Strong customer authentication: a flexible approach

In July this year, the European Commission published a proposal for a revised Payment Services Directive (PSD). The proposal requires ‘strong customer authentication’ when someone makes an electronic payment transaction. This validates identity by at least two of the following factors: knowledge, possession and inherence. These are independent, in that the breach of one does not compromise the reliability of the others, and the process also protects the confidentiality of the authentication data.

The concept of strong authentication is in itself nothing new. What is new, however, is its appearance as a detailed regulatory requirement. Until now, both the Payment Services Directive and the Electronic Money Directive contained a more generic requirement for licensed operators to show that their governance arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate.

Different market approaches to customer authentication

Traditionally, the banking sector and card schemes have been the main (if not only) payment service providers, so changes in technology and security have been introduced by these participants. In a range of countries, strong authentication became the standard for payments, while further security measures for transactions over the internet were developed as an add-on.

More recently, new Payment Service Providers (PSPs) have entered the payments value chain using the internet as their first channel for basic transaction processing. As a result, their approach to payment security tends to be based on a variety of methods, so that it can counter a range of attacks associated with this environment. PSPs have had to move very quickly along the e-payment security learning curve and found out that they must remain vigilant regarding new threats. PSPs are consistently using additional information (geo-location information, IP address matching, IP address pattern detection, industry blacklists, comparison against a customer’s existing ‘profile’ etc) to validate interaction with a user.

There is still much to gain by combining the expertise of both the established and more recent providers of payment services. Customers use all kinds of devices as a service entry point, and this requires a flexible approach to authentication. Rather than two-factor authentication, we should be considering multi-factor authentication.
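As an added illustration (not code from the article or any PSP), the following Python sketch combines the two ideas above: the PSD definition of strong authentication as two factors from independent categories (knowledge, possession, inherence), and the contextual signals PSPs already use (geo-location, IP matching, blacklists, comparison against the customer's profile) to decide whether a session needs a step-up or should be refused. The factor catalogue, scoring weights and thresholds are constructed assumptions chosen only to make the decision logic visible.

```python
# Factor categories named in the PSD proposal. The catalogue of concrete
# factors and their mapping is an assumption for this example.
FACTOR_CATEGORIES = {
    "password": "knowledge", "pin": "knowledge",
    "hardware_token": "possession", "registered_device": "possession",
    "fingerprint": "inherence",
}

def is_strong(factors):
    """Strong customer authentication: at least two factors from DISTINCT
    categories. Two knowledge factors (password + PIN) are not independent,
    because one phishing page captures both, so they do not count as strong."""
    categories = set()
    for f in factors:
        if f not in FACTOR_CATEGORIES:
            raise ValueError(f"unknown factor: {f}")
        categories.add(FACTOR_CATEGORIES[f])
    return len(categories) >= 2

def context_risk(ctx, profile):
    """Score a transaction context against the customer's existing profile.
    Weights are constructed for illustration; a real PSP would tune them."""
    score = 0
    if ctx["ip"] in profile["blacklisted_ips"]:   # industry blacklist hit
        score += 60
    if ctx["country"] not in profile["usual_countries"]:  # geo-location
        score += 25
    if ctx["ip"] not in profile["known_ips"]:     # IP address matching
        score += 15
    if ctx["amount"] > 30.0:                      # not a low-value payment
        score += 20
    return score

def decide(factors, ctx, profile, step_up_at=30, block_at=60):
    """Return 'allow', 'step_up' (ask for a second, independent factor) or
    'block'. Strong authentication is accepted outright; anything weaker is
    judged on context, which is the flexible approach the text argues for."""
    if is_strong(factors):
        return "allow"
    risk = context_risk(ctx, profile)
    if risk >= block_at:
        return "block"
    if risk >= step_up_at:
        return "step_up"
    return "allow"

# Constructed sample profile using documentation IP ranges (RFC 5737).
SAMPLE_PROFILE = {
    "usual_countries": {"NL"},
    "known_ips": {"203.0.113.5"},
    "blacklisted_ips": {"198.51.100.9"},
}
```

Refusing to treat a password plus PIN as strong is the point of the independence clause: the second factor must survive the compromise of the first.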

The proposed PSD requirements

The new PSD requires two-factor authentication for all payment transactions. The European Banking Authority (EBA) has been tasked with drafting guidelines on exemptions to this rule, but the underlying message is clear: only two-factor authentication does the job and other payment authentication methods are mostly relevant for low-value, low-risk payments.

Under the revised PSD, the customers of Payment Service Providers (PSPs) that do not use strong authentication cannot be held liable for unauthorised transactions unless they acted fraudulently. This will also be the case when a number of companies are involved in a chain of payments and one of them has not used strong authentication.

The drafting of further security guidance on authentication by the EBA must be done within two years of the revised PSD being agreed. However, there is still some confusion over the mechanics of appropriate ‘strong customer authentication’. The regulator finds authentication important enough to highlight it as a specific requirement, but leaves the definition of appropriate authentication methods to a new regulatory body. We believe that this does not provide the industry with enough clarity upfront.

The forum recommendations on security

In the meantime, the Secure Pay forum released a set of recommendations this year on the security of internet payments, to be applied by 1 February 2015. This forum consists of the European supervisors that have a role in assessing security of retail payments. It stresses two-factor authentication as the norm, but the requirements do not address all product arrangements. There is one set of recommendations that will cover the issue of third party access to bank accounts – expected early 2014, while another set for mobile payments is currently under consultation.

Future EBA guidelines may well draw upon the work of the Secure Pay forum. But it is important to point out that the forum recommendations do not cover payments that are exempted from the PSD such as in-house payments or low-value payments. The net effect of the current approach is that the requirements for the security for retail payments are skewed to a specific type of authentication, but do not provide supporting analysis that justifies the approach.

A flexible approach

The envisaged inclusion of a detailed requirement on strong authentication is likely to distort current market developments rather than allow for further innovation and market development. We would welcome a more flexible approach.

This could allow for a broader ‘multi-factor authentication’ that includes authentication based on the user-interaction context. Alternatively, this specific requirement may not be included in this revision of the PSD. It would still be relevant, but as a part of the actual supervisory reviews, during which a more balanced context-based assessment can be made.