European Payments Regulators Call for the End of Single-Factor Authentication

On December 19, 2014, citing an increase in fraud, the European Banking Authority (EBA) published its Final Guidelines on the Security of Internet Payments. These guidelines detail minimum security requirements that payment services providers (PSPs) supervised by financial services regulators in the EU were expected to satisfy by August 1, 2015.

As of the end of May 2015, 24 national regulatory authorities in the EU stated that they would comply with these guidelines, two (Cyprus and Sweden) indicated partial compliance, while three (Estonia, Slovakia and the UK) indicated they would not comply.

The payment services that fall within the scope of these guidelines include all Internet payment services, irrespective of the access device used, that involve:

  • The use of most payment cards, including card registration for use in digital wallets;
  • The transfer of funds out of customers’ bank accounts (through credit transfers or the issuance of direct debit mandates); and
  • E-money transfers between two e-money accounts.

These guidelines do not apply to mobile payments where a payment instruction is provided through a dedicated payment application executing on the customer’s mobile device or to the use of short message service (SMS) technology.

The impact of some of these requirements on the operational processes of many payment service providers (PSPs) will be significant. Many will have to deploy additional security controls, revise user-facing processes and require that their online merchants and third-party service providers can satisfy these requirements.

Further complicating the regulatory landscape for PSPs is the impending adoption of the final text of the Revised Payment Services Directive (PSD2) later in 2015. PSD2 also includes specific security requirements on customer authentication that are similar (but not identical) to the requirements in the EBA guidelines.

The expectation is that after adoption by the EU the PSD2 will be transposed into national legislation over a period of 24 months. At that time, PSD2 requirements will supersede the EBA guidelines in the supervisory frameworks of national regulators that have chosen to comply with them.

End of the line for single-factor authentication?
To attain strong customer authentication under EBA guidelines PSPs must deploy procedures that use a minimum of two independent authentication elements – categorised as knowledge, ownership and inherence. Furthermore, authentication procedures are required to incorporate at least one element that is non-reusable and non-replicable and not “capable of being surreptitiously stolen via the internet.” Importantly, inherence-based authentication elements like biometrics are excluded from this requirement.

The impact of this requirement is compounded by the EBA’s apparent adoption of a loose definition of sensitive payment data. A wide range of the personally identifiable information (PII) held by PSPs falls within the scope of this definition.

The introduction of these guidelines is expected to further accelerate the ongoing migration of PSP customer authentication processes from single-factor authentication (SFA) to multi-factor authentication (MFA) procedures. The use of static password/user ID credentials will likely be limited to controlling access to less sensitive account overview and profile information.

Using the mobile communications channel
Since many PSPs are unlikely to distribute hardware tokens/cards to their customers, wider use of the mobile communications channel to support an MFA customer authentication procedure should be expected. Many PSPs already offer their customers dedicated mobile applications for most mobile device operating systems.

Extending the use of such applications to generate a one-time password (OTP) that is subsequently entered by the customer as part of a multi-factor authentication procedure may be an approach favoured by many PSPs regulated in the EU. The use of SMS-based solutions to deliver an OTP to a registered customer mobile device could be an alternative approach.

Biometrics going mainstream
The growing availability of biometric-based authentication on consumer mobile devices provides an opportunity for mobile application developers to use them as part of an MFA process. As stated previously, the use of a biometric authentication element in an MFA process allows a PSP to satisfy these EBA guidelines without needing to bear the cost/complexity of deploying an infrastructure that generates and distributes one-time passwords over an alternative channel.

The EBA guidelines introduce explicit requirements for PSPs that issue payment cards to register their cards for use with strong customer authentication services; digital wallet providers are required to support the use of such services for card registration and subsequent payments. PSPs that acquire card payments are also required to support the use of strong customer authentication services.

The language used appears to point to the use of solutions based on the 3D Secure extended cardholder authentication protocol for online payments. It must be noted that legacy 3D Secure variants that use static passwords do not meet the EBA definition of strong customer authentication. In the past, PSPs have been wary of the deployment of 3D Secure solutions since they are perceived to increase friction in the customer experience and lead to increased numbers of failed/abandoned transactions.

Transaction risk analysis
The EBA guidelines allow PSPs to use alternative customer authentication solutions for low-risk transactions. To limit the scope of strong customer authentication sessions, PSPs are increasingly using automated transaction risk-analysis tools to monitor and assign risk ratings to attempted transactions on a real-time basis. A number of these tools offer a dynamic reconfiguration capability coupled with enhanced “learning” abilities.
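The decision the guidelines permit, applying strong customer authentication only where a real-time risk rating is not low, can be shown as a small rule-based scorer. The following is an added example written for this article, not a description of any vendor's risk-analysis tool: the signals (amount bands, unknown device or payee, country mismatch, transaction velocity and cumulative amount over a 24-hour window), their weights and the step-up threshold are all constructed assumptions, as is the customer profile used in the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transaction:
    customer_id: str
    amount_eur: float
    payee_id: str
    device_id: str
    country: str
    timestamp: datetime


@dataclass
class CustomerProfile:
    """What the PSP already knows about the customer (constructed for this example)."""
    home_country: str
    known_devices: set
    known_payees: set
    history: list = field(default_factory=list)  # recent attempts, used for velocity checks


# Assumed weights and threshold: a score at or above STEP_UP_THRESHOLD means the
# transaction is not low-risk and must go through strong customer authentication.
STEP_UP_THRESHOLD = 50
VELOCITY_WINDOW = timedelta(hours=24)


def score_transaction(tx: Transaction, profile: CustomerProfile):
    """Return (score, reasons) for one attempted transaction."""
    score, reasons = 0, []
    if tx.amount_eur > 500:
        score += 40; reasons.append("amount above 500 EUR")
    elif tx.amount_eur > 100:
        score += 15; reasons.append("amount above 100 EUR")
    if tx.device_id not in profile.known_devices:
        score += 30; reasons.append("unknown device")
    if tx.payee_id not in profile.known_payees:
        score += 20; reasons.append("new payee")
    if tx.country != profile.home_country:
        score += 25; reasons.append("country differs from home country")
    recent = [t for t in profile.history if tx.timestamp - t.timestamp <= VELOCITY_WINDOW]
    if len(recent) >= 5:
        score += 30; reasons.append("5 or more attempts in 24h")
    if sum(t.amount_eur for t in recent) + tx.amount_eur > 1000:
        score += 30; reasons.append("cumulative amount above 1000 EUR in 24h")
    return score, reasons


def decide(tx: Transaction, profile: CustomerProfile):
    """Score the attempt, record it for future velocity checks, and say whether
    strong customer authentication is required."""
    score, reasons = score_transaction(tx, profile)
    profile.history.append(tx)
    return score >= STEP_UP_THRESHOLD, score, reasons


def run_constructed_scenario():
    """Six constructed attempts by one customer within a single day."""
    base = datetime(2015, 8, 1, 9, 0, 0)
    profile = CustomerProfile("DE", {"dev-1"}, {"shop-1"})
    attempts = [
        Transaction("c1", 25, "shop-1", "dev-1", "DE", base),
        Transaction("c1", 700, "shop-7", "dev-9", "FR", base + timedelta(minutes=10)),
        Transaction("c1", 30, "shop-1", "dev-1", "DE", base + timedelta(hours=1)),
        Transaction("c1", 30, "shop-1", "dev-1", "DE", base + timedelta(hours=2)),
        Transaction("c1", 30, "shop-1", "dev-1", "DE", base + timedelta(hours=3)),
        Transaction("c1", 200, "shop-1", "dev-1", "DE", base + timedelta(hours=4)),
    ]
    return [decide(tx, profile) for tx in attempts]


if __name__ == "__main__":
    for needs_sca, score, reasons in run_constructed_scenario():
        print(f"score={score:3d} step-up={needs_sca} reasons={reasons}")
```

The last attempt is small and comes from a known device to a known payee, yet it is stepped up purely on velocity and cumulative amount; the second is stepped up on its own characteristics. Recording every attempt in `history`, not only completed payments, is what makes the velocity signal useful against repeated low-value probing.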

Impact on customer experience
The impact of the adoption of these guidelines by EU financial services regulators on Internet payment interactions of non-EU customers could be significant. Global PSPs that are regulated in the EU are expected to change customer authentication procedures, their website design and a number of back-office processes to comply. Over a period of time, such changes are likely to be extended to instances of their payment services offered to non-EU customers to maintain a consistent customer experience.

This article was written by Dimitrios Markakis, Senior Consultant at Flawless Money Ltd.

First published in n>genuity journal.