It’s been a few months since we checked in on the EU’s second Payment Services Directive (PSD2) with many headlines instead choosing to focus on California’s GDPR companion, CCPA. However, now that most businesses have taken care of their local and international privacy regulations, it’s a good idea to take a look at the other looming threat to your business should you be caught unprepared.
As a quick refresher, PSD2 is meant to open up the banking industry, giving licensed Fintechs access to account data and payment initiation in order to create a more competitive landscape and streamline the process for consumers. The portion of PSD2 that nearly all e-commerce companies need to care about, and the one we focus on today, is Strong Customer Authentication (SCA).
In the past, most consumers made an online purchase by logging into an account, entering their credit card details and clicking ‘buy.’ It’s a simple enough process but largely unsafe: a single password is all that stands between a fraudster and the account, and stolen or guessed credentials (credential stuffing, phishing, brute force) are cheap to obtain. SCA is meant to protect consumers from this kind of account takeover. Now, card not present (CNP) transactions that touch the European Union require an extra authentication step unless a specific exemption applies.
When is SCA required?
Article 97(1) of the directive requires that payment service providers use strong customer authentication where a payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Article 4(30) defines “strong customer authentication” itself, in effect as multi-factor authentication:
an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data
So to encapsulate: if a user makes an online purchase or transaction, two of the three elements are required. Typically this will be something the user knows (a password) and something the user possesses (a phone, or more specifically a one-time passcode sent to that phone). Ordinary two-factor authentication therefore covers the core of the requirement, with two caveats a practitioner should not skip. First, the two elements must be independent, so compromising one (for example, malware on the phone) must not also expose the other. Second, Article 97(2) additionally requires that for remote electronic payment transactions the authentication be dynamically linked to the specific amount and payee, which rules out a generic login OTP that is not bound to the transaction being approved.
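The possession factor described above is usually a short numeric one-time passcode delivered to the user's phone. The following is an added example (not code from the original post or from TeleSign) of the server-side half of that check: the code is generated with a cryptographically secure RNG, only a keyed digest of it is stored so a leak of the pending-challenge store does not reveal the codes, it expires, it is single-use, comparisons are constant-time, and guessing is capped so the 6-digit space cannot be enumerated online. The `server_key`, time-to-live, digit count and attempt cap are assumed values for illustration; the SMS delivery itself is out of scope and left to the caller.

```python
import hmac
import hashlib
import secrets
import time

OTP_DIGITS = 6            # assumed: length of the code sent to the phone
OTP_TTL_SECONDS = 300     # assumed: challenge is valid for five minutes
MAX_ATTEMPTS = 5          # assumed: online guesses allowed per challenge


def _digest(key: bytes, salt: bytes, code: str) -> bytes:
    """Keyed digest of the code. Without `key` a dump of the store is useless,
    which is what stops an offline sweep of the 10**OTP_DIGITS code space."""
    return hmac.new(key, salt + code.encode(), hashlib.sha256).digest()


class OtpStore:
    """Holds pending one-time-passcode challenges keyed by session id."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key          # secret held only by the server
        self._now = now                 # injectable clock (tests use a fake one)
        self._pending: dict[str, dict] = {}

    def issue(self, session_id: str) -> str:
        """Create a fresh code for `session_id`. The returned plaintext code is
        handed to the SMS sender and is never stored or logged."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[session_id] = {
            "salt": salt,
            "digest": _digest(self._key, salt, code),
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, session_id: str, submitted: str) -> str:
        """Check a submitted code. Returns one of:
        'ok', 'wrong', 'expired', 'locked', 'no_challenge'."""
        rec = self._pending.get(session_id)
        if rec is None:
            return "no_challenge"
        if self._now() > rec["expires"]:
            del self._pending[session_id]
            return "expired"
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            # Too many guesses: burn the challenge; the user must request a new one.
            del self._pending[session_id]
            return "locked"
        candidate = _digest(self._key, rec["salt"], submitted.strip())
        if hmac.compare_digest(rec["digest"], candidate):
            del self._pending[session_id]   # single use: a replayed code fails
            return "ok"
        return "wrong"


if __name__ == "__main__":
    store = OtpStore(server_key=secrets.token_bytes(32))
    code = store.issue("checkout-1234")   # constructed session id
    print("would send via SMS:", code)
    print("verify correct code:", store.verify("checkout-1234", code))
    print("replay same code:  ", store.verify("checkout-1234", code))
```

The challenge is bound to a session id here; to satisfy dynamic linking for a payment, that session must itself be tied to the exact amount and payee shown to the user when the code is requested, and a change to either must invalidate the pending challenge.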
Friction and Churn
One thing businesses should keep in mind with multi-factor authentication is that it increases friction and, with it, churn. Friction is any hurdle that stops a process from being completed, in this case having to enter a one-time passcode on an e-commerce site after the password. The vast majority of these transactions will complete as normal, but a small percentage will be abandoned because of the additional step. That abandonment is the churn.
The Regulatory Technical Standards that accompany PSD2 allow the second factor to be skipped under certain exemptions. One is the low-value exemption for remote transactions of no more than €30, which also carries cumulative limits since the last time SCA was applied, so it is not a blanket pass for every small purchase. Another is transaction risk analysis, where a low fraud-risk assessment, which can draw on digital identity signals, lets the payment proceed without a challenge. In both cases the exemption is claimed by a payment service provider, and the card issuer can still decline it and demand SCA, so a checkout flow has to be able to step up to the challenge at any time.
Digital identity, in this context, means the metadata behind a phone number, i.e. its digital footprint. Carriers hold a certain amount of information about a subscriber, and companies like TeleSign help e-commerce platforms keep their users safe by matching this information quietly in the background in risk prediction models that support the PSD2 and SCA exemptions. For businesses trying to provide a seamless experience for their users and eliminate friction, digital identity is an effective, safe way to keep revenues up and customers happy. To learn more about TeleSign’s digital identity solutions or about the pending PSD2 compliance deadline in December 2020, talk to your TeleSign Account Director today.
TeleSign has been connecting and protecting online experiences for over 15 years. We support 21 of the 25 largest web properties in the world and we’re prepared to help you. Contact TeleSign now and learn more about how to keep your platform safe.