Traditional browser-based online banking will eventually lose market share to mobile devices with the ability to perform real-time transactions. While cash is currently the most direct way of paying for products and services, it could soon be a thing of the past. Michael Lynch, Chief Strategy Officer at InAuth, writes

The terms PSD2, EBA, 2FA, and Article 97 might appear at first glance to be typical regulatory jargon, but make no mistake; they have huge implications in the world of digital payments. What do they all mean?

The European Banking Authority (EBA) is poised to issue a new round of regulations and requirements in their annual Payment Services Directive (PSD2). This edict regulates payment services and payment service providers throughout the European Union. In short, it is a big deal. As written, PSD2 extends and accelerates many of the existing trends in European banking and online retail. This includes regulations encouraging non-traditional parties to participate in payments and accelerates competition within the banking com-munity through multi-banking.

In this new PSD2 system, users will interface with banks through portals that consolidate all of their banking accounts, thereby forcing the banks into commodity-style competition. These trends are good news for consumers but have got security professionals on edge. The pros know a network is only as secure as its weakest link and the introduction of third party portals could potentially compromise it for everyone. With this in mind, Article 97 of PSD2, due out in a few months, is expected to require strong two-factor authentication (2FA) on all online transactions.

The importance of strong 2FA

2FA is a method of confirming a user’s claimed identity by using a combination of two different components. These com-ponents may be something the user knows, possesses, or an attribute that is inseparable from the user’s identity. Using a combination of two components from this list forms the backbone behind strong security. A good example of 2FA in everyday life is withdrawing of money from an ATM. Only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

However, this form of 2FA constitutes relatively weak security and is ineffective against modern threats like phishing and malware. In an effort to stay ahead of fraudsters, modern security standards follow more stringent requirements that rely less on tem-porary identifiers and knowledge that can be guessed. Instead they use more permanent attributes associated with users that cannot be easily changed, altered, or guessed.

The highest form of 2FA security includes the use of biometrics such as finger print or eye scans to ensure the 100% authentication of users. However, since this technology is not yet widely commercially available, 2FA is expected to be made up of the next best thing – a combination of inalterable attributes asso-ciated with the users’ electronic device.

This change represents a major opportuni-ty for mobile technology because the unique identifiers associated with a mobile device can be combined to form security that is stronger than a browser on a PC. Fraudsters just can’t fake it. This unique identifier can then operate as a secure token, authenticating the user’s true identity, adding a layer of security that protects the organisation—as well as their respective customers—during any customer transactions on the device.

Strong security enables frictionless

Financial institutions and online retailers have a conflicted relationship with these pre-dicted changes in security regulations. On the one hand, they realise PSD2 is a good mechanism for reducing fraud. On the other, they expect the new regulations and height-ened security will negatively affect their abil-ity to create a frictionless experience for their customers. Based on past experience, this fear of slow-ing down transactions is understandable.

To many organisations, tighter security means more forms for customers to fill out, more challenge questions, and more passwords for them to remember. Financial institutions and retailers know their customers don’t want these barriers; they just want their transac-tion processed. Slowing the process down unnecessarily is an irritation for customers that puts the entire transaction in jeopardy. In this new paradigm of using permanent device IDs, security enhances the customer experience rather than deterring it.

What makes this possible is that the mobile device itself can serve as a unique identifier. When handled in this fashion, we can look at cybersecurity as a transaction enabler that enhances customer service, rather than as an existing as a barrier. The two no longer have to be mutually exclusive. In the future, cyber-security will aid and assist in the comfort of the user by remaining in the background, quietly greasing the wheels of the transaction.

Positioning for the cashless economy

Organisations that comply by using mobile as a secure 2FA token will be far better posi-tioned for the cashless economy. The chal-lenge will be dealing with the elimination of the lag time that has traditionally been in place for suspicious transactions. Electronic payments have typically required a manual review of potentially fraudulent transactions. That will no longer be the case.

Clearly, a move to faster payments is something everyone – consumers, business-es, financial institutions, and governments – wants to happen. While cash has always been the most immediate form of payment, it is an expensive instrument. The US spends $200bn to keep its cash system working and, according to the European Central Bank, the total cost of cash in the European Union is 1% or more of GDP.

Stronger authentication models put in place now are key to enabling faster pay-ments, eliminating the processing lag and executing the transaction in real-time. Many of the anti-fraud tools and processes used by banks are either performed manually, or are geared around having a built-in time delay. These slower payments processes give insti-tutions more time to detect and prevent pos-sible fraud.

Customers won’t be satisfied with delays. Strong device authentication and risk assess-ment is necessary. Many experts, including the consulting firm Deloitte, are predicting that cash, while still the fastest way to pay for something, could become a thing of the past, with real time payments as its successor.