Without a doubt, the Payment Services Directive (PSD2) is set to bring about major changes in the European financial services industry. As dictated by the European Commission, the Directive seeks to regulate payment services throughout both the European Union (EU) and European Economic Area (EEA).
The Directive has raised many questions among banks and other payments providers. According to EBA chairman Andrea Enria, there are 300 different “concerns and clarifications” regarding the Directive. However, the EBA seems to be poised to make some concessions, including relaxing the proposed rules on the requirement for strong customer authentication.
One of the more strident objections is the fear that when organisations are forced to tighten their security controls, they will experience financial losses from declined or abandoned transactions. The situation is typically discussed in terms of a tradeoff. A compromise. An “either-or” proposition. In other words, either you batten down the hatches with tighter security controls and you get more friction, or you provide a frictionless experience for your customers, but increase the risk of fraud.
But it doesn't have to be this way. “Strong customer authentication” doesn't have to be accomplished by putting up more cumbersome barriers. It can be accomplished through the use of multi-factor authentication (MFA): a method of confirming a user's identity by layering components from different categories, namely something the user possesses (for example, an ATM card), something the user knows (eg their PIN), or an attribute that is inseparable from the user's identity (eg a fingerprint). Combining two or more of these components creates a layered strategy with stronger security and can, in fact, make transactions easier for trusted customers.
The potential for achieving this balance is currently greatest in mobile. Mobile devices contain hundreds of identifying attributes. Technology now exists that draws these attributes together to form a unique, permanent device ID, which can serve as a component in an organisation's multi-factor authentication strategy (specifically, establishing the device as something the user possesses). Browser technology is also advancing to stay ahead of fraudsters. Next-generation browser solutions are emerging that incorporate advances in machine learning, statistical analysis and data analytics, and these may be a substantial benefit in multi-factor authentication.
While PSD2 requirements have raised many questions in the financial industry, banks do not have to sacrifice providing a seamless customer experience for increased security. Having a thorough understanding of the technology solutions available can help organisations strike the right balance between tighter security and a frictionless experience that won't impede transactions.
Contributed by Sunil Gossain, senior vice president, InAuth
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.