The Ripple Effect: What PSD2 Means for Authentication Standards in the United States

Charles Keenan

Charles Keenan has written about payments since joining the American Banker as a staff reporter in 1997, a time when automated teller machines were appearing just about everywhere but people's living rooms thanks to the relaxation of surcharging rules.

Europe's move to set up stricter requirements for authenticating online payments puts it ahead of the United States regulatory-wise, yet American banks, vendors and merchants aren't off the hook. In fact, the potential for fraud migration should put all parties on red alert.

In Europe, bank card and payments providers are required to meet the new authentication standards by Sept. 14, 2019, as part of the second Payment Services Directive, or PSD2. The regulatory framework is an extensive directive that could revolutionize the payments industry, requiring banks to share data with third-party providers. The directive also spells out new authentication requirements for banks and payment providers.

As PSD2 compliance ramps up there, expect online fraudsters to migrate to places without such strict requirements, such as – you guessed it – the United States. "It will put some additional pressure to introduce new measures in the U.S. market," says Ron van Wezel, a senior analyst at Aite Group.

You may think this all sounds familiar, and you'd be right. Think of how criminals shifted their focus to U.S. merchants when EMV was adopted in Europe more than a decade ago. That led to higher counterfeit fraud rates with cards in the United States. Yet those rates plummeted once merchants enabled their terminals to accept chip cards. For example, counterfeit fraud fell among these merchants for a 30-month period ending in March 2018, according to Visa.

Just as fraudsters found it tough to copy cards in Europe after the introduction of EMV, they'll face a tougher challenge getting away with online theft when they face more sophisticated authentication techniques. As part of PSD2, card issuers and payment providers in Europe will be required to use Strong Customer Authentication (SCA). SCA is a new way of authenticating online payments, which will require the transactions to be verified using two of the following three methods:

  1. Knowledge: This is something only the user knows, such as a password or PIN. It does not include a card number, CVV or expiration date.
  2. Possession: This is something only the customer possesses, such as a mobile phone, hardware token or other device.
  3. Inherence: This is something that the customer is, drawing on technology with biometrics such as fingerprinting, iris scans or facial recognition. Keystroke analysis now also qualifies.
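
The two-of-three rule above can be written as a check that a payment flow runs before approving a transaction. This is an added example, not part of the original article or any provider's code; the element names and the `sca_decision` function are hypothetical.

```python
from dataclasses import dataclass

# The three categories named in the list above.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Hypothetical element names, mapped to the article's categories.
ELEMENT_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE,
    "mobile_phone": POSSESSION, "hardware_token": POSSESSION,
    "fingerprint": INHERENCE, "iris_scan": INHERENCE,
    "facial_recognition": INHERENCE, "keystroke_analysis": INHERENCE,
}

# Card data is explicitly excluded from the knowledge category.
CARD_DATA = {"card_number", "cvv", "expiration_date"}


@dataclass(frozen=True)
class Element:
    name: str        # what the customer presented
    verified: bool   # whether the check on that element succeeded


def sca_decision(elements):
    """Return (ok, categories, ignored) for one authentication attempt.

    ok is True only when verified elements cover at least two
    different categories. Card data, unknown elements and elements
    that failed verification are listed in `ignored`.
    """
    categories, ignored = set(), []
    for e in elements:
        category = ELEMENT_CATEGORY.get(e.name)
        if e.name in CARD_DATA or category is None or not e.verified:
            ignored.append(e.name)
            continue
        categories.add(category)
    return len(categories) >= 2, sorted(categories), ignored


if __name__ == "__main__":
    # Constructed attempts: same-category pair, card data only, valid pair.
    print(sca_decision([Element("password", True), Element("pin", True)]))
    print(sca_decision([Element("card_number", True), Element("cvv", True)]))
    print(sca_decision([Element("pin", True), Element("mobile_phone", True)]))
```

A password plus a PIN fails the check because both fall in the knowledge category, and card number plus CVV contributes nothing at all.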

Customer friction focus

Yet as authentication levels increase, what worries merchants most is not fraud but customer friction, experts note. If a transaction is declined for any reason, such as a failure to authenticate the user, the rejection can lead to lost sales and customer attrition.

"False positives will kill the customer relationship," van Wezel says. "If you are in a competitive market, and you have a loyal customer who is refused for a legitimate transaction, that customer will go somewhere else and might not ever return."

With authentication, the challenge will be to keep friction low while keeping fraud rates down. That's why, regardless of whether U.S. regulators turn up the heat, banks, merchants and vendors across the country will need to increasingly turn to stronger authentication methods, such as biometrics and machine learning. The primary motivating factor will be the fear of losing customers to friction.

"Your favorite merchants will start adopting some of these nuanced and innovative passive biometric types of protections to essentially cut down on fraud," says Patrick Reemts, vice president, originations and authentication at TSYS. "But they will do it mostly to make sure that people can click to purchase without any friction. That's the Holy Grail."

Many banks have started using voice and face recognition, but more is needed, says Ant Allan, research vice president at Gartner Inc. "[Users will be] interacting with the phone in a familiar way," he says. "[They] are speaking into the phone or taking a selfie, [which is] not particularly unusual."

Don't wait for regulation

Providers need to be working on this now, and not wait for any regulatory decrees in the United States. By the end of 2020, 90 percent of large enterprises and 60 percent of mid-size ones will employ rich analytics and adaptive authentication techniques, according to Gartner. By the end of 2021, authentication vendors lacking machine-learning capabilities will lose market share.

To resolve the tension between the need for robust and resilient identity and access management, security and risk management leaders should openly embrace innovation in the market, emulating or using technology from what Allan calls "cool vendors." He points to AimBrain, which uses deep learning — with evolutionary algorithms that 'learn' as they go — in combination with face and voice recognition.

Another innovator is Futurae, which offers a zero-touch authentication mode by using ambient sound and ultrasound to confirm the proximity of customers' phones to their PCs or tablets. Similarly, UnifyID provides an 'always-on' monitoring of human activity through mobile devices, incorporating handling dynamics and gait, based on the phone's motion sensors and other signals.

All of these modern approaches will help providers negotiate the delicate balance between fraud control and friction. Just don't wait for a PSD2-like directive to be implemented in the United States. The market leaders will be proactive and better prepared to tackle future obstacles.

The statements and opinions of the writer do not necessarily reflect those of TSYS.

Keenan's work at the American Banker included writing about credit and debit cards, merchant processing, and bank stocks. He later freelanced for the Banker and industry publications such as Banking Strategies, Bank Director, Community Banker, and U.S. Banker. He also writes about investing, insurance and health care, and is based in Los Angeles.