The European Union’s revised Payment Services Directive (PSD2) has been in effect for over a year now, but in a few months the next phase of the regulation will kick in – strong customer authentication (SCA).
It builds on the existing rules, which have so far required financial institutions to open up access to the customer data they hold – allowing third parties with the customer's permission to access and use that information.
The introduction of PSD2 was designed to boost innovation and customer protection across European financial services, and while the first year has seen a lot of emphasis on innovation, particularly with open banking in the UK, attention now turns to security and fraud prevention.
In a 2017 statement detailing the new legislation, the European Commission said: “A key objective of PSD2 is to increase the level of security and confidence of electronic payment.
“In particular, PSD2 requires payment service providers to develop strong customer authentication.
“The rules therefore have stringent, built-in security provisions to significantly reduce payment fraud levels and to protect the confidentiality of users’ financial data, especially relevant for online payments.
“They require a combination of at least two independent elements, which could be a physical item – a card or mobile phone – combined with a password or a biometric feature, such as fingerprints before making a payment.”
The deadline for SCA implementation across Europe is September 14 and banks are hard at work to make sure they are compliant in time.
What will PSD2 strong customer authentication look like?
In short, SCA will mean the introduction of a two-factor authentication process for any online transaction over €30 (£25) – whether that is a bank transfer or a simple bit of internet shopping.
Philip Bonhard is the customer experience lead for digital security at Lloyds, and spoke at the Finovate Europe conference in London earlier this month about how SCA is going to have an impact.
“Until recently, passwords and usernames have been the way we do security – but providing credentials once is no longer going to be enough,” he said.
“You are going to need two out of three of the following – something you know, something you have, and something you are.”
The something you know might be a password or some memorable information, the something you have could be a phone or tablet, and the something you are refers to biometrics – such as voice, fingerprint or facial recognition.
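As an added example (not from the article or from any bank's implementation), here is a small Python policy check that applies the two-of-three rule described above: each presented element is mapped to its factor category, and two elements from the same category (for instance a password plus a PIN) do not count as independent. The element names, the function names and the handling of payments at or below the €30 threshold are this example's own assumptions.

```python
from decimal import Decimal

# Each authentication element belongs to one factor category:
# knowledge (something you know), possession (something you have)
# or inherence (something you are). Element names are assumed.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "memorable_info": "knowledge",
    "card": "possession",
    "phone": "possession",
    "tablet": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
    "voice": "inherence",
}

# Threshold quoted in the article: SCA applies to online transactions over EUR 30.
SCA_THRESHOLD_EUR = Decimal("30")


def sca_required(amount_eur) -> bool:
    """True when the transaction value is above the EUR 30 threshold."""
    return Decimal(str(amount_eur)) > SCA_THRESHOLD_EUR


def factor_categories(elements) -> set:
    """Distinct factor categories covered by the presented elements.
    An unknown element is rejected rather than silently counted as a factor."""
    categories = set()
    for element in elements:
        if element not in FACTOR_CATEGORY:
            raise ValueError(f"unknown authentication element: {element}")
        categories.add(FACTOR_CATEGORY[element])
    return categories


def satisfies_sca(elements) -> bool:
    """Strong customer authentication needs two *independent* categories,
    so distinct categories are counted, not the number of elements."""
    return len(factor_categories(elements)) >= 2


def authorise(amount_eur, elements) -> bool:
    """Assumed policy: at or below the threshold one valid element suffices;
    above it the two-independent-factor rule must be met."""
    if not sca_required(amount_eur):
        return len(factor_categories(elements)) >= 1
    return satisfies_sca(elements)
```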
Whatever the combination of factors, people will soon have to get used to regularly taking an extra security step when transferring money online – and banks will have to design and introduce new facilities on their payment platforms to enable this.
Why has PSD2 strong customer authentication been introduced?
Most people will be familiar with two-factor authentication in some shape or form – chip and PIN cards are a common example, requiring both the physical card and the remembered four-digit passcode.
But online payments have hitherto been more fluid in nature, often requiring only a username and password to validate transactions.
Figures from the European Central Bank show that card-not-present fraud – a term that refers broadly to cases of online payment fraud – is now the most prominent type of card fraud across Europe.
In 2016, it accounted for 73% of the €1.32bn (£1.13bn) total value of card fraud losses in the Single Euro Payments Area (SEPA) – a 2.1% increase on the previous year.
PSD2 and SCA are an effort by European policymakers to shore up digital payment infrastructures across the union, and reduce the exposure to fraud in online money transfers.
Banks need to educate customers about PSD2 strong customer authentication standards
While the likes of Starling, Monzo, Revolut and N26 may have an easier time adapting to SCA given their fintech credentials and digitally minded audiences, all banks, big and small, will face challenges in complying with the upcoming regulations.
Creating the tools needed to become compliant will no doubt take a significant amount of time, effort and budget for developers between now and the September deadline.
“Banks are working feverishly to get two-factor authentication implemented across the entire ecosystem,” said Mr Bonhard.
But he also described a particular problem for the larger banks as being the scale and diversity of their users, and the need to introduce SCA to customers with different backgrounds and specific needs – such as the elderly or disabled.
Mr Bonhard outlined some key design principles that guide how Lloyds is approaching its SCA implementation – including simplicity and accessibility, onboarding and education, and ownership of security.
Above all, the extra security step needs to be clear and easy to navigate, but it is also necessary to increase customer awareness of the need to be more vigilant online.
He said: “SCA, two-factor authentication, and digital security are going to be new to many people, and we need to tell them about this in a way that doesn’t make their eyes glaze over.
“Customers need to have clarity and we need to make it as easy as possible for them to understand how it works and talk to them in ways they recognise, without the jargon.
“In the digital world we now live in, people have to take ownership of how they manage their digital security. They will have a much more active role to play.”
So, technology development aside, the big challenges for banks are going to be educating the public about the new security measures, making sure customers understand why the extra steps are necessary, and encouraging people to be more vigilant with their online data.