[PODCAST] 5 Simple Rules for PSD2 Strong Customer Authentication Success

Chief Legal Counsel, Martin Walsh, and Head of Pre-Sales of EMEA, Eric Gilmore, discuss the 5 Simple Rules for PSD2 Strong Customer Authentication Success. You can also download our free guide about PSD2 SCA to accompany this week's episode and keep you fully informed about the approaching September 2019 compliance deadline.

Check out more from our new podcast series and hear from various Daon leaders on the latest trends and hot topics driving the identity industry.

 

The Real World of Implementing Strong Customer Authentication from the SCA Summit

Guest Post by Eric Gilmore, Head of Pre-Sales Consulting, EMEA at Daon

Daon’s EMEA team recently attended the SCA Summit in London, an event that focused on getting ready for Strong Customer Authentication under PSD2. It’s certainly topical with the deadline for implementation of the Regulatory Technical Specifications (RTS) in mid-September this year. There was an array of speakers from banks, schemes, the UK regulator and solution providers. Daon’s Chief Architect, Paul Kenny, participated in an expert panel on the day.

Here are some of the things we learned (or were reminded of) and that could be useful for others in the midst of implementing solutions for the RTS:

  • Among the comments made by Caroline Ambrose of Barclays, the core theme was to think of the impact across all categories of customers. She identified six – including those for whom fraud has not just financial but emotional consequences. A key theme for her was thoughtful and iterative communication around the changes that are coming. Daon’s advice in this area includes offering options to customers and using a consistent authentication method.

  • Duncan McIntosh from RBS talked about how the bank is bringing in a multi-factor authentication platform that gives them the best methods of authentication available in the industry. He emphasised the RTS’s requirement for independent methods, where having the ability to use server biometrics is valuable, such as being able to capture a face during onboarding and then use it for key security events during the customer’s lifetime. RBS is looking at reducing the use of card readers and SMS OTPs over time and moving towards mobile app authentication, with device risk assessment factors and biometrics as key elements.
  • Caroline Birchinall from Visa talked about how use of the new generations of 3DSecure will help merchants and their processors as well as the acquirers and issuers to be compliant with PSD2. The upcoming 2.2 version will provide the best authentication experience with biometrics, and Visa will mandate European issuers to have a biometric option from April 2020. While adoption of 3DSecure amongst merchants across Europe is still low, the UK is a good example of how a well-implemented 3DSecure solution can reduce both fraud and transaction abandonment rates. With the risk-based method commonly used by UK issuers, abandonment rates are at 3% even while there is a higher rate of usage of 3DSecure than in other markets at 26%. It is clear from this presentation and others that awareness of the potential impact of the RTS amongst merchants and perhaps their processors is not yet sufficient – according to Visa, adoption of the latest 3DSecure versions is vital to reduce friction at checkout. For issuers, using biometrics is one of the key steps to prepare for SCA.
  • Amongst the topics addressed by Rob Woods from Lloyds Bank were attention to detail and testing in how you communicate when signing customers up for new authentication methods - in their experience, every word matters.
  • Tim Richards from Consult Hyperion also emphasised that, from his consulting work with merchants, he sees low levels of rollout of 3DSecure amongst merchants and how this will be a barrier to ensuring that payments are compliant with PSD2. Adaptation of ACS technology will be key. Later last week, the EBA acknowledged this concern around the readiness of the European Ecommerce marketplace – we’ll have an update on their latest communication on our blog soon.
  • Representing the UK’s national competent authority and banking regulator, Alex Roy from the FCA spoke about how innovation in payments, which the FCA encourages, can be followed by misconduct. This is why the FCA is encouraging pragmatic adoption of the RTS, including careful use of the exemptions allowed to reduce friction.
  • In the afternoon panel, Paul Kenny, Daon’s Chief Architect for EMEA, was among the speakers along with representatives from Starling Bank, Visa and experienced consultants. There was a good deal of discussion around the understanding of the RTS in the industry and readiness for the fast-approaching September deadline. Paul was amongst those to point out some of the lesser-known aspects of the RTS, including the need to use a two-factor authentication approach during the registration of the credential to be used during SCA (and for lost credential resets). Starling Bank is in the enviable position of having all its customers enabled for multi-factor authentication via its mobile app (as well as being API-driven) – the panel agreed that other payment service providers see this as a key method of authentication but may use lesser approaches at the deadline and then plan follow-on projects to attain a better customer experience. This could be a key differentiator between providers in the market, though, so they won’t want to wait too long.


Despite the difficulties that could lie ahead in the short term, the panel agreed that SCA has the potential to reduce fraud by introducing multi-factor authentication, and when implemented with care can offer a good user experience.

Daon has been offering organisations a platform that is inherently multi-factor since we launched IdentityX. We are ready to help payment service providers to implement convenient, compliant multi-factor authentication and looking forward to increasing trust in payments in Europe.

For more information, contact us at info@daon.com.

Download our “5 Simple Rules for PSD2 Strong Customer Authentication” guide here.
