Europe's PSD2 delay puts more pressure on 3-D Secure 2.0

Banks, for the most part, have not advanced their core digital technologies as quickly as payments networks and disruptors ahead of the original PSD2 deadline. And the European Banking Authority has also cited the payments networks for not advancing the 3D Secure 2.0 online authentication model far enough to comply with PSD2 provisions.

3D Secure 2.0 is a compliance tool that card brand-operated EMVCo had pushed, until being told it needed a biometric layer and had to deliver authentication faster to meet the Strong Customer Authentication provision standard of PSD2.

These complications arrive in the wake of the General Data Protection Regulation, which took hold more than a year ago throughout Europe. Even though GDPR has not created the complexities that PSD2 has had in advancing payment technologies at banks, the regulation — which moved control of data to the consumer — nonetheless remains a formidable task for businesses and banks alike.

Yuriko Nakao/Bloomberg

"From a technology point of view, to be compliant to GDPR was easier," said Michael Reitblat, CEO of security technology provider Forter. "Plus, everyone understood the penalties for not complying, knew what they had to do and were given plenty of lead time to do it."

The same can't be said for the SCA provision of PSD2, which has plenty of moving parts and had triggered plenty of confusion about what would qualify as a strong digital authentication method. PSD2's deadline was set to be Sept. 14, but the EBA and U.K.'s Financial Conduct Authority said it would not enforce compliance for 18 months.

"The 18-month delay is for every aspect of PSD2, but the focus is really on the SCA because if that is not right, everything else is not functioning properly," Reitblat said.

It is especially complex now, in that far too many banks are not ready to authorize digital transactions carrying upgraded security methods, and 3D Secure 2.0 essentially has to go back to the drawing board to adjust to SCA.

"I believe the European Banking Authority was disappointed that the legacy payments ecosystem wasn't able to come up with something better than 'something you know' and 'something you have' by the deadline," said Steve Mott, principal of BetterBuyDesign, a Stamford, Conn.-based consulting firm, referring to reliance on passwords and use of a second-factor device. "Since that combination is widely repudiated, 3DS2 doesn't make it to prime time."

Adding in "something you are" through biometrics is where most fraud prevention tools are heading, and the card brands have 18 months to update their authentication tool.

"But it might not be so obvious, as the current design of 3DS2 anticipates 'in-line' data transfers rather than communications with biometric databases outside of the network," Mott said.

Plus, the card networks will have to grapple with the EBA's belief that the authentication process of 3DS2 at about 10 seconds is too slow, and the addition of biometrics would possibly add to that time element.

"If it is slower, the world will need a solution, and providers, that are more robust than the legacy networks offer," Mott added. "It should be interesting to watch what the networks do now."

And if the payments networks do resolve that problem, there is still the issue of how the banks' networks will be able to handle modern authentication technology.

"A lot of the changes taking place in the payments industry were not actually happening on the core banking side," Forter's Reitblat said. "Those systems still run on the same rails as 30 years ago and now, all of a sudden, the first step in this regulation process calls for them to digitally authenticate a transaction, which is something they were never required to do and maybe is not so easy on an older IBM mainframe."

As the banks scramble to adapt their current payment processing platforms to modern technology, including cloud networks and API connections, they are finding it much more difficult than to simply create a new mobile banking app to authenticate customers, Reitbalt added.

On the other side of the matter, merchants don't want to adopt any system that could cause friction on their end. They know all too well that delays in authorization or issuing of false positives result in lost sales. That was the downfall of the first version of 3D Secure.

"We are ready on our end to help banks prepare for this, with collaboration from our merchant network," Reitblat said. "We can't do the banks' jobs for them, but we can help through collaboration, which is what this will take."

Forter has earned financial backing and increased interest from merchants because of its Merchant Retail Network in which merchants get the benefit of Forter having shared data from retail clients and protecting all of them from attacks that may have initially targeted only one or two retailers. That shared data helps in terms of what banks are ultimately sent for authorization, but they have to be to handle the digital technology.

The harsh reality will set in fairly quickly for those who look at the 18-month leeway as a reason to procrastinate.

"The fraudsters don't care about an 18-month delay, and they aren't going to say they will take that time off and come back later," Reitblat said. "They are going to get more and more sophisticated during that time, and those banks and businesses that wait will only have more severe fraud challenges."