After years of delays, the UK has finally joined France, Germany, Italy, and Spain in mandating full compliance with Strong Customer Authentication (SCA) under PSD2 regulations in a drive to tackle online payment fraud, writes Neil Smith
Implementation of SCA compliance has been patchy from the start, with the European Banking Authority permitting national central banks to delay due to the complexity of integrating multi-factor authentication into payment processes and a lack of merchant preparedness. The UK was not the only country to initially delay implementation, though it was the last to fully achieve it.
Now, however, the rate of technological development and increasingly sophisticated customer expectations means that the tools and techniques designed to authenticate genuine transactions and prevent fraud under PSD2 appear inelegant and outdated. As is characteristic of the technology regulatory environment, no sooner has a regulation been implemented than it becomes obsolete – or at least not fit for purpose.
Enter PSD3, the next iteration of the regulation and the subject of much debate. The challenge for the payments ecosystem is to seize the initiative and take an innovative and forward-looking approach to SCA under PSD3, ensuring it is valid over the long term by integrating advanced solutions and solving some of the challenges that PSD2 struggles to address.
Friction in the customer journey = frequent failure
There is no denying that improved security and anti-fraud measures were a critical component of PSD2. The original 2007 Payment Services Directive was designed to integrate the European Payment Market more closely and improve security for European customers in the digital era.
However, it became clear that the original regulation was not sufficiently robust to protect customers undertaking online and mobile payments and, as a result, the requirement for SCA became a component of PSD2, which was originally introduced by the EU in 2015.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Thank you!
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form
By GlobalDataHowever, the consequence of mandatory SCA as defined by the regulatory technical standards of PSD2, is friction in the customer buying journey. Multi-factor solutions such as one-time-passcodes, for example, add further steps to the process, increasing the burden on customers and raising the likelihood of purchase abandonment. This leads to a drop in completed transactions and a consequent loss in revenue opportunity for merchants.
According to a recent Nationwide survey, one in five shoppers abandoned their basket due to the need to verify the purchase through their mobile banking app, for reasons such as not having access to their phone, or no Wi-Fi signal.
On the threat side, the need for more effective fraud prevention is an equally powerful driver. According to Juniper Research, global online payment losses stood at $20bn in 2021, an 18% increase year on year. Similarly, a report from the European Central Bank found that 80% of the value of card fraud in 2019 resulted from Card Not Present (CNP) transactions, creating an estimated €1.5bn in fraud losses – and this was prior to the pandemic.
The pandemic-accelerated shift to eCommerce prompted has increased the volume of opportunities for fraudsters, and the more sophisticated operators are more than capable of circumventing two factor authentication (2FA) by spoofing mobile phone numbers to intercept the one-time-passcodes needed to verify transactions. We are also seeing fraud-as-a-service proliferating as sophisticated actors monetise their abilities, offering simple access for low-skilled fraudsters.
Consequently, PSD3 must simultaneously raise fraud prevention capability to a level commensurate to the escalating threat, but crucially without compromising the buying experience for genuine customers. It should add a level of flexibility for the entire payments ecosystem, allowing customers and merchants control over how transactions are secured. And the speed at which the eCommerce environment is evolving strongly suggests that PSD3 should be scoped and defined as quickly as possible, to avoid becoming obsolete before it can be implemented.
Key considerations for PSD3: analytics, biometrics, and behavioural science
On the issue of reducing friction for customers, the most elegant solution is to remove them from the authentication process as far as possible.
This sounds counterintuitive, but even under the terms of PDS2, card issuers can exempt transactions from SCA where their risk analysis tool determines that they are low-risk. If sufficient intelligence can be gained about the customer, for example by using advanced identity graphs, analytics and machine learning to identify genuine customers based on their history, then the proportion of transactions that can be safely permitted without requiring further authentication steps can be increased considerably. This will create a frictionless experience for more customers, resulting in more successful transactions, more revenue for merchants, and greater customer satisfaction.
Biometric authentication is another route to reducing friction for customers. Factors such as facial, voice, and fingerprint recognition are becoming increasingly deployed as security tools for international travel, for example. As they become familiar to customers, they can smooth the authentication process considerably. We are already seeing major retailers experimenting with biometric solutions, such as ALDI’s trial store in Greenwich which delivers a checkout-free experience using cameras linked to an app to track the products picked up by a shopper and facial recognition with age estimation to authorise age-restricted sales such as alcohol.
The value of behavioural science-linked solutions
More nuanced biometric features based on behavioural science, such as keystroke dynamics, the angle at which a payment service user typically holds their device, or the way they use their mouse, should also form part of PSD3’s permitted customer authentication procedures. These identifiers can be used in conjunction with contextual factors such as IP addresses and geolocation to verify genuine customers without adding unnecessary steps.
Behavioural science-linked solutions are particularly valuable when authenticating mobile device transactions, an area of fast-growing importance given that global m-commerce sales rose 15% in 2021, reaching $359bn.
The beauty of behavioural science tools used in conjunction with biometrics is that the more they are used, the more they learn, gaining a more accurate picture of genuine user behaviour. This means buyers should encounter fewer identity challenges over time. They are also far harder to spoof, creating a greater barrier for fraudsters and thereby achieving the goal of enhanced customer and merchant protection.
A note of caution, however, behavioural and biometric data is intensely private information – it is not something the user can change in the event of a breach, like a PIN or password – therefore its use must be regulated and protected with the highest levels of security as a loss could be catastrophic in terms of identity theft.
Biometrics and behavioural science-based solutions shouldn’t be seen as a silver bullet for authentication. To build confidence and ensure trust it is more likely that biometrics will become one component in a highly sophisticated multi-layered customer verification approach, albeit one that will undoubtedly help smooth the process and reduce friction considerably.
As the industry debates the shape of PSD3, it is crucial that it has scope for the inclusion of advanced and emerging technologies for customer authentication and fraud prevention in order to be fit for purpose and avoid becoming obsolete before implementation. By taking an innovative, forward looking approach, the industry can gain greater control and flexibility over how it manages fraud prevention, simultaneously ensuring better customer experience, and leading to greater loyalty and revenue for merchants.
Neil Smith is Head of Strategic Partnerships, Forter
More of this topic from GlobalData:
Top trends impacting cybersecurity in 2022
Why does cybersecurity matter for businesses?
GlobalData thematic team podcast: The Colonial Pipeline Cyberattack: one year on
Cyber Security Market Forecast & Industry Insight