Technology, Customer Authentication and PSD2: payment service providers (and retailers) - are you ready?
25 March 2019
Apparently, we will, globally, spend some $4.9 trillion in e-Commerce transactions by 2021. Smartphones generated over 42% of e-Commerce revenues in 2018 and there has been a ten-fold increase in biometric smartphones in the last two years. However, against the backdrop of our increasing transactional reliance on smartphones and other mobile devices, e-Commerce fraud increased by 33% in 2016. This put pressure on the EU to keep up with the way in which we shop and to enhance consumer protection by reducing the potential for fraud.
From 14 September 2019, the security requirements of PSD2 take full effect. While consumers long for simple and fast e-Commerce experiences, payment service providers will be required to introduce additional security measures on payments. To achieve this, PSD2 places an emphasis on “strong customer authentication”.
The Commission Delegated Regulation (EU) 2018/389 (which supplements Directive (EU) 2015/2366) sets out the regulatory technical standards for strong customer authentication that apply when a payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel which may imply a risk of payment fraud.
Enhanced strong customer authentication
Most of us will have experienced the security features of ‘Verified by Visa’ or ‘Mastercard SecureCode’, which provide an additional level of security for certain bigger-ticket transactions by requiring the customer to prove that they are who they say they are (for example by entering specific characters from a password). Until now, these features have been voluntary and applied at the instigation of the payment service provider. PSD2 introduces a requirement for payment service providers to apply two-factor authentication to each of the transactions mentioned above, unless an exemption applies.
The two factors must come from two different categories of the following three:
- Something you know (e.g. a PIN or password);
- Something you possess (e.g. a mobile phone or a card); and
- Something you are (e.g. a fingerprint or facial recognition).
The two factors must also be independent of each other, so that the compromise of one does not compromise the reliability of the other; two passwords, for example, do not qualify.
This may not change your in-store grocery shopping, since a ‘card present’ chip-and-PIN transaction already combines something you possess (the card) with something you know (the PIN), but it is likely to change how you make larger payments and payments online. When shopping online, the card number, expiry date and security code do not count as a knowledge factor, since anyone holding the card can read them off it. Instead, after entering your card details, you will typically be asked for a password (something you know) and sent a unique, one-time authentication code, for example by text message to your mobile phone (something you possess). For remote payments that code must be dynamically linked to the amount and the payee, so that a code issued for one payment cannot be replayed for another. Note that a code sent by text message is the weakest form of possession factor, because it can be intercepted or the phone number taken over by a SIM swap; a code generated in the bank’s own app or a dedicated authenticator is harder to attack. To date, this has been optional for payment service providers, but from 14 September 2019 it will be mandatory and the default position, unless an exemption applies. Some payment providers have already started introducing two-factor authentication, including whitelists of trusted beneficiaries (see below).
The Regulation lists a number of exemptions. Contactless electronic payments at a terminal are exempt where the individual amount does not exceed €50 and, since strong customer authentication was last applied, either the cumulative amount does not exceed €150 or no more than five consecutive contactless payments have been made. Similarly, remote electronic payment transactions are exempt where the individual amount does not exceed €30 and, since strong customer authentication was last applied, either the cumulative amount does not exceed €100 or no more than five consecutive transactions have been made. The payment service provider must therefore keep a per-payer count and running total since the last strong customer authentication and apply it again once the limit it relies on is exceeded; the counters start afresh only after authentication has actually succeeded.
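To make the counting concrete, the following is an added illustration written for this page (it is not code from any payment provider, card scheme or the Regulation) of how an issuing payment service provider might track the low-value exemption per payment instrument. It enforces both the cumulative-amount limit and the consecutive-transaction limit, which is the conservative choice since the Regulation lets the provider rely on either; the policy names, the five-transaction ceiling and the transaction amounts are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class LowValuePolicy:
    """Thresholds of a low-value exemption (assumed names for this example)."""
    single_limit: Decimal       # ceiling for one transaction
    cumulative_limit: Decimal   # cumulative amount allowed since the last SCA
    max_consecutive: int = 5    # exempted transactions allowed since the last SCA


# Thresholds as stated in the article: remote (30/100) and contactless (50/150).
REMOTE = LowValuePolicy(Decimal("30"), Decimal("100"))
CONTACTLESS = LowValuePolicy(Decimal("50"), Decimal("150"))


@dataclass
class PayerCounters:
    """State the issuing PSP keeps per payer and payment instrument."""
    cumulative: Decimal = Decimal("0")
    consecutive: int = 0

    def reset(self) -> None:
        # Called only after SCA actually succeeded.
        self.cumulative = Decimal("0")
        self.consecutive = 0


def low_value_exempt(amount: Decimal, counters: PayerCounters,
                     policy: LowValuePolicy) -> bool:
    """True if this transaction may skip SCA under the low-value exemption.

    Conservative reading: the transaction is refused the exemption as soon as
    it would breach either the cumulative-amount or the count limit.
    """
    if amount > policy.single_limit:
        return False
    if counters.cumulative + amount > policy.cumulative_limit:
        return False
    if counters.consecutive + 1 > policy.max_consecutive:
        return False
    return True


def decide(amount: Decimal, counters: PayerCounters, policy: LowValuePolicy,
           sca_succeeds: bool = True) -> bool:
    """Process one transaction; return True when SCA had to be applied.

    Counters advance only for exempted transactions and are reset only when
    SCA succeeds, so a failed or abandoned challenge never widens the window.
    """
    if low_value_exempt(amount, counters, policy):
        counters.cumulative += amount
        counters.consecutive += 1
        return False
    if sca_succeeds:
        counters.reset()
    return True


def run(amounts, policy: LowValuePolicy):
    """Replay a sequence of amounts (constructed sample input) for one payer."""
    counters = PayerCounters()
    return [decide(Decimal(a), counters, policy) for a in amounts]


if __name__ == "__main__":
    # Six €10 remote payments: the first five are exempt, the sixth is challenged.
    print(run(["10"] * 6, REMOTE))
    # Five €25 remote payments: the running total hits €100 on the fourth,
    # so the fifth is challenged.
    print(run(["25"] * 5, REMOTE))
```

The decision here is the issuer’s, made from its own counters; a merchant or acquirer can request an exemption but cannot be sure it will be granted, which is why a challenge can still appear on a small payment.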
Other exemptions include where the payer creates a list of whitelisted trusted beneficiaries in advance, and when a payer creates a series of recurring transactions for the same amount with the same payee (such as subscriptions). However, strong customer authentication will be required to set up or amend the lists, and payment service providers will have the option to conduct ‘spot checks’, imposing requirements for strong customer authentication.
When implementing strong customer authentication as a payment service provider, it is key that you understand your obligations if you wish to apply the exemptions, particularly the need to record and monitor the transaction data and fraud rates on which the exemptions depend, which must be readily available for review by the competent authorities on request.
Although it is the responsibility of payment service providers to implement measures of authentication, retailers and other merchants should be seeking to engage payment service providers who can demonstrate lower fraud rates, and frictionless technology, as this will allow for a smoother consumer payment experience with fewer challenges.
For more information about steps that you should take in preparation for the Regulation, please get in touch with Owen Watkins or James Gill.