In 2015, the European Union (EU) adopted the revised Payment Services Directive (PSD2), updating the original directive that regulates payment services and payment service providers within the EU and the European Economic Area (EEA). PSD2 is meant to improve consumer protection in online payments. Specifically, it requires banks to open access to customer accounts for authorised third-party providers through an application programming interface (API). The intent is to spur innovation as new online and mobile payment businesses are built on open banking, and to make cross-border payments within the EU safer, easier and more convenient. Fraud prevention services are part of how that is meant to happen.
PSD2 has come into force in phases. Phase 1 took effect in January 2018 and required EU member states to transpose the directive into national law, including its transparency and security requirements for electronic payments. Phase 2, effective 14 September 2019, requires payment service providers to implement those security requirements in detail, as laid down in the regulatory technical standards (RTS) on strong customer authentication.
Fraud Prevention Services as a part of PSD2
Strong Customer Authentication (SCA) is a mandatory security requirement introduced with Phase 1 of the Payment Services Directive 2. It requires that a payer be authenticated with at least two independent elements, independent meaning that the breach of one element must not compromise the reliability of the others. Payment providers choose from three categories:
- Something the customer knows (e.g. a password or PIN)
- Something the customer has (e.g. a registered mobile phone or a payment card)
- Something the customer is (e.g. a fingerprint or face scan)
Ultimately SCA is meant to reduce fraud in customer-not-present (remote) transactions. For remote payments the RTS also require dynamic linking: the authentication code must be tied to the specific amount and payee the customer approved, so a code captured for one payment cannot authorise a different one. SCA is implemented by payment service providers, but businesses must make sure their providers comply or risk declined payments and regulatory penalties, and must ensure it is implemented in a way that meets the regulatory technical standards for PSD2 without adding unnecessary friction at checkout.
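As an added illustration (example code written for this page, not IDMERIT's or any payment provider's implementation), the following Python sketch shows the two rules a server enforces before approving a remote payment under SCA: at least two verified elements from different categories, and, from the RTS on SCA, dynamic linking of the approval code to the exact amount and payee. The device key, transaction ID, payee names and amounts are constructed for the demo, and the HMAC-based code is one simple way to realise dynamic linking, not a prescribed format.

```python
# Added example (not IDMERIT's or the PSD2 text's own code): a minimal
# server-side SCA check for a remote payment. It enforces the two-independent-
# elements rule and the RTS "dynamic linking" rule: the approval code must be
# bound to the exact amount and payee, so a code captured for one payment
# cannot authorise another. Keys, names and amounts are constructed for the demo.
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
    POSSESSION = "possession"  # something the customer has (registered phone, card)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


@dataclass(frozen=True)
class Element:
    name: str
    factor: Factor
    verified: bool  # did the element's own check (PIN match, device signature...) pass?


def sca_satisfied(elements):
    """True if at least two *verified* elements come from *different* categories.

    A password plus a security question is two elements but one category
    (knowledge), so it does not count as SCA.
    """
    categories = {e.factor for e in elements if e.verified}
    return len(categories) >= 2


def dynamic_link_code(device_key: bytes, txn_id: str, amount_cents: int, payee: str) -> str:
    """Authentication code tied to this transaction (HMAC-SHA256 over its fields).

    In a real deployment device_key would be a per-device key provisioned at
    enrolment that never leaves the customer's possession element.
    """
    msg = f"{txn_id}|{amount_cents}|{payee}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_remote_payment(device_key, txn_id, amount_cents, payee, presented_code, elements):
    """Server-side decision: returns (approved, reason)."""
    if not sca_satisfied(elements):
        return False, "fewer than two independent SCA elements verified"
    expected = dynamic_link_code(device_key, txn_id, amount_cents, payee)
    # Constant-time compare: do not leak how many hex digits matched.
    if not hmac.compare_digest(expected, presented_code):
        return False, "code is not linked to this amount and payee"
    return True, "approved"


def demo():
    """Constructed scenarios; returns a dict of (approved, reason) outcomes."""
    device_key = b"constructed-per-device-key-0123456789"  # constructed demo key
    txn = "TXN-0001"
    two_factors = [
        Element("PIN", Factor.KNOWLEDGE, True),
        Element("registered phone", Factor.POSSESSION, True),
    ]
    knowledge_only = [
        Element("password", Factor.KNOWLEDGE, True),
        Element("security question", Factor.KNOWLEDGE, True),
    ]
    # The customer approves 50.00 to ACME on their phone.
    code = dynamic_link_code(device_key, txn, 5000, "ACME")
    return {
        "honest": verify_remote_payment(device_key, txn, 5000, "ACME", code, two_factors),
        # An attacker alters the amount in transit; the captured code no longer matches.
        "amount_tampered": verify_remote_payment(device_key, txn, 50000, "ACME", code, two_factors),
        # An attacker redirects the payee.
        "payee_tampered": verify_remote_payment(device_key, txn, 5000, "EVIL", code, two_factors),
        # Two knowledge elements only: not SCA, rejected before the code is even checked.
        "knowledge_only": verify_remote_payment(device_key, txn, 5000, "ACME", code, knowledge_only),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:16} {'APPROVED' if ok else 'REJECTED':8} {reason}")
```

The point of the tampering cases is that capturing or phishing the approval code is not enough on its own: because the code is computed over the amount and payee, the attacker would also have to make the customer approve the attacker's amount and payee, which is exactly what dynamic linking is meant to force.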
Breaking Down SCA Requirements
Under Strong Customer Authentication requirements, payment providers may authenticate users with something the customer knows, also called knowledge-based authentication (KBA). As previously discussed on this blog, passwords, PINs and security questions have become less secure over time. Consumers manage a large number of passwords (an average of 23 for those aged 55 and over, versus 5 for those aged 18 to 20), and passwords and security-question answers exposed in data breaches circulate freely on the dark web. With that data a criminal can take over a customer account and bypass any control that rests on KBA alone, so businesses should not rely on KBA to secure their accounts.
SCA also allows the possession element, something the customer has, such as a registered mobile phone, typically proven with a one-time code or an in-app approval. This is the classic second factor of two-factor authentication, but it is not foolproof: one-time codes sent by SMS can be intercepted or redirected (SIM swapping is the common case), and real-time phishing sites simply relay whatever code the victim types into them. On its own, a possession element is therefore not a strong guarantee of the customer's identity.
Under SCA, customers can also authenticate with something they are: biometric data. Biometrics are not perfect, but of the three categories they are the hardest to defeat at scale. Bypassing them takes real effort, such as fabricating a 3D replica of a fingerprint, and for most ordinary consumers that effort is not worth it to a criminal. Two caveats a practitioner should keep in mind: on consumer devices the biometric match usually happens locally and unlocks a key bound to the device, so the guarantee is only as good as that device binding; and unlike a password, a compromised biometric cannot be changed.
Is SCA Strong Enough?
One of the main problems with PSD2 is that it still permits authentication methods that are known to be weak. As we are all too familiar with, data breaches have occurred around the world in growing numbers while businesses relied on these outdated measures. Although PSD2 has good intentions, it does not fully address the modern security problems businesses face in protecting consumer data. The question becomes: do regulators want businesses simply to meet PSD2 requirements, or actually to prevent fraud?
SCA requires businesses and payment service providers to use two of the three categories above to be compliant. Yet two of the three, knowledge and possession as they are commonly deployed, are not sufficiently effective at fighting fraud and mitigating risk in this day and age. A company that meets SCA with a password plus an SMS one-time code, for example, remains exposed to phishing and code interception.
SCA should require all businesses to include biometric authentication in their security procedures, and then add one of the other two categories on top, producing a layered approach that meets real-world standards for security. Fraud is harder to commit against such a multilayered system, because a criminal is far less likely to bypass several independent controls than a single one.
Conclusion
At IDMERIT, we specialize in authenticating users during onboarding. During online account opening, we verify and validate new customers through our IDMkyc and IDMscan services. While that is our main focus, we also offer a fraud prevention service, IDMdevice, that helps fight fraud during the transaction itself. IDMdevice uses behavioral biometric data and device data to assess whether a device is likely to be used to commit fraud. This type of technology is well suited to businesses looking to become Payment Services Directive 2 compliant.