- Thierry Spanjaard
Strong Customer Authentication becomes the norm
While Trustech's coverage has evolved over time, payment still holds a central place among the subjects of interest to visitors and conference organizers alike. Today, the focus was on the evolution of SCA (Strong Customer Authentication), which is part of the PSD2 (Second Payment Services Directive) mandate. Panelists from European authorities, government bodies, financial institutions and private stakeholders shared their experience and points of view on consumer authentication with the audience.
The goal of the regulation is both to reduce fraud and to improve consumer confidence. SCA is a core part of the payment industry's toolbox for reaching these targets. Payment players all over Europe have invested a lot to make SCA a reality. Previous methods, such as 3DSecure, are now marginalized, and two-factor consumer authentication has become the rule for most transactions all over Europe.
However, there is still room for improvement.
For instance, two-factor authentication almost always involves a smartphone. Unfortunately, we cannot take for granted that all consumers are equipped with a smartphone. Solutions have to be found to improve financial inclusion and provide alternative options to those who either have feature phones or do not use a phone at all.
In the eternal race between robbers and policemen, it is interesting to notice that when more steps are imposed to secure transactions, the result is not only an improvement in security but also an extremely fast move by fraudsters to new attack methods. For instance, along with the implementation of SCA, stakeholders have noticed a growth in phishing attempts that try to get control of the authentication means, fraud triggered by an increase in MITs (Merchant-Initiated Transactions), malicious use of exemptions such as the ones given to the Travel and Hospitality sector, fake back-office calls to cardholders, social engineering, …
While all European Member States have now reached a satisfactory level of SCA implementation, which translates into an overall security improvement for all transactions, this has taken place as a juxtaposition of national solutions. As a consequence, cross-border transactions are now less seamless than they were before the implementation of SCA, leading to a higher rate of purchase abandonment.
SCA has also brought a change in the balance of power between different stakeholders. In the past, most merchants conducted their own risk analysis, and most transactions were completed without requiring an authorization. Now, with PSD2 enforcement, the decision to approve a transaction is in the hands of the issuer, which means that merchants are losing a part of their consumer relationship management.
We are only at the beginning of the payment evolution process. More changes are to come, including an increasing role for biometrics: not only fingerprints, but also voice and behavioral biometrics. The integration between digital ID and payments is also undoubtedly becoming tighter: as authentication methods become more widespread, the payment industry has ever more reasons to use them.