The Paypers, paypers, Insight in payments, News, Reports, Events
Case study

InAuthenticate®: delivering Strong Customer Authentication to help support PSD2 compliance

Wednesday 18 July 2018 | 10:58 AM CET

As the financial industry prepares for PSD2 requirements, Michael Lynch, InAuth’s Chief Strategy Officer, reveals key authentication tools to help develop a compliant strategy.

The financial services industry is currently wrapped up in the buzzwords of Strong Customer Authentication (SCA), Consent, and Liability as it looks towards the deadlines of EU Payment Services Directive 2 (PSD2), General Data Protection Regulation (GDPR), and the UK’s Open Banking.

PSD2 will undoubtedly facilitate innovation, competition, and efficiency among banks and other payment institutions. While giving consumers additional choice over how they manage their money and transact online, PSD2 also calls for heightened security standards for online and mobile payments, ensuring consumer protection. With digital fraud growing faster every year, the need for enhanced security protections has never been more relevant.

The Regulatory Technical Standards (RTS) will apply in September 2019, leaving 14 months for the payment industry to get ready for this new state of play.

At the heart of the RTS is the need for Strong Customer Authentication, allowing consumers to be better protected when making digital transactions. But first of all, it is worth understanding exactly what SCA stands for under the RTS, and thus the onus on banks to provide secure transactions via their digital channels.

Strong Customer Authentication is mandatory under PSD2, and article 4.1 requires that users be authenticated using at least two separate elements out of the following three authentication factors:

  • Knowledge: something they know (a password or PIN code);

  • Ownership: something they have (a card, a mobile phone); and

  • Inherence: something they are (biometrics, e.g. fingerprint or iris scan).

Payment service providers need to support purchase and login scenarios that utilize and fulfill SCA requirements, while at the same time minimizing the amount of friction incurred by their users, which can result in customer frustration and abandonment.

Common forms of additional authentication use one-time passcodes sent through separate, “out-of-band” communication channels like SMS (text message) or email. While SMS and email are widely used authentication methods, both offer subpar user experiences that lead to friction. SMS and email are also insecure channels that can be compromised by malware, social engineering, man-in-the-middle attacks, and other techniques used by fraudsters.

Taking a closer look at SMS as a second factor of authentication, it appears that it does not entirely fulfill the security requirements, seeing that:

  • Messages can be compromised and forwarded to any device

  • It gives a lower level of confidence for the possession requirement

  • It lacks malware detection after the message arrives

  • It lacks cryptography

  • It does not provide secure storage on the device

The success of PSD2 will be determined by customer adoption, which will be driven by perceptions around user experience and data security. To ensure success, banks need to implement SCA solutions that are simple and easy to use for the end consumer, that securely deliver Two-Factor Authentication messages to the intended/registered device, and that are compliant.

InAuthenticate® helps to address PSD2 requirements by enabling the mobile device to act as a trusted second factor of authentication and by providing a secure means to deliver payment or account-related authorisation messages – directly to a trusted mobile device.

Delivered as a software development kit (SDK), InAuthenticate® is a secure Two-Factor authentication solution built into an organization’s mobile app. It provides a secure means of delivering two-way, contextual messages to a registered, trusted device through a financial institution’s branded mobile app.

Putting InAuthenticate® into action in everyday scenarios:

InAuthenticate® is a tool that can help achieve Strong Customer Authentication for PSD2 while mitigating security threats. InAuthenticate®’s ability to utilize the device as a second factor of authentication allows account and payment service providers to help meet many of the challenges of PSD2.

For more information about InAuthenticate®, click here to download the InAuthenticate® Product Use Case.

About Michael Lynch

Michael Lynch is InAuth’s Chief Strategy Officer and is responsible for developing and leading the company’s new products strategy, as well as developing key US and international partnerships. He brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specialising in security and technology leadership.


About InAuth

InAuth is a leading digital device intelligence company for a mobile-first world. InAuth delivers the most advanced device identification, risk detection, and analysis capabilities possible to help organisations limit risk, remove friction, and reduce fraud within their digital channels. With safer digital transactions, banks, payment networks, merchants, healthcare providers, governments, and other organizations are better positioned to capture new revenue opportunities and compete more effectively in an “always-on” world. For more information, visit