Episode 100 – Strong Customer Authentication – Russ Jones, Glenbrook Partners
For a nanosecond, about seven years ago, I thought the payments industry was entering a steady state where change, while sure to be accelerated by technology, was going to settle down to the familiar sedate pace the payments industry had taken for decades.
Hah! Payments industry evolution has leapt forward since then based on, yes, technology, but also new rules, regulations, business models, and changes in attitude toward how money moves, security, and privacy.
One major trend I didn’t anticipate then was the global phenomenon of faster payments, now in active implementation or operation in some 40 countries around the world. Another, of course, is cryptocurrencies but I’ll leave that one alone for now.
The emergence of faster payments is a function of new technology with new transaction switching infrastructure and (mostly) a common messaging standard in the form of ISO 20022. But it’s also a function of rules and market response.
Even in the United States, a nation whose payments strategy is largely set by competitive forces, the central bank has had significant influence in launching new settlement capability. (And now, the Fed is planning to build its own version).
Europe and India are standouts when it comes to government guidance and strategy setting for banking and payments systems.
The European Union’s active role in evolving payments policy is recently expressed in the second Payment Services Directive (PSD2).
PSD2 has chosen to address one of the most vexing digital security challenges: strong customer authentication or SCA. Article 4(30) of the directive defines SCA as:
“an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”
For anyone familiar with authentication requirements, this is hardly a novel approach. For the payments ecosystem, however, it is a sea change.
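To make the definition concrete, here is a small Python model of the Article 4(30) test. It is an added illustration, not code from the podcast or from Glenbrook, and it makes two simplifying assumptions that are not PSD2 text: each element is tagged with the `device` an attacker would have to compromise to capture it, and two elements count as independent when they sit on different devices or when at least one of them is isolated in a separate execution environment on a shared device (a rough reading of the EBA's multi-purpose device rule). The scenario names and constants are constructed for the example.

```python
"""Added example (not from Glenbrook or the podcast): a model of the PSD2
Article 4(30) SCA test. The `device` and `isolated` attributes and the
independence rule are assumptions of this example, not regulatory text."""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    # Assumption: the thing an attacker must compromise to capture or replay
    # this element (a phone, a laptop, a chip card, the user's own memory).
    device: str
    # Assumption: True when the element lives in a separate execution
    # environment on that device (secure element / TEE), so malware on the
    # device's main OS does not get it.
    isolated: bool = False


def independent(a: Element, b: Element) -> bool:
    """'The breach of one does not compromise the reliability of the others':
    different devices, or a shared device with at least one element isolated."""
    return a.device != b.device or a.isolated or b.isolated


def meets_sca(elements):
    """Return (ok, reasons). ok is True only if some pair of elements comes
    from two different categories AND that pair is independent."""
    reasons = []
    categories = {e.category for e in elements}
    if len(categories) < 2:
        reasons.append("only one category present: " +
                       ", ".join(sorted(c.value for c in categories)))
        return False, reasons
    good_pairs = [(a, b) for a, b in combinations(elements, 2)
                  if a.category != b.category and independent(a, b)]
    if not good_pairs:
        reasons.append("two categories, but no pair of them is independent: "
                       "one compromised device yields both")
        return False, reasons
    return True, reasons


# Constructed scenarios for the example.
CHIP_AND_PIN = [
    Element("EMV chip card", Category.POSSESSION, "card", isolated=True),
    Element("PIN", Category.KNOWLEDGE, "cardholder memory"),
]
PASSWORD_AND_SMS_SAME_PHONE = [
    Element("password typed into banking app", Category.KNOWLEDGE, "phone"),
    Element("SMS one-time code", Category.POSSESSION, "phone"),
]
PASSWORD_ON_LAPTOP_AND_SMS = [
    Element("password typed into browser", Category.KNOWLEDGE, "laptop"),
    Element("SMS one-time code", Category.POSSESSION, "phone"),
]
PASSWORD_AND_SECURE_ELEMENT_KEY = [
    Element("password typed into banking app", Category.KNOWLEDGE, "phone"),
    Element("device-bound key in secure element", Category.POSSESSION, "phone",
            isolated=True),
]
PASSWORD_AND_SECURITY_QUESTION = [
    Element("password", Category.KNOWLEDGE, "cardholder memory"),
    Element("mother's maiden name", Category.KNOWLEDGE, "cardholder memory"),
]


def evaluate_all():
    """Evaluate every constructed scenario; returns {name: (ok, reasons)}."""
    return {
        "chip and PIN": meets_sca(CHIP_AND_PIN),
        "password + SMS OTP, same phone": meets_sca(PASSWORD_AND_SMS_SAME_PHONE),
        "password on laptop + SMS OTP": meets_sca(PASSWORD_ON_LAPTOP_AND_SMS),
        "password + secure-element key": meets_sca(PASSWORD_AND_SECURE_ELEMENT_KEY),
        "password + security question": meets_sca(PASSWORD_AND_SECURITY_QUESTION),
    }


if __name__ == "__main__":
    for name, (ok, reasons) in evaluate_all().items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}" +
              (f"  ({'; '.join(reasons)})" if reasons else ""))
```

The case worth noticing is "password + SMS OTP, same phone": it has two categories on paper, yet fails the independence clause, because malware on that one handset reads the typed password and the incoming SMS alike. The same two elements pass when the password is entered on a different machine, and a phone-only flow passes only when the possession element is anchored in hardware the main OS cannot reach.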
This is also a necessary change. Faster payment systems, where the sender pushes the payment to the recipient, make the sender’s bank responsible for authenticating its accountholders. The accountholder has to prove to her bank that she has the right to access her own account and to initiate a payment.
Unfortunately, phishing and malware make account takeover (ATO) easier than ever. The U.K. has seen an uptick in authorized push payment fraud attributed to ATO.
Therefore, enforcement of multi-factor authentication is seen as a necessary response.
Point of sale transactions already meet the SCA requirement. The card is something you have; the PIN is something you know. That is enough to satisfy SCA, provided the card is a chip card: an EMV chip proves possession with a per-transaction cryptogram, whereas the static data on a mag stripe can be copied and replayed, which is no proof of possession at all. Oh, right, in the U.S., we don't put PINs on credit cards. They do in Europe. We're going to need biometrics in the U.S. (something you are).
PSD2's SCA mandate requires that multi-factor authentication be used whenever a user logs into her bank account or makes an eCommerce payment. Whenever a payer accesses an account online or initiates an electronic payment, SCA has to be applied. There are plenty of exemptions (low-value transactions, trusted beneficiaries, transactions that pass a risk analysis, and the like), but they don't change the point.
Every stakeholder—every bank, every eCommerce site—must comply by doing something they have not done before.
That means a lot of work.
In this Payments on Fire® episode (Episode 100!), I speak with Russ Jones, Glenbrook’s partner in charge of our Payments Education Program and a preeminently insightful payments consultant. Russ takes us through SCA, its relationship to other standards, and the impact of its now somewhat delayed implementation.
Russ concludes the conversation with the rather chilling observation that history is about to repeat itself. The U.S. will experience in the digital arena what the U.S. experienced at the physical point of sale.
When EMV chip cards were mandated in Europe, card fraud at the POS and the ATM migrated to the U.S. Reliant on the static, easily copied data of the mag stripe, the U.S. became a global magnet for magstripe card fraud.
Once SCA becomes broadly implemented in the EU, in 2021 and beyond, online fraudsters will redouble their already considerable attacks on U.S. financial institutions, tech providers, and merchants. While security tools are more common than ever (FIDO-capable smartphones are one example), the U.S. lacks a single entity to mandate and enforce multi-factor authentication in payments.