentication and identity verification. Going beyond a layered approach to security, organisations need a dynamic, responsive approach that seamlessly incorporates risk-based and strong customer authentication techniques in order to enhance security and compliance, without taking a backwards step in frictionless authentication.
Integrated, risk-based and strong authentication techniques are required, and organisations evaluating changes as a result of PSD2 should favour SCA methodologies that need minimal user intervention, such as strong device binding or biometrics such as a thumbprint on mobiles, which are very familiar to users.
Risk-based authentication (RBA) is allowed for certain low-risk transactions, while payment service providers (PSPs) can also apply it more broadly if they’re able to demonstrate low rates of fraud. While acceptable thresholds are aggressive, PSPs will benefit immensely from deploying a combination of SCA and RBA for fraud prevention while focusing on delivering low-friction services. The PSD2 Regulatory Technical Standards (RTS) are addressed to the PSPs, which means that the merchants can continue to apply risk analysis to transactions with their customers.
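As an added illustration of the RBA-plus-SCA combination described above (example code written for this page, not from the article or ThreatMetrix), the Python sketch below decides per transaction whether to approve frictionlessly, step up to SCA, or decline. Whether the frictionless path is even available depends on the PSP's own observed fraud rate against a per-amount cap, which is the shape of the low-fraud-rate condition the article mentions. The band limits, fraud-rate caps, risk signals and score weights are all constructed assumptions for the example and are not the figures in the RTS.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Illustrative exemption bands (assumed values, NOT the RTS figures):
# a transaction at or below max_amount may skip SCA only while the PSP's
# observed fraud rate stays at or below max_fraud_rate for that band.
EXEMPTION_BANDS: List[Tuple[float, float]] = [
    (100.0, 0.0020),   # up to EUR 100: fraud rate <= 0.20 %
    (250.0, 0.0010),   # up to EUR 250: fraud rate <= 0.10 %
    (500.0, 0.0002),   # up to EUR 500: fraud rate <= 0.02 %
]
LOW_RISK_MAX = 30      # scores below this are eligible for frictionless approval
DECLINE_MIN = 80       # scores at or above this are refused outright


@dataclass
class Transaction:
    amount: float
    new_device: bool         # device not previously bound to this customer
    country_mismatch: bool   # IP geolocation differs from the account's country
    attempts_last_hour: int  # payment attempts from this account in the last hour


def observed_fraud_rate(history: Iterable[Tuple[float, bool]]) -> float:
    """Value-based fraud rate: confirmed-fraud amount over total amount.

    history holds (amount, confirmed_fraud) pairs from the PSP's own records.
    """
    total = fraud = 0.0
    for amount, is_fraud in history:
        total += amount
        if is_fraud:
            fraud += amount
    return fraud / total if total else 0.0


def risk_score(tx: Transaction) -> int:
    """Additive score from a few constructed signals; higher means riskier."""
    score = 0
    if tx.new_device:
        score += 35
    if tx.country_mismatch:
        score += 30
    if tx.attempts_last_hour > 3:
        score += 25
    return score


def exemption_available(amount: float, fraud_rate: float) -> bool:
    """True when the amount falls in a band whose fraud-rate cap the PSP currently meets."""
    for max_amount, max_rate in EXEMPTION_BANDS:
        if amount <= max_amount:
            return fraud_rate <= max_rate
    return False  # above the highest band: SCA is always required


def decide(tx: Transaction, fraud_rate: float) -> str:
    """Return ALLOW (frictionless), STEP_UP_SCA or DECLINE for one transaction."""
    score = risk_score(tx)
    if score >= DECLINE_MIN:
        return "DECLINE"
    if score < LOW_RISK_MAX and exemption_available(tx.amount, fraud_rate):
        return "ALLOW"
    return "STEP_UP_SCA"


if __name__ == "__main__":
    # Constructed history: 2000 payments of EUR 50, one confirmed fraud -> 0.05 %
    history = [(50.0, False)] * 1999 + [(50.0, True)]
    rate = observed_fraud_rate(history)
    for tx in (
        Transaction(40.0, False, False, 1),    # known device, low value -> ALLOW
        Transaction(300.0, False, False, 1),   # clean, but band cap not met -> SCA
        Transaction(40.0, True, False, 1),     # new device -> SCA
        Transaction(40.0, True, True, 5),      # several signals at once -> DECLINE
    ):
        print(tx.amount, decide(tx, rate))
```

The point of keeping the fraud-rate check separate from the per-transaction score is that the exemption can be switched off fleet-wide the moment the PSP's measured rate drifts above the cap, without retuning the risk model.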
The new risks and rewards created by PSD2
Although PSD2 has been designed to enhance the overall security of digital payments, it does also bring with it some risk of specific kinds of fraud.
For example, implementing PSD2, and its associated increased demands on customer authentication, could result in higher demand on call centers from blocked payments and/or increased customer friction, as well as having an impact on the efficiency of automated monitoring systems which are not tuned and calibrated to the new payment schemes and fraud scenarios.
At the same time, opening APIs will introduce new players into the ecosystem, which in turn drives a need for 24/7 operation of fraud investigation teams, along with implementing real-time fraud transaction monitoring systems. It also introduces new payment flows directly from a customer’s bank account, using third party providers, which exposes more routes for fraudsters to infiltrate. Initially, it is likely there will also be an associated increase in compliance costs due to the lack of historical data in new payment channels.
Over the past year, there has been an increase in botnet activity for the purpose of account testing – in calendar year Q1 2018 alone, the ThreatMetrix® Digital Identity Network® saw a new quarterly record of one billion bot attacks, 100 million of which were from mobile devices. Essentially, this activity is a result of criminals creating automated processes to test out credentials that have become available thanks to the many high-profile data breaches we have seen in recent history.
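The account-testing pattern above has a simple signature in login telemetry: one source cycling through many distinct accounts in a short window with a high failure ratio. As an added example (written for this page, not ThreatMetrix code or the Digital Identity Network's logic), the Python below parses a constructed login log and flags sources that match that pattern, while leaving a legitimate user with a mistyped password and a shared household device alone. The log format, field names, thresholds and sample lines are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Assumed log format (constructed for this example):
# <ISO-8601 UTC timestamp> ip=<addr> device=<id> user=<account> result=OK|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) device=(?P<device>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class Event(NamedTuple):
    ts: datetime
    ip: str
    device: str
    user: str
    ok: bool


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, m["ip"], m["device"], m["user"], m["result"] == "OK")


def detect_account_testing(
    lines: List[str],
    window_minutes: int = 5,
    min_accounts: int = 5,
    min_fail_ratio: float = 0.8,
) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Flag (ip, device) sources that try >= min_accounts distinct accounts
    within window_minutes with a failure ratio >= min_fail_ratio.

    A sliding window per source is used so a slow, steady bot is not hidden
    by averaging over a whole day. The window with the most distinct
    accounts is reported for each flagged source.
    """
    by_source: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_source[(ev.ip, ev.device)].append(ev)

    window = timedelta(minutes=window_minutes)
    alerts: Dict[Tuple[str, str], Dict[str, float]] = {}
    for source, events in by_source.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most window_minutes.
            while events[end].ts - events[start].ts > window:
                start += 1
            span = events[start:end + 1]
            accounts = {e.user for e in span}
            fails = sum(1 for e in span if not e.ok)
            ratio = fails / len(span)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                best = alerts.get(source)
                if best is None or len(accounts) > best["accounts"]:
                    alerts[source] = {
                        "accounts": len(accounts),
                        "attempts": len(span),
                        "fail_ratio": ratio,
                    }
    return alerts


# Constructed sample log: a bot cycling through eight accounts (one succeeds),
# a real user who mistypes once, and a household device shared by two people.
SAMPLE_LOG = [
    "2018-03-01T09:58:00Z ip=198.51.100.7 device=phone-a1 user=alice result=FAIL",
    "2018-03-01T09:58:30Z ip=198.51.100.7 device=phone-a1 user=alice result=OK",
    "2018-03-01T10:00:00Z ip=203.0.113.5 device=bot-01 user=u1001 result=FAIL",
    "2018-03-01T10:00:10Z ip=203.0.113.5 device=bot-01 user=u1002 result=FAIL",
    "2018-03-01T10:00:20Z ip=203.0.113.5 device=bot-01 user=u1003 result=FAIL",
    "2018-03-01T10:00:30Z ip=203.0.113.5 device=bot-01 user=u1004 result=FAIL",
    "2018-03-01T10:00:40Z ip=203.0.113.5 device=bot-01 user=u1005 result=FAIL",
    "2018-03-01T10:00:50Z ip=203.0.113.5 device=bot-01 user=u1006 result=FAIL",
    "2018-03-01T10:01:00Z ip=203.0.113.5 device=bot-01 user=u1007 result=FAIL",
    "2018-03-01T10:01:10Z ip=203.0.113.5 device=bot-01 user=u1008 result=OK",
    "2018-03-01T10:05:00Z ip=192.0.2.9 device=home-tv user=bob result=OK",
    "2018-03-01T10:06:00Z ip=192.0.2.9 device=home-tv user=carol result=OK",
    "2018-03-01T10:20:00Z ip=198.51.100.7 device=phone-a1 user=alice result=OK",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for source, stats in detect_account_testing(SAMPLE_LOG).items():
        print(source, stats)
```

The successful login inside the flagged burst is the operationally interesting record: it identifies the account whose leaked credential worked, which is the one to step up to SCA and notify, rather than only blocking the source.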
Although any fundamental adjustments to how data is secured and handled carries with it certain risks, this must be balanced with the potential positive outcomes. In this case, PSD2 is driving organisations that are subject to the directive to very carefully consider their stance on security, and provides an opportunity to both overhaul existing measures, and go above and beyond the minimum requirements in order to differentiate from the competition. As a result, the situation has created a platform for innovation, as teams strive towards the most efficient and sophisticated solutions to meeting – and exceeding – the new requirements.
Supporting third-party ecosystem growth with enhanced security
While the new regulation is meant to enhance overall security, PSD2 also establishes a framework for the many payment initiation and account information services delivered by emerging FinTech providers that are linked to consumer accounts. Essentially, consumers and businesses can give third party providers (TPPs), as well as payment initiation service providers and account information service providers, access to user payment data. The TPPs can be FinTech providers, non-traditional players or established banks, and their growth and evolution will have a long-term influence on the payment and commerce ecosystem. For example, organisations may experience less direct contact with their customers, as well as reduced insight into the various data needed for fraud detection.
On top of PSD2, the implementation of GDPR means customers will have to give consent for TPPs to access/process their payment data, therefore TPPs will not be able to do anything beyond what is explicitly authorised by the customer.
A further concern about data privacy and management is not with regard to third parties – where banks still maintain a degree of control over how the data is used – but with how the data is handled by the fourth parties who access it, as that is a completely unknown quantity. This issue remains to be solved, and in the near future we may see further standards and guidelines specific to fourth parties introduced.
All this being said, the fact that security and privacy will be at the forefront of any and all third-party access enablement considerations further supports the demand for enhanced and, crucially, unobtrusive authentication. Any security measures that introduce friction and delays into the end-customer experience will be unacceptable, so banking organisations and their technology vendors will need to work together on solutions that ensure the highest level of security, without compromising the user experience.
Domestic, EU and beyond
Since the RTS does not mandate the specific technologies required to meet new standards within each EU member state, businesses will need to ensure their systems are able to operate seamlessly, not just for domestic transactions, but throughout the EU and internationally as well.
Organisations will be well served to find partners that can help them meet RTS security requirements without heavy infrastructure costs or the need for additional staff. As organisations throughout Europe stand on the precipice of PSD2, many questions remain and many are still in ‘watch and wait’ mode. There is no doubt that the new regulations will be a driving force behind new platforms and ecosystems that lead to new business models, and it will be critical for established providers to decide how to take advantage of the opportunity and not be left behind.