Even though security vendors and payments providers are telling merchants they are ready to provide compliance for transaction authorization in time for Europe's Payments Service Directive update (PSD2) deadline on Sept. 14, a significant challenge remains in the learning curve and technology needs for merchants.
The U.K.'s Financial Conduct Authority admitted as much in granting a migration period of 18 months without noncompliance fines for the Strong Customer Authentication provision of PSD2.
The grace period is based, in part, on the

The SCA migration period gives security providers and merchants time to establish where 3D Secure 2.0 will fit alongside other security measures.
As a result, providers touting 3D Secure 2.0 as a key authorization tool for the directive's SCA provision are also telling merchants that the migration period gives them time to make sure 3DS, when combined with other security layers, carries all of the authorization tools SCA calls for with electronic payments.
The migration period essentially says the U.K. regulators won't be penalizing those not in total compliance with the SCA provision for more than a year after the official Sept. 14 deadline.
"The reason for the migration period is that the merchant community is far from ready to make the transition," said Ron van Wezel, a senior analyst with Aite Group based in the Netherlands. "The U.K. regulator has agreed to the migration period, and other countries have also indicated to refrain from a 'big bang' scenario for SCA, with a few exceptions such as Finland, which is already used to SCA standards."
3D Secure 2.0 is the solution the payments networks push for complying with SCA, but it has not been implemented by many as of yet, Van Wezel said. "That's why the delay is very important to avoid a disaster in customer experience when SCA is introduced."
The SCA essentially requires multifactor authentication for online payments, the initiation of an electronic payment transaction or any payment action taken through remote channels that represent fraud risks.
From that standpoint, SCA does not require methods the payments industry has not addressed in the past, or has not tried to ingrain in the networks with regularity. It seeks authentication based on two or more elements drawn from three categories: something the user knows (passwords, security questions), something only the user possesses (mobile device, email address, etc.), and something the user is (biometrics).
But e-commerce merchants will need to update the payment networks that originate from their websites and apps in order to support the SCA-required authentication methods.
As such, vendors are notifying clients about progress they have made to help ease PSD2 compliance.
"The discussion about strengthening layers of defense for transactions is never-ending," said Vincent Roland, CEO of Worldline. "You have to create more complexities to reduce the temptation for fraud and, while that is nothing new, it is new that we are trying to get all merchants on board with 3D Secure 2.0 for stronger authentication."
Because 3D Secure 2.0 covers the SCA provision of having at least two authentication methods, many merchants should find it will satisfy their PSD2 compliance needs. But it doesn't mean merchants won't want other security measures, Roland said.
"With the mobile phone becoming an easy tool for transactions, you have to move to other technologies and there are many things you can do for authentication," Roland added. "The number of tools for mobile is quite large, as you can go to biometrics with your smartphone, or create digital identities in some countries that operate like your bank card."
The Sept. 14 deadline is important for issuers, acquirers and service providers, as they have to be compliant with what they are offering clients.
"If you are servicing a lot of countries, you have to understand what each local market needs," Roland said. "In that regard, 3D Secure is a global tool, one that is in our company's roots. We feel good about going live with it in PSD2, but that doesn't mean that on day one everyone will be ready."
With the
Companies like BioCatch, BehavioSec, ID Analytics and
"3D Secure 2.0 really has very little to say about biometrics in general and has no specific provision for gathering or analyzing behavioral biometric data," said Jordan Blake, vice president at BehavioSec.
"Having said that, there is room within the defined protocol and issuer-merchant-provider ecosystem to incorporate a wide range of biometric signals that would bolster authentication reliability," Blake said.
The "inherence" guideline of SCA includes behavioral biometrics in identifying a user by the way they type and swipe, and the angle at which they hold a device, among other things.
"In our view, behavioral biometrics is an important means of delivering inherence, not only because it can meet the EBA's guidelines, but because it can do so without adding friction to the user experience," Blake added.
Payment processor and technology provider Total System Services (TSYS) revealed this week it had developed a real-time authentication platform with various partners to deploy in Europe to comply with PSD2.
It's another example of authentication and fraud prevention utilizing machine learning to help card issuers make cross-border payments more secure.
Atlanta-based
2Checkout says it will "correctly apply exemptions" in areas in which PSD2 regulations won't always have to come into play, such as some recurring payments, low-value and low-risk transactions, as well as those between trusted beneficiaries.
As was the case with most regulatory deadlines — from the EMV migration liability shift in the U.S., to the
"It is a lot of work," Worldline's Roland said. "Technically speaking, you have to adopt, deploy and make authentication choices. The more global you are, the more complex it is."