How Strong Should Customer Authentication Be?


Offering payment solutions is high risk. Moving money always was and always will be. The development of card payments 55 years ago started with an embossed card and paper slips. It didn’t have great security, but it was fit-for-purpose. Over time, the card payment system has developed to allow consumers to make spontaneous payments for almost any value. Anywhere in the world. The simple proposition was updated with new technology and better controls (for example Chip and PIN), remaining fit-for-purpose to meet changing consumer behaviour and to combat criminal behaviour.


However, the same principles have always applied. Payments must be convenient and easy to use but with strong protection to maintain trust. And the system must be actively monitored to maintain control. This is Visa Europe’s approach and it has kept fraud at record low levels of less than 5 eurocents for every €100 spent (0.044% year to June 2015). Nonetheless, whatever we do there will always be risk in payments. It’s the combined actions of all players – card issuers, merchant acquirers and merchants – which allow risk to be effectively managed.

At Visa Europe we believe these new standards must be flexible enough to ensure that new ways to pay remain convenient and secure for consumers in an evolving digital world. And that risk management remains fit-for-purpose to meet changing threats. We need to avoid possible one-size-fits-all regulation. This could result in overly prescriptive requirements, which may restrict innovation in payments and drive payments to less secure environments. Ultimately, this would be detrimental to the growth of the Digital Market.

But this is not just Visa Europe’s concern. On 10 February, with event partner CEPS, we brought together leading policy makers and regulators, retailers, banks, payment service providers and security experts in a room packed to capacity to discuss how to achieve authentication standards for the overall benefit of European citizens, businesses and commerce. Here are three highlights from the day: the need for risk-based authentication, the view that retailers should be able to authenticate, and the need to consider the broader regulatory context.

PSD2 mandates the European Banking Authority to develop standards to deliver strong authentication for all electronic payments. This states that every electronic payment in Europe has to be verified with 2 out of 3 of the following: something you have (i.e. a card), something you know (i.e. a PIN or passcode) or something you are (i.e. a biometric). While there is support for the concept of strong authentication, there is a strong view that this type of authentication will not be required on every occasion. Sometimes, there are better ways to deliver the same results.
