The roll-out of secure customer authentication has once more been delayed, this time as a result of the COVID-19 pandemic. We took the opportunity to bring G+D’s Andy Ramsden together with Vendorcom’s Paul Rodgers to discuss how the time might be used to refine the scheme, and asked Gabrielle Bugat about G+D’s wider role in payments development.
Strong customer authentication (SCA), part and parcel of the revised Payment Services Directive (PSD2), is a new European regulatory requirement that’s aimed at reducing fraud and making online payments more secure.
It’s a crucial moment for the payments industry – from banks to merchants and all the layers in between – because, to accept payments and meet SCA requirements, merchants will need to build additional authentication into their checkout flows. SCA will require authentication to use at least two of three stated elements: something the customer knows (such as a password or PIN), something the customer has (for example, a phone or hardware token), and something the customer is (a fingerprint or facial recognition).
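The two-of-three rule above has an edge case that trips up checkout designs: two elements from the same category (a password plus a PIN, both "something the customer knows") do not satisfy SCA, however strong each is. The following is an added illustration, not code from the article or from G+D; the element names and the mapping of each to a category are hypothetical labels chosen for the example.

```python
# Added example (not from the article): classify presented authentication
# elements into the three SCA categories and check that at least two
# *distinct* categories are present. Element names are hypothetical labels.
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Hypothetical mapping of authenticator types to SCA categories.
ELEMENT_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,             # bound to the registered phone
    "hardware_token": Factor.POSSESSION,
    "app_on_registered_device": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def sca_categories(elements):
    """Return the set of SCA categories covered by the presented elements.

    An unrecognised element raises ValueError so a misconfigured checkout
    flow fails closed rather than silently counting an unknown factor.
    """
    categories = set()
    for element in elements:
        try:
            categories.add(ELEMENT_CATEGORY[element])
        except KeyError:
            raise ValueError(f"unrecognised authentication element: {element!r}")
    return categories


def satisfies_sca(elements):
    """True when the elements span at least two of the three categories.

    Two elements of one category (password + PIN) do NOT qualify, because
    the requirement is two *kinds* of element, not two elements.
    """
    return len(sca_categories(elements)) >= 2


if __name__ == "__main__":
    for flow in (["password", "pin"], ["password", "sms_otp"],
                 ["fingerprint", "app_on_registered_device"]):
        print(flow, "->", satisfies_sca(flow))
```

The interesting case for reviewers is the first flow in the usage block: a bank that "upgrades" from password to password plus PIN has added friction without adding a second category.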
But the new regime has stuttered into existence. Originally slated for introduction in September 2019, it has been delayed or phased in by several countries. Now it’s been pushed back again in the UK, from March 2021 to September 2021, as a result of the chaos unleashed by the COVID-19 outbreak. A statement issued by the Financial Conduct Authority (FCA) in April said the additional six months to implement SCA for e-commerce will ‘minimise potential disruption to consumers and merchants’. There have been similar calls for a postponement in Europe.
Doing the right thing versus doing it right
Firms are still required to take all necessary steps to comply with the revised plan and follow the critical path to avoid the risk of enforcement action. But UK Finance, as a key coordinator for the industry, will now spend time further discussing it with all stakeholders before agreeing the way forward with the FCA. And, despite it having been on the cards for some time, there needs to be a lot of very detailed discussion, says Andy Ramsden, head of global solution sales for financial solutions at payments technology giant Giesecke+Devrient (G+D).
“It could go badly pear-shaped, if it’s not done correctly,” he says. “I still see some problems around how you can interpret certain things in the regulation. We talk to banks on a daily basis, some of which think, for example, that using the SMS channel is a tick in the box that will get them through PSD2 compliance. Then you talk to other banks that are very clear that this is actually a weakness, that it’s far better served with biometrics. Because banks are interpreting it in many different ways, this is causing all sorts of problems. There’s a real grey area as to what is compliant, and what’s not.”
Paul Rodgers, chairman of trade association Vendorcom, which was established in 2003 to bring together all the key players from across the European payments ecosystem, agrees.
“I think the real challenge we have here is that we’ve had a banking authority legislate in an area that is not purely within the banking domain,” he says. “The multi-layered, multi-faceted, highly-distributed ecosystem that is the payments world means that different people will look at this in different ways.”
Many will see the delay as a welcome relief: additional time to get ‘SCA-ready’ – it’s estimated that more than 70 per cent of payments processed today still aren’t compliant with the specifications. But both Ramsden and Rodgers believe it’s the regulators that need to use the time to avoid an approach that could, in its current form, set payments, and particularly e-commerce, back several decades. No one doubts that SCA is a good idea, particularly given the recent acceleration towards e-commerce and the commensurate rise in fraud. But if abandoned carts are the result of frustrated consumers clambering over digital security assault courses, then nobody benefits.
Food for thought
A 2015 Dashlane analysis of data from more than 20,000 users found that each, on average, has 90 online accounts. And here’s another fun fact. A Study of Authentication in Daily Life was conducted in the US by Dartmouth College, HP Labs and Disney Research on behalf of USENIX, the advanced computing systems association, which tracked a cohort of 26 people to see how many times a day they authenticated themselves across every conceivable device. And they found it to be, on average, 45.
What these stats illustrate is that proving who we are is as unavoidable as breathing and just as essential in the digital age. But doing it securely, if it’s not to feel as though we’re putting on an oxygen mask every time we make a payment, could be a real challenge.
As Ramsden is quick to point out: “Many of these problems never used to exist when you met face-to-face. But now, with so much interaction and transaction forced from a position of distance and isolation, it’s been thrown into sharp relief.
“Most of the devices we use have to be treated as not trusted. When I’m accessing my account through my app, the bank doesn’t know where I am, it doesn’t know what device I’m accessing it from, in some cases. And with all these opportunities that we, as customers, now have, the criminals have even more.
So SCA came about to make sure that we can have the security we need, at the right time, and, if it’s done properly, to make it simple for customers. And that’s the trick: anybody can apply the security, but it’s got to be usable, and we’re talking about using it many times a day – checking bank balances, paying someone. We’re constantly authenticating ourselves.”
Founded in 1852, G+D is easily one of the longest-established players in the payments industry. It offers both physical and digital security technologies that protect millions of people every day, as they pay by cash, card or smartphone, interact with their cars or use their identity documents when travelling. As a company, it has led development in the area of biometric cards and, among several biometric partnership projects it’s currently involved in, is a pilot announced last year with Crédit Agricole to introduce the first of such payment cards in France. The cards are manufactured and customised by G+D Mobile Security, with NXP Semiconductors providing the all-in-one electronic module and embedded software, and Mastercard supplying biometric specifications and support.
A call for collaboration and standardisation
Both Ramsden and Rodgers are clear that it’s not just the act of authentication and how frictionless and secure it is that needs to be worked on, but also the liability that attaches to it in a complex value chain.
“You’ve multiple players in that value chain,” explains Ramsden. “You’ve the card or technology issuer, the customer, the merchant, the people in the background, the payment service providers (PSPs) and then all the people running the financial value chain. Everyone has a role to play.
“From an issuer perspective, they want to protect their assets because potentially they’re liable, but the customer also has a responsibility and if they don’t protect their password, then potentially they’re liable as well. It’s a mixed, muddled market. When you then layer PSD2 on top of that and all the complexities, I think it becomes even more difficult.
“The consequence could be that everyone wants to apply their own individual security and you end up with a botched, monolithic system that becomes completely unusable.
“When I access one bank, I need to use a one-time password dongle and I press a button and enter six digits, whereas with this other bank, I need to receive an SMS, and with the next bank I use my user ID and password. It becomes a bit of a nightmare for me, as a user.”
Rodgers strongly advocates collaboration to ensure the best delivery. But there’s a problem: such collaboration is currently barred under competition rules.
“Consistency is really important, and how the banks work together to roll this out is absolutely key. But that ability for the banks to work collaboratively is actually countered by most regulators,” explains Rodgers. “It’s only by establishing a common foundation, that is easy to communicate, and easily implementable, that we’re going to get that baseline service right.”
If that hurdle is not addressed, when SCA finally does go live, both men believe there is huge scope for consumer confusion. This is exactly why technology companies and fintechs are now competing to find alternatives that avoid the need for clunky user interfaces – biometrics tied to banks that, in effect, act as gatekeepers of your identity being one of them.
“SCA is going to apply unnecessary levels of friction to the ecosystem, and that will create a negative customer experience until we can get a common, ubiquitous, foundational approach,” says Rodgers.
“That’s what some of the SCA programmes around Europe are trying to do, but there’s little or no consistency across the different countries. So that has another implication: for certain merchant sectors, particularly hospitality, travel, and general cross-border trade, the digital single market from a European e-commerce perspective has virtually been killed by the inconsistency that has been applied, and the lack of real leadership that the European Banking Authority has shown.”
Ramsden is keen to look for the positives.
“I really do think there’s lots of great stuff coming out of PSD2, which helps with application programming interfaces (APIs), open banking, and the promotion of biometrics,” he says.
“And, being positive about this, especially for merchants, one of the big issues we all have is the friction of making a payment through our mobile or online, so we’re seeing tokenisation, not just for issuers that are tokenising payment credentials for things like Apple Pay and Fitbit Pay, but also merchants, tokenising card-on-files.
“There have been some real horror stories about merchants that have had their databases hacked, and credit card details stolen. If you tokenise that, you take away much of the risk for the merchant.
“Then we have EMVCo doing some great work with the schemes around Secure Remote Commerce, or in-app payments. When I browse through an app and I want to make a purchase, it takes me through to my banking app to make the payment. I don’t want to store my credentials in a taxi app or a coffee shop app, forget that I ever loaded it there and three years later find their database has been hacked. I’ve got a bank that I trust, so let me store my details there and maybe use biometrics to authenticate myself for the SCA process. Make it as easy as that. All these types of solutions are really starting to happen now.
“But I also echo the points Paul makes. We need consistency, too, because, at the moment, there are some great solutions but they’re ad hoc, and that’s not good.
“I also agree that we need collaboration. I worked in the mobile operator space when near-field communication kicked off. We failed horrifically to collaborate, because we were used to competing. And, lo and behold, Apple, Google and Samsung came in and ate the cake off the table.
“Banks need to be careful, because if they don’t do something then, once again, it’ll be Google, Apple and Amazon who come in, because they’re already delivering great experiences. There’s no reason banks and merchants can’t do the same, but they need to get their act together. I say ‘they’, I mean we’re all involved in it, as an industry.
“So, to recap, if you want SCA to be applicable to mass consumerism, it needs to be everywhere, and it needs to be consistent. That approach worked well with chip and PIN: we all do the same thing. Irrespective of whose card it is, you put your card in, type your four digits and take your card out.
“That’s where we need to get to with SCA, and we’re not there yet.”
Q&A with Gabrielle Bugat, Head of Division for Financial Solutions at Giesecke+Devrient
The Fintech Magazine: Last year, G+D announced it was launching a biometric card trial with Crédit Agricole. Can you tell us more about that?
Gabrielle Bugat: Our biometric payment cards with integrated fingerprint reader will enable Crédit Agricole customers to make quick and easy contactless payments. They offer the highest level of security, personal data protection and performance. All one needs to do is place a finger on the impression reader to securely authorise the payment process. We’ve seen limit increases being raised on contactless cards as a result of the pandemic. This solution will mean that people feel more confident paying higher amounts without using a PIN.
We’re working with other partners, including NXP Semiconductors and Mastercard, on this, and it’s worth noting that France is a great market to try it out in, with 57 per cent of French people saying that contactless is their preferred method of payment. We forecast a real boom in this type of solution – not just because of COVID-19, although it certainly has been a trigger. As such, we’re busy developing new products.
TFM: Given there was previously a reluctance to increase the cap on contactless card payments because of security concerns, how might this influence consumer behaviour and how might manufacturers respond?
GB: It’s an understatement to say 2020 has been a challenge for many sectors, with businesses and consumers discovering new ways of living, working, socialising and operating. As part of the new normal, card technology has come under the spotlight for its role in supporting social distancing and keeping the economy’s wheels turning.
Security is, of course, a crucial element, providing consumers and businesses with the confidence that their account, card or device has not been compromised.
One of the latest developments is advanced biometric technology.
Visa and Mastercard have been very active in this area with the Visa Ready scheme and the Mastercard Biometric Card, which combine chip technology with fingerprints to verify a cardholder’s ID for in-store purchases.
Other security developments include tokenisation and dynamic card verification value (CVV/DCVV) technology. Tokenisation enables banks to turn an account number into a token that prevents fraudsters from identifying it. These tokens can be placed in various physical devices or used for e-commerce or mobile phone transactions.
From a card manufacturer’s perspective, G+D has a strong legacy in terms of innovating solutions and products based on necessity. We have faced global crises in the 19th, 20th and now 21st century, so we’re confident that we can continue taking on world challenges and securing payments.
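Both Ramsden’s point about merchants tokenising card-on-file details and Bugat’s description of tokenisation above come down to the same mechanism: the merchant keeps a surrogate value that is useless outside the issuing system, and the real account number lives only in a vault. The following is an added illustration of that mechanism, not code from the article, from G+D or from any scheme; the vault class, its in-memory storage, the `authorised_callers` list and the test card number are constructed for the example.

```python
# Added example (not from the article, G+D or any card scheme): a minimal
# card-on-file token vault. The merchant stores only the token; the PAN is
# held in the vault, and the token carries nothing from which the PAN can be
# recovered. Storage is an in-memory dict purely for illustration.
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check-digit test that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Issues random, format-preserving tokens for PANs and returns the PAN
    only to an authorised caller (e.g. the payment processor, never the
    merchant's web tier)."""

    def __init__(self, index_key: bytes, authorised_callers):
        self._pan_by_token = {}             # token -> PAN (would be encrypted at rest)
        self._token_by_index = {}           # HMAC(PAN) -> token, for idempotent re-tokenisation
        self._index_key = index_key
        self._authorised = frozenset(authorised_callers)

    def _index(self, pan: str) -> str:
        # Keyed hash: a leaked index cannot be brute-forced back to a PAN
        # without the key, unlike a plain SHA-256 over the small PAN space.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:     # same card -> same token for this vault
            return self._token_by_index[idx]
        while True:
            # Same length and same last four digits, so receipts can still show
            # "**** 1111"; the rest is random. Tokens are required to FAIL Luhn,
            # so a token can never be mistaken for, or replayed as, a real PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorised:
            raise PermissionError(f"{caller!r} is not allowed to detokenise")
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key", {"payment-processor"})
    test_pan = "4111111111111111"           # well-known test number, not a live card
    token = vault.tokenize(test_pan)
    print("merchant stores:", token)
    print("processor recovers:", vault.detokenize(token, "payment-processor"))
```

The design point relevant to the "horror stories" Ramsden mentions is the split of trust: a dump of the merchant's database yields only tokens, which fail Luhn and map to nothing outside this vault, and even the vault's own lookup index is keyed so it does not double as a PAN list.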
TFM: Would you like to see the delay in implementing SCA used to agree a more standardised approach?
GB: With or without the pandemic, there’s a need for the industry to unite on a standardised SCA solution. Regulators need to allow enough time to put SCA into play so that customers’ payments experiences are convenient, frictionless, simple and secure, regardless of where they bank.
TFM: G+D has been at the forefront of calls for global payment standards. How might they be achieved?
GB: G+D has always been part of shaping the way we pay: it is at the core of what we do. Responding to global market demand for independent and standardised payment solutions, together with IDEMIA, last year we announced our intention to create the White Label Alliance (WLA) to provide a new security solution for next-generation payment applications. The aim is to design and maintain an open, comprehensive and standardised framework to meet the requirements of open and closed payment systems. Based on the Europay, Mastercard and Visa (EMV) standard, this solution ensures scalability for all technologies: cards, terminals and mobile devices. It’s strongly committed to open standards.
We want to thrive with our partners and evolve together. We greatly value being open and transparent in our relationships. The close cooperation within the Alliance shows the effort to define open payment specifications that benefit all end users.