The deadline for implementation of PSD2's Strong Customer Authentication (SCA) for online banking is just under a month away.
Companies processing contactless payments will need to meet the conditions by the 14th March 2020. This would include ensuring that all appropriate systems and controls are in place.
Additionally, this date marks a six-month delay to the deadline, allowing an adjustment period for third-party providers (TPPs) to begin accessing Account Servicing Payment Service Providers (ASPSPs) only via application programming interfaces (APIs).
However, until security of consumer data is tightened up as much as possible with the aid of the SCA initiative, it could still hang in the balance.
Jason Tooley, chief revenue officer at Veridium, shed some light on the importance of Strong Customer Authentication when it comes to the security of consumer data.
“A failure to implement Strong Customer Authentication demonstrates a disregard for consumer protection,” he said. “The ever-rising fraud levels are linked to the consumer preference of mobile e-commerce, and regulation must keep pace.
“Now that businesses have had an extended period of six months, in addition to the two years since the initial announcement, there is no excuse to not be compliant.
“Strong Customer Authentication should have been prioritised long ago and viewed as a business differentiator.”
SCA using APIs
It’s important for businesses to implement changes to security in line with SCA without harming the customer experience, especially that of the rising number of customers shopping on mobile devices.
“Mobile phones are already an integral part of the online customer journey, and Strong Customer Authentication doesn’t need to be a clunky, disruptive addition to the customer experience,” said Nabeel Saeed, senior product marketing manager at Twilio. “In the financial space, where fraud and cyber attacks have been front and centre for many years now, companies have already been looking at various authentication methods and have generally settled on mobile app-based push-authentication as the best means of doing so.
“This is because, unlike other forms of 2FA, it only requires a single touch from the user to approve/deny a transaction and can be done in a company’s existing application.
“Using APIs, retail businesses can follow their financial services counterparts by making PSD2-compliant additions to their current model, improving security without negatively impacting the customer experience.”
Hard and soft authentication
One way to go about efficiently applying customer-friendly SCA could be to address a mixture of identity and behavioural factors.
This is according to Chris Stephens, head of fraud & security analytics at Callsign.
“To ensure their systems are ready for SCA, companies must use an authentication tool that incorporates both hard (facial recognition, fingerprints, iris scanning) and soft (behavioural characteristics e.g. how people type, move their mouse or hold their smartphone) biometrics,” said Stephens. “This will allow them to deploy the most appropriate authentication action for the user while maintaining a frictionless user interface, enabling customers to safely make transactions online.”
The advantage of biometrics
The regulation will require businesses to offer authentication via two of the following three elements:
- Password or PIN number
- Smartphone or hardware token
- Biometric authentication
According to Simon Marchand, chief fraud prevention officer at Nuance Communications, the first option is the most risky.
“Today, organisations will be asking themselves: ‘How do we maintain compliance while – at the same time – reduce friction for our customers?’,” he said. “The answer to that is, in our opinion, the ‘something you know’ aspect should be avoided.
“PINs or passwords can be forgotten, often leading to a bad experience. Using biometrics such as voice makes for a seamless customer experience.
“They don’t need to remember something specific and can simply speak a sentence to be authenticated, and their voice can’t be stolen, unlike passwords.
“Deploying biometrics provides an opportunity for organisations to clearly sign-point their commitment to tackling fraud and safeguarding their customers’ information.”
The deadline for contactless payments and improved security for operations from third parties comes in advance of a complete deadline for all payment service operations and start of total active supervision on the part of the Financial Conduct Authority (FCA), which will commence on the 14th March 2021.