Contactless pay's only halfway to PSD2 compliance

Register now

The deadline hanging over Europe finally arrived. No, not Brexit, but PSD2’s Sept. 14 mandate for the implementation of strong customer authentication (SCA) has already passed, except for some extensions.

The European law and its implementation by banks has stirred a lot of discussion across the continent — especially in the U.K.

Already leaders in the open banking game, it's unsurprising that the British banking world has raced ahead in implementing — and commenting on — enhancements to their authentication methods.

SCA outlines that strong authentication (a secure way to validate it’s you making the payment) needs at least two of the following: something you know (e.g., your PIN), something you have (e.g. your card), something you are (e.g. biometric ID).

As contactless card payments only have one of these elements, the new rules now mean banks are required to request a PIN is entered after every five contactless payments, or once your payments have totaled £135 (US$170).

Challenger banks in the U.K. such as Revolut and Starling have been especially proactive in their communications on SCA. The message of making contactless more secure is very pertinent in the U.K., a nation with heavy contactless usage where the fear of fraud remains high.

Undoubtedly, SCA mandates will improve security if your card “fell into the wrong hands.” But SCA will also increase friction in some cases. For example, with increased PIN entry requests, contactless may be more secure, but it’s also less convenient.

Revolut has already implemented a method to help combat this, sending mobile push notifications just before you’ll need to authenticate again and enabling consumers to reset their payment limit with fingerprint or Face ID in-app. But that’s not the only way biometrics can help.

Biometric payment cards offer the perfect answer to SCA requirements. By adding strong authentication to the "tap," consumers can benefit from greater security without harming the user experience of contactless or slowing the transaction-processing time for merchants.

With the U.K.'s successful mobile-only challenger banks already utilizing biometrics to authenticate in-app, adding biometrics to payment cards brings authentication harmony across form factors. And in recent weeks, the biometric payment card has garnered even more traction in the U.K. market.

Just a few weeks ago, the BBC got its hands on major U.K. bank NatWest’s biometric payment card, currently in the pilot stage. Journalist Dan Simmons spoke with our partners at NatWest, RBS and Gemalto, to learn more about the details.

The segment went some way to dispel some common myths, explore the benefits and explain in simple terms how it all actually works.

Georgina Bulkeley, director of strategy and innovation at RBS and NatWest, went about “shattering television dreams” when probed about the spoof-ability of the new payment cards. An imprint, a stolen thumbprint from a glass, a high-res photograph … able to fool a biometric card? Not quite.

Smart algorithms capture a mathematical representation of your fingerprint — not an image — so high-resolution photographs can’t trick modern sensors. Advanced security features have also relegated the notion of cracking biometric systems with sticky tape or gummy bear imprints to the realm of sci-fi fiction.

Gemalto’s Howard Berg also added that the smart new sensors "learn" when your fingerprint has a slight variation such as a micro-scratch, to minimize false rejection rates.

“Consumers want experiences to be simple and easy,” Bulkeley added. Saying goodbye to the PIN and fear of contactless card fraud at the same time, biometric payment cards really make sense.

Another crucial factor, and something demanded by banks and consumers, is the opportunity to remove the payment cap. NatWest and RBS cited lifting the current U.K. £30 contactless spending limit as a primary motivation for trialing the technology, which aligns with the opinions of a number of banks.

Simmons took the card for a spin, now able to spend up to £100 a tap, with this likely to be “limitless” by the time it gets to market.

Viewers saw Dan enroll his fingerprint onto the card with a simple self-enrollment device at home. Over 79% of banks think home enrollment essential to success but agree the process must be a frictionless to get consumers on board from the get-go.

So, as PSD2 and SCA hit the headlines in the U.K. and other European markets, it's clear banks have worked hard to bring additional security to contactless. But with banks like NatWest and RBS, it’s promising to see some are already taking this a step further: limiting the disruption of increased security with biometric trust.

For reprint and licensing requests for this article, click here.
Authentication Risk Payment fraud Contactless payments ISO and agent