A recent meeting I had with a major analyst firm confirmed my suspicions about the poor state of readiness of online merchants ahead of the upcoming PSD2 SCA deadline. Research back in March suggested that 25% of merchants were unaware of the requirements, with the majority unsure whether they’d be ready for the September 14 deadline. It’s not clear whether this is down to the fact that progress towards open banking in the UK has been lacklustre overall, or whether there is still confusion around a directive spanning various countries and deadlines.
As fraud looms larger, keeping customer transactions safe and simple is mandatory, for both regulation and reputation
As fraudulent activity becomes more prevalent, adopting a stronger approach to customer authentication goes beyond regulation and into basic security hygiene. In light of today’s constant flow of data breaches, the goal is to keep consumer data safe without impeding the payment process. Billions of breached credentials are in circulation, and relying on a password alone as proof of a user’s authenticity is woefully inadequate.
The building blocks of stronger customer authentication
Strong Customer Authentication (SCA) requires that a combination of two factors, chosen from three, is used to strengthen and secure payment transactions in a customer-friendly way. Knowledge, possession and inherence are the three ‘factors’, or means of establishing a customer’s authenticity: something they know, something they have and/or something they are. Biometrics – whether face, voice or other – have been embraced wholeheartedly by consumers as a way to secure devices and access secure applications, so it makes sense for them to serve as the third factor for stronger authentication.
Combining two factors – such as something one has (a secure device) and something one is (via face, voice or fingerprint, for example) – is far stronger than a single factor. Knowing a password is binary – a yes/no input – yet organisations still place far too much emphasis on it as a security indicator. Coupled with the fact that consumers have a low tolerance for security friction, often reusing passwords across multiple sites for convenience, it is no wonder that many companies are looking to ditch passwords for good.
The PSD2 SCA deadline is driving the risk-based decision making paradigm
In recognition of the issue, organisations have moved from a rules-based to a risk-based authentication model, using advances in biometric technology to build more complex risk calculations that can be modelled more accurately around the normality, size and impact of a transaction. Lower acceptance thresholds can now be set, for example, for smaller or more ‘normal’ payments, whereas larger or unusual transactions face a much more stringent threshold. This makes it easier for customers to pay simply and securely, with minimal friction.
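As an added illustration of the risk-based model described above (example code, not the author’s or MYPINPAD’s), the following Python sketch scores a payment against a customer’s constructed payment history and decides how many of the three SCA factors to demand. All weights, thresholds and the history are assumptions chosen for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed thresholds; a real deployment tunes these to its own fraud data.
HIGH_VALUE = 500.0   # absolute amount above which risk always rises (impact)
STEP_UP = 20         # score at or above which two factors are required
FULL_SCA = 60        # score at or above which all three factors are required

@dataclass
class Transaction:
    amount: float
    payee_known: bool      # payee already seen in this customer's history
    device_trusted: bool   # device passed integrity/binding check (possession)

@dataclass
class CustomerProfile:
    past_amounts: list     # constructed history used as the "normal" baseline

def risk_score(tx: Transaction, profile: CustomerProfile) -> int:
    """Score how far a payment departs from the customer's normal pattern."""
    baseline = mean(profile.past_amounts)
    spread = pstdev(profile.past_amounts)
    # Normality/size: how many standard deviations above the customer's usual spend.
    if spread > 0:
        z = (tx.amount - baseline) / spread
    else:
        z = 0.0 if tx.amount <= baseline else 99.0
    score = 0
    if z > 3:
        score += 40
    elif z > 1:
        score += 20
    if not tx.payee_known:
        score += 25
    if not tx.device_trusted:
        score += 30
    if tx.amount >= HIGH_VALUE:
        score += 20
    return score

def required_factors(score: int) -> frozenset:
    """Map a risk score to the SCA factors the customer must present."""
    if score >= FULL_SCA:
        return frozenset({"knowledge", "possession", "inherence"})
    if score >= STEP_UP:
        return frozenset({"possession", "inherence"})
    return frozenset({"possession"})  # low risk: device binding alone, no extra friction

def authenticate(tx: Transaction, profile: CustomerProfile, presented: set) -> tuple:
    """Return (required factors, approved). Put 'inherence' in `presented` only
    after the biometric match and its liveness check have both succeeded."""
    required = required_factors(risk_score(tx, profile))
    return required, required <= set(presented)
```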
Of course, fraudsters are quick to adapt too. Technology has had to evolve to ensure that high-quality images or videos cannot be substituted for a person’s face, with liveness checks and anti-spoofing now built into quality biometric authentication products.
Staying ahead of fraud in a user-friendly way with triple factor authentication
The strongest of the myriad vendor solutions available will be those that go beyond two factors and combine all three – knowledge, possession and inherence – into a single, PSD2-compliant step. Checking the integrity of the device, together with the knowledge factor – in this case, a PIN – and a biometric authentication step, uses all three factors in one user-friendly process. That’s why we have partnered with MYPINPAD to provide the inherence factor for its leading device-plus-PIN solution. Triple factor authentication is now available through a PCI SPoC (Secure PIN on Consumer off the Shelf Device) platform, and its developer sandbox means that a best-in-class solution, fully compliant with PSD2, is ready for testing and deployment right now.