The Ripple Effect: What PSD2 Means for Authentication Standards in the United States


Charles Keenan

Charles Keenan has written about payments since joining the American Banker as a staff reporter in 1997, a time when automated teller machines were appearing just about everywhere but people's living rooms thanks to the relaxation of surcharging rules.


Europe's move to set up stricter requirements for authenticating online payments puts it ahead of the United States on regulation, yet American banks, vendors and merchants aren't off the hook. In fact, the potential for fraud migration should put all parties on red alert.

In Europe, bank card and payments providers are required to meet the new authentication standards by Sept. 14, 2019, as part of the second Payment Services Directive, or PSD2. The regulatory framework is an extensive directive that could revolutionize the payments industry, requiring banks to share data with third-party providers. The directive also spells out new authentication requirements for banks and payment providers.


As PSD2 compliance ramps up there, expect online fraudsters to migrate to places without such strict requirements, such as – you guessed it – the United States. "It will put some additional pressure to introduce new measures in the U.S. market," says Ron van Wezel, a senior analyst at Aite Group.

You may think this all sounds familiar, and you'd be right. Think of how criminals shifted their focus to U.S. merchants when EMV was adopted in Europe more than a decade ago. That led to higher counterfeit fraud rates with cards in the United States. Yet those rates plummeted once merchants enabled their terminals to accept chip cards. For example, counterfeit fraud fell among these merchants for a 30-month period ending in March 2018, according to Visa.

Just as fraudsters found it tough to copy cards in Europe after the introduction of EMV, they'll face a tougher challenge getting away with online theft when they face more sophisticated authentication techniques. As part of PSD2, card issuers and payment providers in Europe will be required to use Strong Customer Authentication (SCA). SCA is a new way of authenticating online payments, which will require the transactions to be verified using two of the following three methods:

  1. Knowledge: This is something only the user knows, such as a password or PIN. It does not include a card number, CVV or expiration date.
  2. Possession: This is something only the customer possesses, such as a mobile phone, hardware token or other device.
  3. Inherence: This is something that the customer is, drawing on technology with biometrics such as fingerprinting, iris scans or facial recognition. Keystroke analysis now also qualifies.

Customer friction focus

Yet with increasing authentication levels, what worries merchants most is not fraud, but customer friction, experts note. If a transaction is declined for any reason — such as not being able to authenticate the user — then rejections can lead to lost sales and customer attrition.

"False positives will kill the customer relationship," van Wezel says. "If you are in a competitive market, and you have a loyal customer who is refused for a legitimate transaction, that customer will go somewhere else and might not ever return."


With authentication, the challenge will be to keep friction low while keeping fraud rates down. That's why, regardless of whether U.S. regulators turn up the heat, banks, merchants and vendors across the country will need to increasingly turn to stronger authentication methods, such as biometrics and machine learning, with the primary motivating factor being the fear of losing customers to friction.

"Your favorite merchants will start adopting some of these nuanced and innovative passive biometric types of protections to essentially cut down on fraud," says Patrick Reemts, vice president, originations and authentication at TSYS. "But they will do it mostly to make sure that people can click to purchase without any friction. That's the Holy Grail."

Many banks have started using voice and face recognition, but more is needed, says Ant Allan, research vice president at Gartner Inc. "[Users will be] interacting with the phone in a familiar way," he says. "[They] are speaking into the phone or taking a selfie, [which is] not particularly unusual."

Don't wait for regulation

Providers need to be working on this now, and not wait for any regulatory decrees in the United States. By the end of 2020, 90 percent of large enterprises and 60 percent of mid-size ones will employ rich analytics and adaptive authentication techniques, according to Gartner. By the end of 2021, authentication vendors lacking machine-learning capabilities will lose market share.

To resolve the tension between the need for robust and resilient identity and access management, security and risk management leaders should openly embrace innovation in the market, emulating or using technology from what Allan calls "cool vendors." He points to AimBrain, which uses deep learning (with evolutionary algorithms that "learn" as they go) in combination with face and voice recognition.

Another innovator is Futurae, which offers a zero-touch authentication mode by using ambient sound and ultrasound to confirm the proximity of customers' phones to their PCs or tablets. Similarly, UnifyID provides an 'always-on' monitoring of human activity through mobile devices, incorporating handling dynamics and gait, based on the phone's motion sensors and other signals.

All of these modern approaches will help providers negotiate the delicate balance between fraud control and friction. Just don't wait for a PSD2-like directive to be implemented in the United States. The market leaders will be proactive and better prepared to tackle future obstacles.

The statements and opinions of the writer do not necessarily reflect those of TSYS.


His work at the American Banker included writing about credit and debit cards, merchant processing, and bank stocks. He later freelanced for the Banker and industry publications such as Banking Strategies, Bank Director, Community Banker, and U.S. Banker. He also writes about investing, insurance and health care, and is based in Los Angeles.
