Strong authentication enforced by PSD2 – opportunity or conversion killer?

As everybody interested in payments and banking already knows, the EU Payment Services Directive, popularly PSD2, has stirred a lot of attention among many parties even before its enforcement, planned for next year (2018).

That is because it could transform the payments industry, affecting everything from the way we pay online to what information we see when making a payment. The purpose of the Directive is to increase competition in an already competitive payments industry, bring new types of payment services into scope, and enhance customer protection and security. Moreover, the idea is to level the playing field for payment service providers, to make payments safer and more secure, to protect consumers, and to liberalize the market and encourage lower prices for payments. And all of this regulation applies to all electronic payments, not just online payments.

In practical terms this means banks will need to open up, through a standardized interface (API), to so-called Payment Initiation Service Providers (PISPs). You will then be able to make payments outside your bank’s mobile or Internet banking application, which traditionally was the only place such payments were possible. In effect, you could have just one app from which to make payments from your multiple, aggregated bank accounts.

So basically, a new start-up company, as a new market player, could build an advanced payments app that becomes your one-stop payments and banking app, making your previously monopolized mobile banking app much more replaceable. But what about security, you may ask: which can you trust more, your bank’s app or a new start-up’s app? For this reason the European Banking Authority (EBA) published, in February 2017, a detailed (final draft) document known as the Regulatory Technical Standards (RTS). More specifically, the RTS specifies Common and Secure Open Standards of Communication and, more importantly, Strong Customer Authentication (SCA), with which third-party payment service providers must comply to ensure that payments across the EU are secure, easy and efficient.

What specifies Strong Customer Authentication (SCA)?

The scope of SCA covers the cases where the payer accesses its payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel which may imply a risk of payment fraud, together with the exemptions from these. SCA is not enforced when the payee initiates the payment, as in, say, the case of recurring (subscription) payments.

In order to understand SCA fully it is necessary to define key parties involved, and these are:

  • Account Servicing Payment Service Providers (ASPSP) – consumer’s bank, current issuer,
  • Payment Initiation Service provider (PISP) – initiates the payment process, seller (merchant) or PSP,
  • Account Information Service Provider (AISP) – consolidates customer’s “cross-bank” data.

Now the question arises: on which side is authentication enforced? The answer is not straightforward. By default it is the consumer’s bank, but the bank may also choose to place it on the PISP’s side.

Authentication always generates an authentication code, and the scheme requires at least two out of three factors to be fulfilled:

  • something you know,
  • something you have and
  • something you are.

This means that a plain username/password falls short right from the start.
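To make the two-out-of-three rule concrete, here is an added example (written for this post, not code from the EBA, the RTS, or any bank) of how a server could verify factors and issue an authentication code. It assumes a constructed user record, a constructed device key for a time-based OTP as the "something you have" factor, a stand-in string match for the biometric factor, and a constructed server key for deriving the code; the user name, the `USER_DB` layout and the `strong_customer_authentication` function are all hypothetical. The check the example enforces, and which plain username/password fails, is that the satisfied factors must come from two *distinct* categories: two knowledge factors do not count.

```python
import hashlib
import hmac
import time

# The three factor categories listed above.
KNOWLEDGE = "knowledge"
POSSESSION = "possession"
INHERENCE = "inherence"

# Constructed demo record for one payer. A real bank would keep the password
# hash and the device key in a hardened store; plain values here are for
# illustration only.
_PASSWORD_SALT = b"constructed-salt"
USER_DB = {
    "alice": {
        "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _PASSWORD_SALT, 100_000),
        "device_key": b"constructed-device-secret-key",   # shared with the registered device
        "biometric_template": "fp-template-alice",        # stand-in for an enrolled template
    }
}

# Constructed server-side key used to derive the authentication code.
SERVER_KEY = b"constructed-server-authcode-key"


def device_otp(device_key: bytes, now: int, step: int = 30) -> str:
    """Time-based 6-digit code the payer's registered device would display
    (HMAC over the current 30 s window, truncated to six digits)."""
    counter = (now // step).to_bytes(8, "big")
    digest = hmac.new(device_key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def verify_knowledge(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, record["password_hash"])


def verify_possession(record: dict, otp: str, now: int) -> bool:
    # Accept the current and the previous window to tolerate small clock drift.
    return any(hmac.compare_digest(device_otp(record["device_key"], now - d), otp) for d in (0, 30))


def verify_inherence(record: dict, biometric_sample: str) -> bool:
    # Stand-in for a biometric matcher; real matchers return a similarity score.
    return hmac.compare_digest(biometric_sample, record["biometric_template"])


def strong_customer_authentication(user: str, factors: list, transaction_id: str, now=None):
    """Verify every presented (category, value) pair and return an authentication
    code only if at least two distinct categories succeeded; otherwise None."""
    record = USER_DB.get(user)
    if record is None:
        return None
    now = int(time.time()) if now is None else now
    satisfied = set()
    for category, value in factors:
        if category == KNOWLEDGE and verify_knowledge(record, value):
            satisfied.add(KNOWLEDGE)
        elif category == POSSESSION and verify_possession(record, value, now):
            satisfied.add(POSSESSION)
        elif category == INHERENCE and verify_inherence(record, value):
            satisfied.add(INHERENCE)
    if len(satisfied) < 2:          # e.g. password + PIN is still one category
        return None
    # The authentication code is an HMAC over the payer, the categories used and
    # the transaction it authorizes, so it is useless for any other payment.
    message = f"{user}|{','.join(sorted(satisfied))}|{transaction_id}".encode()
    return hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    clock = 1_700_000_000  # fixed clock so the demo is reproducible
    otp = device_otp(USER_DB["alice"]["device_key"], clock)
    print("password + device OTP:",
          strong_customer_authentication("alice", [(KNOWLEDGE, "correct horse"), (POSSESSION, otp)], "txn-1", clock))
    print("password only (one category):",
          strong_customer_authentication("alice", [(KNOWLEDGE, "correct horse"), (KNOWLEDGE, "correct horse")], "txn-1", clock))
```

The same structure applies whichever party runs it (the bank by default, or the PISP when the bank delegates): the code is only issued once two independent categories have verified, and it is bound to the specific transaction so it cannot be reused.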

SCA – opportunity or payment conversion killer?

While the final RTS on Strong Customer Authentication (SCA) seems to cover a lot of ground, it ultimately leaves many questions unanswered. This means the actual implementation of a payment may differ from provider to provider.

From the user’s standpoint this largely depends on the user experience (UX) a user will have, and aside from liberalizing the payments market, improving UX is an original intention of the Directive. From the bank’s standpoint, it depends on what level and method of authentication security the bank already has and how that can be translated into the SCA norm. And finally, from the PSP’s standpoint it all depends on how tight and seamless the integration with the bank will be.

For example, in a scenario where the bank already has a mobile soft token solution in place and this is nicely integrated with the other involved parties, the result could be a really snappy, express payment, with the user required to enter only a short PIN. In other scenarios, and there may be hundreds of combinations, things could be much less than ideal and much more cumbersome.

In the end, PSD2 and SCA are a good direction for the future of payments, but their adoption and popularity will largely depend on the user and the experience. And this will, again, depend on implementation which, as of now, is still just a technical document and only in the coming year will become reality.