As the European PSD2 regulation rolls out, more online payments will follow Strong Customer Authentication (SCA) requirements for better security. This doesn’t have to impact the customer experience.
The Payment Services Directive (PSD) is a European directive launched in 2009 to regulate payment service providers throughout the European Economic Area (EEA). It was designed to increase competition across the EEA and harmonize consumer protection and the rights and obligations of payment providers and users.
The PSD2 is a revised directive with updated authentication requirements. Based on the latest deadline, by the end of 2020 service providers and merchants must comply with the PSD2. This means having an authentication framework that meets the Strong Customer Authentication (SCA) requirements.
The SCA requirements are seen by many as additional and cumbersome verification steps for users, but the PSD2 is a global effort to improve the ecosystem as a whole to help more players offer online services securely. Many of its objectives are interconnected:
- Increase consumer protection.
- Increase customer trust through fewer declined transactions.
- Decrease friction.
- Allow faster innovation and competition.
- Level the playing field for all providers, including new ones.
But let’s talk about the verification process. The Strong Consumer Authentication requirements under PSD2 wants companies to authenticate their users by at least two of three SCA authentication requirements, creating an enhanced two-phased authentication. The two factors must be independent of each other and not from the same category. These authentication categories are:
- Knowledge: something you know, like a PIN, password, or memorable information.
- Possession: something you have, such as a chip card, smartphone, or key fob.
- Inherence: something you are, commonly an iris scan, the sound of your voice, fingerprint, or how you interact with a device.
While some players are concerned this will add friction to their customers, the choice of tools to follow the SCA requirements will give companies an opportunity to keep friction to a minimum.
In addition, not all transactions need to be authenticated by two of the SCA requirements; some transactions are exempted. Prepaid gift cards, mail and telephone orders, and merchant-initiated payments, for example, are not subject to SCA. Low-value and recurring, same-value transactions, white-listed purchasers and secure corporate accounts may also be added to exception lists.
Merchants will need to offer SCA-compliant authentication methods and have other requirements in place for their consumers in EEA countries by December 31, 2020, with the exception of the U.K. which has until March 31, 2021. Migration plans are mainly coordinated by the national banks of each country, while six EEA countries have formed a collective to migrate together: U.K., France, Spain, Netherlands, Belgium, and Luxembourg.
How can companies follow PSD2 with minimal friction?
The two parameters required for SCA leave merchants and payment providers a variety of choices on how to authenticate their users. Companies can leverage existing technologies and combine those that require the lowest effort for the consumer.
The inherence requirement includes user-friendly authentication methods such as fingerprint scans or even passive biometrics. With passive biometrics, the user verification can be done through how they interact with the device (how they type, for example), which is seamless to them.
Companies can combine this inherence requirement with the possession requirement by sending a code to the consumer’s device or simply leveraging technologies that recognize a device in real time – such as looking at the device ID – without asking any additional information from the user. NuData, for example, analyzes hundreds of behavioral traits such as how users scroll their phones or type, and determines device possession based on the intelligence shared during the transaction.
There are different options to execute the SCA requirements without adding friction to the user or by applying user-friendly friction. This two-phase verification framework is offered today by NuData, an award-winning passive biometric company.
NuData can help guide service and payment providers to the most seamless PSD2 experiences for all types of devices.
For related reading- Can you tell who the real user is?