MEMORANDUM
QED Conference on Customer authentication and common & secure communication under PSD2
John Basquill, Editor, Payments Compliance (moderator)

Mr Basquill reminded delegates that PSD2 comes into effect across the EU in January 2018, but has already been transformative for swathes of the industry from the largest global banks to FinTech start-ups. He said that one of the most eye-catching changes is that two types of third-party provider – for payment initiation services and account information services – will be permitted to gain access to consumers’ bank accounts. Moreover, banks are actually obliged to allow those service providers access. Mr Basquill commented that the final text of PSD2 left a few loose ends, such as how payments can be authorised securely, and how the third party access model works in practice. To resolve some of these points, the EBA published its draft Regulatory Technical Standards (RTS) for consultation. “The draft RTS itself caused a few ripples in the industry,” he commented, “which we look forward to discussing at this conference.”

Dr Dirk Haubrich, Head of Consumer Protection, Financial Innovation & Payments, European Banking Authority

Dr Haubrich introduced the EBA, its scope of action and output to date, which since its creation in 2011 includes the issuance of over 200 legal instruments and 100 reports. He said that PSD2 conferred on the EBA the development of 11 mandates, and he briefly explained each one. He focused on the mandate on strong customer authentication (SCA) and common & secure communication (CSC) under Article 98 of the PSD2. For this mandate, the RTS is to be submitted to the European Commission in January 2017, and will be scrutinized by the Commission as well as the European Council and Parliament over a period of at least three months. Once the Commission adopts and publishes this particular RTS, it will be applied 18 months later, so no earlier than October 2018. Dr Haubrich talked about the challenges facing the EBA in developing the RTS on SCA and CSC. These include delivering the mandate by the deadline of January 2017 while getting early input; developing security requirements that are not only an enhancement for existing payment services, but also facilitate the orderly functioning of the new services that are introduced through PSD2 and mitigate the specific risks associated with them; finding appropriate trade-offs between various competing demands, which he described in detail; and developing the RTS within the confines of the provisions and definitions in PSD2. Dr Haubrich then talked through each chapter of the consultation paper, starting with the SCA procedure (1); exemptions to SCA (2); protecting user credentials (3); and standards of communication (4). In all areas he expressed great interest in hearing the industry’s views on the proposals (the consultation period ends 12 October 2016). He also stated that the publication will include a ‘feedback table’ that lists all the comments the EBA has received, and will explain whether or not amendments have been made, and why.
Luke Olbrich, Head of EMEA Core Payments, PayPal Europe

Mr Olbrich stated that the EBA’s position on authentication for electronic and mobile commerce transactions, if implemented as described, will disrupt the payments industry across all 31 EEA Member States. “Any single form of multi-factor authentication of payments beyond a risk-based approach by a bank or payments provider is not the right answer,” he said. As an illustration, in 2015 PayPal implemented 3DS card authentication for the first time, and experienced directly the highly disruptive effects on the European digital market. After testing this with several million consumers across all 31 EEA Member States, average failure rates of 40% were recorded, with a peak of 51% in Germany alone. PayPal was obliged to quickly adjust its 3DS approach in view of this massive push-back of its user base. Mr Olbrich said that this demonstrates that any security policy setting blanket restrictive criteria, regardless of any risk-based approach, is doomed to fail. He said that the EBA should set quantitative minimum levels of fraud: payment providers failing to meet these benchmarks can then be mandated to comply with more rigid qualitative security requirements. He also asked that various exemptions for strong customer authentication, like transactions under 10 euros or for the same amount in the same location, be reviewed in a more pragmatic way. In closing, Mr Olbrich suggested that “an overly prescriptive security management solution across Europe simply opens up the door for massive infiltration by global fraudsters who are daily evolving their capabilities. Therefore it is critical that the EBA develops a risk-based authentication measure to allow payment service providers to effectively and on an ongoing basis address these challenges.”
Georg Schardt, Managing Director, Sofort

In Mr Schardt’s view, security is key, and should the draft RTS be adopted as proposed in the consultation paper, it will sooner or later shut payment initiation services (PIS) – considered the most secure payment method, accounting for 60 million transactions per year in Europe – out of the European payments market. He said that Article 19 of the draft describes a dedicated communication interface which would be mandatory for PIS to use to access the customer bank account. Banks would be given the opportunity to foreclose PIS direct access via the existing consumer or online banking platform, even though PIS has been a safe and proven solution for nearly 15 years. This is in stark contrast to what the PSD2 text provides; it guarantees PIS direct access via the web interface of a customer interface or online banking platform and rejects a particular business model for the provision of payment initiation services. He described it as a political compromise that does not correspond to market reality. In closing, Mr Schardt urged the EBA to respect the political will of PSD2 and provide a truly level playing field without making a bank-independent service dependent on a bank’s goodwill.
Esteban Martin, VP Industry Engagement, European Market Development, MasterCard

