
Can the PSD2 really deliver an explosion of fintech innovation? Possibly. But only if consumers trust the exciting new services. That puts authentication at the heart of the legislation. Last week’s MEF Connects Digital webinar took a closer look at the topic.

The Payment Services Directive 2 is here. And four communities are very excited about it.

First up are the consumers. They’re rubbing their hands at new products that will make shopping easier and organising their finances more fun.

There are the banks. Some are nervous, but many see themselves as well-positioned to build families of exciting products around their core account services.


Then there are the fintechs. With API-based access to accounts, they are finally free to re-invent traditional financial services products.

And finally, the fraudster community. Oh, what an opportunity for them. They are scrutinising all the amazing new products mentioned above. And they’re thinking: we can spoof every one of them.

Yes, criminals. Blasted criminals. Always there ruining things for the rest of us.

Of course, the regulators are well-aware that their audacious attempt to shake up payments legislation (and make it fit for purpose in a mobile-first e-commerce world) is being watched by fraudsters. Which is why they have made ‘strong consumer authentication’ central to the directive.

Throughout history, every big or remote transaction has required two questions to be answered:

  1. Who are you?
  2. How can you prove it?

In the ‘card not present’ world of online payments, answering these questions is especially tricky.

Hence ‘two factor authentication’ (2FA).

PSD2 specifically says: “Two-factor authentication will be required for all electronic payments…”. It lets the transactional parties decide which two from ‘something you have’, ‘something you know’ and ‘something inherent’ to use.

However, as experts in the authentication space know, this stuff is not straightforward. No form of authentication yet invented is entirely fraudster-proof.

The MEF has plenty of authentication experts among its membership. Two of them shared their thoughts on the topic in a MEF Digital Connects webinar supported by CLX Communications.

They were Andrew Bud, Founder & CEO at iProov and Rob Malcolm, VP of Marketing & Online Sales at CLX.

Here are the big take-aways of the session.

1. Don’t forget: the legislation hasn’t actually said what strong consumer authentication (SCA) is yet.

The European Banking Authority (EBA) has said PSD2 requires strong consumer authentication. It has set out draft standards for the industry to consider in its Regulatory Technical Standards. But they will not be agreed until September 2019.

2. The law doesn’t say anything about what kind of biometrics you can use

Fingerprint and face are dominant for now (in mobile), but who knows what’s next? “The law doesn’t say you can’t have elbow authentication,” said Bud.

3. Prepare for a debate about on-device vs cloud-based biometrics

Should you authenticate ‘something you are’ (i.e. biometrics) locally on your device or by transmitting it to remote servers? Andrew Bud built his iProov company around the latter. But either approach is permissible.

4. Mobile operators have a role to play in preventing fraud

MNOs have insights on customers that can help catch criminals. They’re already using location APIs to determine whether a person is in the same vicinity as their credit card – or examining billing history to see if a SIM swap has recently been made. Rob Malcolm said there’s an opportunity to do more. “We hope they can do more with operators to build risk profiles related to a particular transaction.”
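The two operator signals named above (handset location versus point of sale, and a recent SIM swap) can be combined into a per-transaction risk profile of the kind Malcolm describes. The following is an added illustration, not code from MEF, CLX or any operator API: the signal values, the 50 km proximity threshold, the seven-day SIM-swap window and the score weights are all constructed assumptions, and a real deployment would take the inputs from the operator’s location and billing APIs.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class OperatorSignals:
    """Constructed stand-in for what an MNO location/billing API might return."""
    handset_lat: float
    handset_lon: float
    last_sim_swap: Optional[datetime]  # None when no swap is on record


@dataclass
class Transaction:
    merchant_lat: float   # where the card is being used
    merchant_lon: float
    amount_cents: int
    at: datetime


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def assess_risk(signals: OperatorSignals, txn: Transaction,
                max_distance_km: float = 50.0,               # assumed proximity threshold
                sim_swap_window: timedelta = timedelta(days=7)  # assumed "recent swap" window
                ) -> Tuple[int, str, List[str]]:
    """Score a transaction from operator signals.

    Returns (score, decision, reasons). Weights and thresholds are illustrative:
    either signal alone triggers step-up authentication; both together deny.
    """
    score = 0
    reasons: List[str] = []

    distance = haversine_km(signals.handset_lat, signals.handset_lon,
                            txn.merchant_lat, txn.merchant_lon)
    if distance > max_distance_km:
        score += 40
        reasons.append(f"handset is {distance:.0f} km from the point of sale")

    if signals.last_sim_swap is not None:
        swap_age = txn.at - signals.last_sim_swap
        if timedelta(0) <= swap_age < sim_swap_window:
            score += 50
            reasons.append(f"SIM swapped {swap_age.days} day(s) before the transaction")

    if score >= 80:
        decision = "deny"
    elif score >= 40:
        decision = "step_up"   # ask for a second factor before approving
    else:
        decision = "allow"
    return score, decision, reasons


# Constructed sample: card used in London while the handset reports Paris,
# two days after a SIM swap.
NOW = datetime(2018, 3, 1, 12, 0, tzinfo=timezone.utc)
LONDON = (51.5074, -0.1278)
PARIS = (48.8566, 2.3522)

SAMPLE_TXN = Transaction(LONDON[0], LONDON[1], amount_cents=12_000, at=NOW)
SAMPLE_SIGNALS = OperatorSignals(PARIS[0], PARIS[1], last_sim_swap=NOW - timedelta(days=2))

if __name__ == "__main__":
    print(assess_risk(SAMPLE_SIGNALS, SAMPLE_TXN))
```

The point of returning the reasons alongside the score is operational: a step-up challenge can be explained to a fraud analyst, and the weights can be tuned per signal without touching the decision logic.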

5. Mobile digital commerce is entirely exempt

Paying by direct carrier billing (DCB) for digital goods requires no authentication (for purchases under 30 euros). Here’s an opportunity, said Andrew Bud. He recalled that the first wave of mobile content purchasing succeeded entirely due to its lack of friction. “It didn’t have much else going for it!”

6. The ‘dynamic linking’ issue needs to be clarified

PSD2 mandates that ‘for payment transactions, the authentication code has to be dynamically linked to the transaction details.’

In other words, you can’t just send a passcode that carries no transaction details.
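The practical meaning of dynamic linking is that the authentication code is a function of the amount and payee, so a code captured for one transaction cannot approve a different one. The block below is an added illustration of that property and not code from the directive, the EBA standards or any PSP: it derives the code as an HMAC over the canonically encoded transaction details plus a per-transaction nonce, with the device key, field layout and HOTP-style truncation all being assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-device secret; in practice this would be provisioned to the
# customer's authenticator at enrolment (assumption for this example).
DEVICE_KEY = b"constructed-demo-device-key-0001"


def canonical_transaction(amount_cents: int, currency: str, payee: str, nonce: str) -> bytes:
    """Length-prefixed encoding of the details the code must be linked to.

    Length prefixes ensure two different (amount, payee) pairs can never
    serialise to the same bytes, e.g. amount "12" + payee "3..." vs "123" + "...".
    """
    out = b""
    for field in (str(amount_cents), currency, payee, nonce):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def generate_auth_code(key: bytes, amount_cents: int, currency: str, payee: str,
                       nonce: str, digits: int = 8) -> str:
    """Authentication code bound to the transaction details (HMAC-SHA256, truncated)."""
    mac = hmac.new(key, canonical_transaction(amount_cents, currency, payee, nonce),
                   hashlib.sha256).digest()
    # HOTP-style dynamic truncation: pick 4 bytes at an offset taken from the last nibble,
    # mask to 31 bits, then reduce to the requested number of decimal digits.
    offset = mac[-1] & 0x0F
    code_int = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def verify_auth_code(key: bytes, code: str, amount_cents: int, currency: str,
                     payee: str, nonce: str) -> bool:
    """The PSP recomputes the code from the details it is about to execute."""
    expected = generate_auth_code(key, amount_cents, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def new_nonce() -> str:
    """Per-transaction challenge so an old code cannot be replayed for a repeat payment."""
    return secrets.token_hex(8)


# Constructed sample transaction: 25.00 EUR to a placeholder payee identifier.
SAMPLE_NONCE = "a1b2c3d4e5f60718"   # fixed here so the example is reproducible
SAMPLE_CODE = generate_auth_code(DEVICE_KEY, 2500, "EUR", "PAYEE-PLACEHOLDER", SAMPLE_NONCE)

if __name__ == "__main__":
    print("code for the displayed transaction:", SAMPLE_CODE)
    print("same details verify:",
          verify_auth_code(DEVICE_KEY, SAMPLE_CODE, 2500, "EUR", "PAYEE-PLACEHOLDER", SAMPLE_NONCE))
    print("amount altered in transit:",
          verify_auth_code(DEVICE_KEY, SAMPLE_CODE, 25000, "EUR", "PAYEE-PLACEHOLDER", SAMPLE_NONCE))
```

This also illustrates the concern raised under point 7 below: the code only protects the customer if the amount and payee shown for approval are the ones fed into the computation, which is why authentication that relies on the integrity of the device deserves separate scrutiny.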

7. Some confusion around the authentication medium being different from the transaction medium

The directive states that the device making the authentication must be different from the device on which the payment is being made. So can a person buying on a mobile site authenticate with a fingerprint on the phone?

Bud said the directive allows for different channels to be used on the same device. But he said there was less clarity around authentication that “relies on the integrity of the device.”

8. The law will be good at catching stupid criminals

Without doubt, 2FA and SCA will expose fraudsters who make blunt attempts to ‘be’ someone else. But cleverer criminals will be thinking up new and convincing scams.

9. Look out for ‘shimming’ of new payment apps

As ever, fraudsters will be looking for ways to fool consumers into believing their copy of a product – a shim – is the real thing. “The real issue is with any kind of credential that can be shared in a human way…so there’s a risk of a bogus app that shims the real PSP app, gathers the permission from the user and then re-directs it to the fraudster.”

10. Voice commerce doesn’t mean voice biometrics

PSD2 has got people excited about new kinds of payments arenas. Paying inside a messaging app is one. Paying with Alexa et al is another. The panelists agreed this could happen. But neither trusts voice authentication. “I don’t think it’s the answer,” said Bud. “It’s very easy to spoof. There’s too little information in the data.”

Tim Green

Features Editor, MEF Minute


MEF Members – Download MEF’s PSD2 Guidelines

Available for Free exclusively for MEF members, the PSD2 guidelines are designed to help you better understand the changes and to assist in developing a sound PSD2 compliance strategy, while recognising the many new opportunities they will create.

Originally published in late 2015, the guidelines have been fully updated by MEF member Preiskel & Co and supported by CLX Communications, founding member of the Future of Messaging Programme, and provide a fully comprehensive update on this key regulation and its impact on mobile ecosystem.

Download the Guidelines now