Despite delay, merchants lack tools for PSD2 compliance
Even though security vendors and payments providers are telling merchants they are ready to provide compliance for transaction authorization in time for Europe's Payments Service Directive update (PSD2) deadline on Sept. 14, a significant challenge remains in the learning curve and technology needs for merchants.
The U.K.'s Financial Conduct Authority admitted as much in granting a migration period of 18 months without noncompliance fines for the Strong Customer Authentication provision of PSD2.
The grace period is based, in part, on the European Banking Authority's opinion, released less than three months ago, that 3D Secure 2.0 did not include data points related to biological or behavioral biometrics, and had a slower authentication process by a few seconds than what PSD2 was seeking for e-commerce.
The SCA migration period gives security providers and merchants time to establish where 3D Secure 2.0 will fit alongside other security measures.
It has caused providers touting 3D Secure 2.0 as a key authorization tool for the directive's SCA provision to also educate merchants that the migration period provides time to make sure 3DS, when combined with other security layers, carries all of the authorization tools SCA calls for with electronic payments.
The migration period essentially says the U.K. regulators won't be penalizing those not in total compliance with the SCA provision for more than a year after the official Sept. 14 deadline.
"The reason for the migration period is that the merchant community is far from ready to make the transition," said Ron van Wezel, a senior analyst with Aite Group based in the Netherlands. "The U.K. regulator has agreed to the migration period, and other countries have also indicated to refrain from a 'big bang' scenario for SCA, with a few exceptions such as Finland, which is already used to SCA standards."
3D Secure 2.0 is the solution the payments networks push for complying with SCA, but it has not been implemented by many as of yet, Van Wezel said. "That's why the delay is very important to avoid a disaster in customer experience when SCA is introduced."
The SCA essentially requires multifactor authentication for online payments, the initiation of an electronic payment transaction or any payment action taken through remote channels that represent fraud risks.
From that standpoint, SCA is not requiring methods the payments industry has not addressed in the past, or has tried to ingrain in the networks with regularity. It seeks authentication based on two or more elements that include something the user knows (passwords, security questions), something only the user possesses (mobile device, email address, etc.), and something the user is (biometrics).
But e-commerce merchants will need to update the payment networks that originate from their websites and apps in order to support the SCA required authentication methods.
As such, vendors are notifying clients about progress they have made to help ease PSD2 compliance.
Paris-based Worldline says its platform has already applied 3D Secure 2.0 under PSD2 requirements for online merchants in the European Union and Switzerland. Wordline, working directly with merchants, issuers and service providers, says it is among the first payments service providers and acquirers to implement 3D Secure 2.0 through its e-commerce platform.
"The discussion about strengthening layers of defense for transactions is never-ending," said Vincent Roland, CEO of Worldline. "You have to create more complexities to reduce the temptation for fraud and, while that is nothing new, it is new that we are trying to get all merchants on board with 3D Secure 2.0 for stronger authentication."
Because 3D Secure 2.0 covers the SCA provision of having at least two authentication methods, many merchants should find it will satisfy their PSD2 compliance needs. But it doesn't mean merchants won't want other security measures, Roland said.
"With the mobile phone becoming an easy tool for transactions, you have to move to other technologies and there are many things you can do for authentication," Roland added. "The number of tools for mobile is quite large, as you can go to biometrics with your smartphone, or create digital identities in some countries that operate like your bank card."
The Sept. 14 deadline is important for issuers, acquirers and service providers, as they have to be compliant with what they are offering clients.
"If you are servicing a lot of countries, you have to understand what each local market needs," Roland said. "In that regard, 3D Secure is a global tool, one that is in our company's roots. We feel good about going live with it in PSD2, but that doesn't mean that on day one everyone will be ready."
With the use of biometrics being an authentication method that European regulators want to see in the mix, companies providing that technology are singing the praises of both biometric identifiers like fingerprints or facial recognition, but also behavioral analytics.
Companies like BioCatch, BehavioSec, ID Analytics and Neuro-ID are pushing much deeper dives into consumer behavior to help differentiate good customers from bad customers initiating transactions.
"3D Secure 2.0 really has very little to say about biometrics in general and has no specific provision for gathering or analyzing behavioral biometric data," said Jordan Blake, vice president at BehavioSec.
"Having said that, there is room within the defined protocol and issuer-merchant-provider ecosystem to incorporate a wide range of biometric signals that would bolster authentication reliability," Blake said.
The "inherence" guideline of SCA includes behavioral biometrics in identifying a user by the way they type and swipe, and the angle at which they hold a device, among other things.
"In our view, behavioral biometrics is an important means of delivering inherence, not only because it can meet the EBA's guidelines, but because it can do so without adding friction to the user experience," Blake added.
Payment processor and technology provider Total System Services (TSYS) revealed this week it had developed a real-time authentication platform with various partners to deploy in Europe to comply with PSD2.
TSYS is partnering with Featurespace, which offers adaptive behavioral analytics; Emailage, which focuses on email risk assessment and online fraud prevention; InAuth, a digital device intelligence provider; and digital identity authentication network Payfone.
It's another example of authentication and fraud prevention utilizing machine learning to help card issuers make cross-border payments more secure.
Atlanta-based 2Checkout also announced its API-driven platform will comply with PSD2 to help e-commerce merchants selling digital products and recurring services. The company also touts 3D Secure 2.0 as a valuable tool because of its advanced data fields and customer experience improvements over the first version.
2Checkout says it will "correctly apply exemptions" in areas in which PSD2 regulations won't always have to come into play, such as some recurring payments, low-value and low-risk transactions, as well as those between trusted beneficiaries.
As was the case with most regulatory deadlines — from the EMV migration liability shift in the U.S., to the General Data Protection Regulation in Europe — the conversion to full compliance with PSD2 will take some time.
"It is a lot of work," Worldline's Roland said. "Technically speaking, you have to adopt, deploy and make authentication choices. The more global you are, the more complex it is."