A new European directive, the Second Payment Services Directive (PSD2), is set to “revolutionise” banking through open data standards across the Union. While the details of how that revolution will play out are still debated across the EU, the technical rules for the systems behind it were published by the European Commission on March 13, 2018.
The Regulatory Technical Standards (RTS) that supplement PSD2 aim to make electronic payments more secure through Strong Customer Authentication (SCA). Under SCA, a customer’s identity is verified using two of three independent factors.
“Something the user knows, like a password, something the user has, like a debit card, and something the user is,” Dr. Steven Murdoch, a Royal Society University Research Fellow in the Information Security Research Group of the Department of Computer Science at University College London and Security Architect at OneSpan Innovation Centre at Cambridge, explained to WikiTribune.
“In the real world that isn’t a problem; chip and pin are two factors. In the online world, you will need something more than a static password, a moving password or a biometric measurement,” said James Thorpe, Head of Communications for Mastercard UK and Ireland.
Mastercard estimates that only 1-2% of online transactions currently require cardholder authentication, and that the figure will rise to 25% from September 14, 2019, when the SCA requirements apply. The exemptions to SCA include transactions of low value,
Linking the physical to the digital
The added layers of authentication will “clutter and create friction in the payment” for the system behind it, according to Thorpe. To this end, Mastercard has set up Identity Check, a biometric solution that banks must at least offer, though not require, if they want to continue offering Mastercard cards. For example, a payer can take a picture of themselves to complete a transaction.
“We are talking about it now because we want banks to start thinking about it as soon as possible so that we have a seamless transition. We have to be up to speed so that the medicine is not too painful for the patient,” Thorpe continued.
Part of the medicine that payment providers and customers alike are keen to take is the “something you are” factor of authentication. This factor measures a physical or behavioural characteristic of the person; in technical terms, a biometric. A study conducted by the University of Oxford in collaboration with Mastercard found that 93% of customers and 92% of industry professionals prefer biometrics to passwords.
On the one hand, customers find it difficult to remember a myriad of passwords. On the other, the industry believes a simpler authentication process will reduce cart abandonment and make shopping easier. Both sides believe biometrics will reduce fraud rates: 83% of users and 76% of industry professionals.
“Initially, the biometrics of SCA were referring to iris scans, fingertip sensors etc. As technologies advanced, this has come to mean behavioural biometrics,” Dr. Murdoch explained. This type of measurement takes a payer’s behaviour into account, such as transaction patterns or keystroke dynamics, and builds the profile of a unique user from their behaviour rather than their physical attributes.
The allure of using behaviour over physical characteristics is simple: not everyone can afford a smartphone with a fingerprint sensor. “This inability to enrol not only limits SCA, but could be considered discrimination,” Dr. Murdoch told WikiTribune. “Banks will have to offer a number of solutions,” Thorpe agreed.
“How behavioural biometrics are implemented depends on the European Banking Authority (EBA),” Dr. Murdoch emphasised, referring to the European body responsible for overseeing PSD2. He continued: “Almost an inevitable consequence of behavioural biometrics is a lack of privacy. The measurements might link people’s activities in a way that they do not want.” According to the Oxford study, 57% of industry professionals believe that as biometrics gain popularity, privacy concerns will become more pronounced.
Widespread use of SCA contributes to the security of transactions through consistency, which gives payment providers a further incentive to adopt it. The more transactions are authenticated under SCA, the more likely it is that a fraudulent payment will be flagged.
The technical aspects of SCA are not perfect in themselves. “There is always a danger of false acceptance and false rejection,” Dr. Lina Dencik, Director of the Data Justice Lab at Cardiff University, emphasised. “Companies which claim to use 500 different measurements of behavioural biometrics do not necessarily offer more robust security. Every added measurement comes with a possibility of statistical error,” Dr. Murdoch explained.
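To make the false-acceptance/false-rejection trade-off and the point about compounding error concrete, here is an added toy example in Python. It is not code from the article, from Mastercard, OneSpan or any of the researchers quoted; the keystroke-timing samples are constructed, the scoring method is a deliberately simple z-score distance, and the names enrol, score, rates and compounded_frr are illustrative.

```python
from statistics import mean, pstdev

# Constructed data (not from the article): inter-key timing intervals in
# milliseconds for three key pairs, used as a toy behavioural-biometric feature.
GENUINE = [[120, 80, 200], [130, 90, 190], [110, 70, 210], [120, 80, 200]]
IMPOSTOR = [[200, 150, 300], [90, 60, 250], [125, 85, 205]]  # the last one types much like the user


def enrol(samples):
    """Build a template of (mean, std) per feature from the genuine user's samples."""
    features = zip(*samples)
    return [(mean(col), pstdev(col) or 1.0) for col in features]


def score(template, sample):
    """Distance from the template: mean absolute z-score. Lower means 'more like the user'."""
    return mean(abs(value - m) / sd for (m, sd), value in zip(template, sample))


def rates(template, genuine, impostor, threshold):
    """False rejection rate (genuine samples scored above the threshold) and
    false acceptance rate (impostor samples scored at or below it)."""
    frr = sum(score(template, s) > threshold for s in genuine) / len(genuine)
    far = sum(score(template, s) <= threshold for s in impostor) / len(impostor)
    return frr, far


def compounded_frr(per_measurement_frr, n_measurements):
    """If each of n independent measurements must pass, and each wrongly rejects a
    genuine user with probability p, the user is rejected with probability 1 - (1-p)^n."""
    return 1 - (1 - per_measurement_frr) ** n_measurements


TEMPLATE = enrol(GENUINE)

if __name__ == "__main__":
    # Moving the threshold trades one error type for the other; it never removes both.
    for t in (0.5, 1.0, 2.0):
        frr, far = rates(TEMPLATE, GENUINE, IMPOSTOR, t)
        print(f"threshold={t}: FRR={frr:.2f} FAR={far:.2f}")
    # Adding measurements that must all pass compounds the false-rejection rate.
    for n in (1, 10, 500):
        print(f"{n} measurements at 1% FRR each: "
              f"{compounded_frr(0.01, n):.1%} of genuine users rejected")
```

With the constructed samples, a tight threshold (0.5) rejects half the genuine sessions and admits no impostor; a loose one (2.0) admits every genuine session but also the impostor whose typing resembles the user's. The compounding function shows the second point: at a 1% false-rejection rate per measurement, requiring all 500 to pass locks out more than 99% of genuine users, which is why production systems fuse scores rather than AND-ing hundreds of independent checks, and tune the threshold to an acceptable balance of the two error rates.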
Errors are part of the deal, and customer awareness could go some way towards reducing them by educating consumers in how to use SCA. Research has shown that consumers often do not follow prescribed behaviour. The RTS place no such obligation on payment providers, and it is unclear whether the EBA plans to introduce one.
If a payer fails to follow the correct steps for SCA, or is misled by a fraudster, they can be held liable on grounds of gross negligence. “Anyone can fall victim to this,” according to Dr. Murdoch. Where a consumer disputes such a finding and seeks to shift liability to the payment provider, it is up to “competent authorities” to resolve the dispute.
“Not everyone has the resources to solve such cases legally, nor do they necessarily have enough trust in the system to do so. Historically, marginalised groups have been reluctant to take such actions,” Dr. Dencik said. “It often goes unsaid, but more often than not there is a close relationship between banks and regulators,” Dr. Murdoch pointed out.
At the same time, the industry recognises that public image will be a determining factor in the adoption of biometrics: 75% identify reputational damage as the main issue.