Mr Martin pointed out page 47 of the RTS – Options Considered – and in particular the fourth one (Scope of Exemptions), which he said is resolved with a very prescriptive approach, which was a big surprise to MasterCard. Mr Martin outlined five points of concern on this issue. First, independence of devices, which will not work in today’s environment nor in the future of the Internet of Things; here, clarity on what segregation means in practice is needed. Second, biometric authentication, which provides a good consumer experience, but the draft leaves some questions open. Third, emerging payments such as wallets and virtual cards and their authentication for every transaction, which is considered too strict. Fourth, the exemptions for contactless and remote transactions, which should be revised due to gaps, for example tollways. Fifth, demanding customer authentication for every single transaction is in conflict with the EBA’s own guidelines, will lead to increased friction and abandonment of transactions, could slow down the development of e-commerce in Europe, and compromises the objectives of the European Commission to promote a digital single market. On the topic of card abandonment, Mr Martin said that card issuers should retain their ultimate right to approve or decline a transaction if SCA was not offered (by a non-EEA merchant) – notwithstanding the fact that issuers must be prepared for SCA.
Sarah Webb, Managing Director, BarclayCard

“95% of transactions are authenticated in the background by risk profiling, using 100 variables,” remarked Ms Webb. “The issue we have with the RTS as currently drafted is that it might stifle innovation, and stifle the motivation to actually continue with this risk profiling and eradicate fraud.” She explained that in many cases, two-factor authentication is simply not necessary, and breaks the model of a positive consumer experience that banks are driving towards. Furthermore, in her opinion, it will not reduce fraud levels. Ms Webb also has issues with the exemptions and where they are applied. Currently, merchants have the ability to over-ride the second factor of authentication and apply a one-click solution or an invisible payment solution; the latter is becoming increasingly used. Applying two-factor authentication as described may stifle that, and again lower the experience for consumers. She called for creativity to tackle this problem, rather than rigidity which hampers innovation.

Angus Fletcher, Director, Global Head of Market Advocacy GTB Product Management, Deutsche Bank

According to Mr Fletcher, Deutsche Bank regards PSD2 as landscape changing, and is looking forward to it providing greater opportunities to work with FinTechs. However, he sees two-factor authentication as restrictive, and would prefer to see risk-based principles being applied. He is particularly concerned that the types of authentication presented in the RTS are not suitable for large corporate payments, which must not be held up in any way. He also questions the role of PIS providers in the corporate space. Mr Fletcher also addressed the roles of PIS providers and account information service providers, and said that it is critical for a bank to trust them if they are going to access the bank accounts of customers. To do that, any centralised database of authorised providers must be accessible to banks in real time. Finally, he stated that there should be a standardised API approach across Europe.
Open discussion

A delegate (an account information services provider) in the audience believes that a solution should include the API but should not exclude the AIS provider from using the direct online banking site to request information belonging to a user. Mr Olbrich said that PayPal already uses a number of providers around Europe to offer instant top-ups to accounts, effectively through online banking. His concern is that access to accounts would increase without there being sufficient insurances or standards in place. Mr Schardt said that he is fine with using a proper API if it would be in place, as long as it would not be mandatory, and that if it didn’t work properly, there must be the possibility to switch back. Dr Haubrich pointed out that the PSD2 already says that if the interface that is provided by the bank is not available, then reverting back to the old way is perfectly possible. Mr Fletcher said that it is in the interests of Deutsche Bank to have an open API, and this issue has huge ramifications on its processes and systems.
“It’s not a case of trying to protect what we have, it’s about ensuring the safety and security of the bank accounts of our customers, which involves working closely together with new payment service providers.”

A delegate pointed out that a bank will have to open up their infrastructure to TPPs, but wanted to know if that applied from January or October 2018. Dr Haubrich said that PSD2 applies from January 2018 when accounts will be “open, for lack of a better word” and that it is explicitly stated that banks are not in a position to block transactions or block access by TPPs from that date onwards, and that the PSD2 provides for the security requirements to come in at a later stage, namely October 2018 at the earliest. Mr Basquill brought up the topic of fraud, and commented that although fraud has increased in absolute terms over the recent years, it has decreased proportionately considering the growth of e-commerce. Ms Webb said that everyone is motivated to deal with fraud and to reduce the level of fraud even further. She thinks that the application of further authentication steps on top of risk profiling will have a direct impact on e-commerce. Mr Olbrich pointed out the rapid evolution of fraudster technology: “in six months’ time, anything that is defined from a qualitative point of view will be out of date.” This is why PayPal isn’t going to rely on a single solution but will put in their own risk-based authentication. To a question on the use of biometrics, Mr Martin said that MasterCard is launching a new pilot program to help shoppers improve the security of their transactions by taking photos of themselves (Selfie Pay). In the RTS, he is concerned about the lack of clarity on biometrics, especially as it is a big area for mainstream innovation. Dr Haubrich acknowledged the importance of the point raised earlier by Mr Martin on card abandonment (that card issuers should retain their ultimate right to approve or decline a transaction if SCA was not offered), and said it was something that the EBA would need to raise to the EC, who should in turn decide.

A final question from the floor was whether the EBA would enable the RTS to be reviewed in regard to the impact of the rules on the market. Dr Haubrich said that the PSD2 provides that the RTS should be reviewed on a very regular basis to take into consideration fast-moving technology.
A final question from the floor was
whether the EBA would enable the RTSto be reviewed in regard to the impact of
the rules on the market. Dr Haubrich said
that the PSD2 provides that the RTSshould be reviewed on a very regular
basis to take into consideration fastmoving technology.