By now, European banks should be well on their way towards compliance readiness with the second Payment Services Directive (PSD2). Although initially slated for implementation in September 2019, an extension was granted for one of the Directive’s components – the strong customer authentication (SCA) requirement – until 31 December 2020.
Given this respite, it is unlikely that regulators will accept any excuses for compliance failures after 1 January 2021, and we expect that the majority of banks will be ready. It is possible, however, that while most banks will have their compliance paperwork in order, only a few will have grasped the full implications of PSD2 and prepared accordingly.
Take, for example, the widespread use of SMS OTP as a verification tool. A KuppingerCole survey found it to be the most popular form of multifactor authentication among European banks in the lead-up to the PSD2 deadline. This technology, so clumsy and easily intercepted, seems disconnected from the aims of the Directive and suggests that many banks may not be as prepared as their executives believe they are.
There are two central goals of PSD2: to protect the consumer by encouraging the integration of the European payments market and therefore increasing the security of payment mechanisms, and to promote competition in the pan-European payments market.
Unfortunately, SMS OTP technology falls short on both.
The problem with SMS OTP
Not only can an SMS be intercepted through malware, there is also the rising security issue of SIM swap fraud, a growing concern for mobile phone networks. In recent months, there has been a sharp increase in this phenomenon, with 483 cases in the UK reported until June this year; nearly double the amount for the same period last year.
A recent high-profile example is the hacking of Twitter CEO Jack Dorsey’s Twitter account via a SIM swap in September 2019. Dorsey’s account posted rogue messaging for a full 15 minutes before his team could regain control and, although his bank account was untouched, the incident severely impacted the credibility of the platform.
Engineering a SIM swap is a relatively simple process. A fraudster – impersonating a customer using personal details that are easily accessible online – calls the mobile phone network requesting a SIM swap. With this, the fraudster can gain access to phone settings, bank accounts, and any other personal data stored on the device.
To protect consumers, the EU Banking Association mandates using a PIN or a password along with an OTP, which adds another step to the payment process. But, even on their own, using OTPs can be a cumbersome and cluttered procedure. There is often a second or two of delay before the SMS arrives, then the user has to switch screens to retrieve the OTP and switch back to continue with the transaction. On occasion, the SMS may be delayed or not arrive at all, in which case the user needs to request another OTP via SMS.
When linked with the PIN/password step, the combination satisfies the regulatory requirement, but does it fulfil the spirit of PSD2?
In the pursuit of safe, sophisticated user experience
User experience is a critical factor in terms of meeting PSD2 standards. Recent experience shows us that consumers are more than ready for seamless and easy payment processes – we see this in the rapid uptake of payment processes such as tap-to-pay and QR payments. Consumers want ease of access, and they want to feel safe while transacting.There are several alternatives to SMS OTPs or indeed SIM-based authentication methods as a whole. One that we have had a lot of success with is 3-D Secure.
To achieve reliable and robust authentication, two out of three types of customer information must be used:
- Something they own, such as a mobile phone
- Something they know, like a PIN code or password
- Something they are, such as a fingerprint or behavioral analysis
The latest version of 3-D Secure from EMVCo, a global industry consortium, uses risk-based authentication (RBA) – a method that draws on several enhanced data sources to verify identity – to passively authenticate users through their devices. This combination eliminates active step-up events for all but the most risky or suspicious transactions, greatly helping to smooth online payments for consumers.
Entersekt has improved the user experience of 3-D Secure by offering features such as automatic cardholder enrolment, interactive screens to guide the user through the process, and certificate-based push authentication and transaction signing. Only the first 3-D Secure transaction involves a step-up authentication in order to identify the consumer’s device and tie it to their profile at the bank. All subsequent transactions are a one-click-only procedure, and so far superior to OTPs in terms of ease of use.
For the consumer, it is a frictionless, smooth, and secure process, much more in keeping with the spirit of PSD2. When implemented for one customer in Europe, our method substantially reduced cart abandonment, cut fraud by 95%, and increased transaction volume by 25%. Not only did the number of transactions increase, but their value also increased by 15%, signaling greater consumer confidence in the payment process.
The road ahead for PSD2 compliance
There is no doubt that SMS OTPs tick the necessary compliance boxes, but their use signals a lack of attention to the aims of PSD2 and a lack of awareness of the increasingly vigorous competition in the online payments industry.It will be user experience that determines market share, and it’s possible that only a small percentage of merchants have grasped this simple message. This lack of understanding may be, in part, because banks have traditionally focused on providing financial products rather than the importance of user experience. Tech companies are more inclined to focus on problem solving and creating a positive experience for the user.
Over the next few years, we expect to see increasing collaboration between banks and tech firms as competition surges, and it will be interesting to see how a new dynamic develops. New players will enter the market, while some will disappear. We are at the beginning of a new era, and regulations like PSD2 will have a substantial impact on the market. While compliance is, of course, a critical issue, focusing only on this could mean the difference between success and failure. To be competitive, current industry participants should pay closer attention to the subtext of the regulation and the preferences of their customers.
