The big fight brewing over strong customer authentication
Late last year, Visa fired a volley – unlikely to be the last – over new rules that it and all providers of online transactions will soon need to follow as part of the EU’s revised Payment Services Directive (PSD2).
Soon, the European Banking Association (EBA) will reveal the exact Regulatory Technical Standards (RTS). Even before these standards are published and a timetable to implement them is in place, Visa has some doom-laden predictions.
PSD2: far reaching implications
For many big banks and other financial services providers, the work to deal with the implications of PSD2 is already well under way. When these standards are finalised, it will start an 18-month countdown for compliance and adoption across all member states.
What has become apparent in the last few months, is that PSD2 has far wider implications than many had originally considered. Initial conversations centred on how the regulation would open up access to bank accounts and the potential disintermediation of traditional financial institutions. Now the debate has shifted. It’s not just big banks that need to comply, but payment service providers, e-commerce companies, money transfer organisations, P2P lenders and a host of other organisations – including cards schemes. And these firms are vehemently protesting the Strong Customer Authentication (SCA) rules proposed as part of the RTS.
Why would card schemes be worried about SCA? There are reasons they would want to resist PSD2 altogether, as it opens up bank accounts for direct access through instant payments, meaning that payments no longer need to use the card schemes’ “rails” and can bypass them completely. But there is also the experience they and their customers have had with authentication, which is far from positive.
The end of one-click checkouts?
According to Visa and other parties, the RTS imposes an interpretation of SCA that would severely damage businesses. Regarding SCA, Visa has said that the proposal, “if confirmed, will cause inconvenience … with no benefits for consumers” and is “a significant threat to future innovation and Europe’s future growth”.
Many payment service providers operate a risk-based approach to authentication designed to prevent fraud but not put off valuable customers.
Under the rule, they will be forced to deploy two-factor authentication, which can often be onerous, resulting, they argue, in devastating effects on their businesses and the merchants they serve. One-click checkouts would become a thing of the past, many more purchases would be declined and queues at tollbooths would be overwhelming. You can understand their concern.
Linguist Noam Chomsky used the phrase “colourless green ideas sleep furiously” to illustrate how a sentence could be both grammatically correct but also complete nonsense. The banking equivalent could be “I’m pleased to be challenged by 3D Secure again”. As a sentence it works, but no one has ever thought it and no one would ever recognise it as a thought anyone in their right mind could have.
Given its experience with 3D Secure, it’s no wonder that Visa sees additional authentication as something to be feared and resisted at all costs. But the problem with this technology is that it requires users to remember a password that they only occasionally use. For many, the experience of using Verified by Visa will actually be the arduous process of resetting a forgotten password, turning what should be a simple process into something more like an ordeal.
So Visa is right to be worried if it continues down this path and subjects all payments over €10, not just online purchases, to such a challenge. Given the choice between a payment using a debit or credit card and an instant payment direct from a bank account, most customers will opt for the latter if it’s simpler.
As the implications become better understood, there’s a suspicion that a big effort will be made to delay this, with heavy lobbying from some of the industry’s biggest players. Visa’s scaremongering, including a poll that suggested half of consumers would just abandon transactions if more steps were included, is just part of this effort.
SCA should be embraced, not feared
Even though industry leaders will be lobbying for watered-down legislation, they seem to be preparing for the worst by making strategic acquisitions that could help them meet the demands of SCA. Visa has acquired Cardinal Commerce, a US authentication provider specialising in card-not-present transactions, and American Express has bought InAuth to help beef up its security.
So while Visa and others are pushing back on the adoption of SCA and have said that they are willing to bear the fraud costs of not implementing it, they are also hedging their bets by preparing for the regulation to pass in its current form.
The smartest payment players and merchants will embrace stronger authentication and market it as a benefit for consumers. Consumers are more than happy to access their devices and secure transactions with short PINs and, increasingly, to use fingerprints, eye scans and facial recognition. These authentication methods meet the requirements of SCA without overburdening the consumer and inviting shopping cart abandonment.
SCA, as a concept, is not something that should be feared or derided. But certain approaches to it, those involving passwords and poor user experiences, should be avoided. The industry as a whole is embracing the long-overdue security and protection that SCA brings. But it should also commit to implementing it in a way that means consumers are not hindered with onerous experiences.
Scaremongering about tollbooth queues reminds us that we should take authentication as seriously as other safety advances – it takes an extra step for drivers to put on the seat belt, but they would not buy a car without one now.
By Thomas Bostrøm Jørgensen, CEO of Encap Security