How strong should customer authentication be?

By Peter Bayley, Executive Director, Ecosystem Risk • Visa

February 16, 2016

Offering payment solutions is high risk. Moving money always was and always will be. The development of card payments 55 years ago started with an embossed card and paper slips. It didn’t have great security, but it was fit-for-purpose. Over time, the card payment system has developed to allow consumers to make spontaneous payments for almost any value, anywhere in the world. The simple proposition was updated with new technology and better controls (for example Chip and PIN), remaining fit-for-purpose to keep pace with changing consumer behaviour and to combat criminal behaviour.

However, the same principles have always applied. Payments must be convenient and easy to use but with strong protection to maintain trust. And the system must be actively monitored to maintain control. This is Visa Europe’s approach and it has kept fraud at record low levels of less than 5 eurocents for every €100 spent (0.044% in the year to June 2015). Nonetheless, whatever we do, there will always be risk in payments. It’s the combined actions of all players – card issuers, merchant acquirers and merchants – which allow risk to be effectively managed.

At Visa Europe we believe these new authentication standards must be flexible enough to ensure that new ways to pay remain convenient and secure for consumers in an evolving digital world, and that risk management remains fit-for-purpose to meet changing threats. We need to avoid one-size-fits-all regulation, because it could result in overly prescriptive requirements that restrict innovation in payments and drive payments to less secure environments. Ultimately, this would be detrimental to the growth of the Digital Market.

But this is not just Visa Europe’s concern. On 10 February, with event partner CEPS, we brought together leading policy makers and regulators, retailers, banks, payment service providers and security experts in a room packed to capacity to discuss how to achieve authentication standards for the overall benefit of European citizens, businesses and commerce. Here are three highlights from the day: the need for risk-based authentication, the case for letting retailers authenticate, and the need to consider the broader regulatory context.

PSD2 mandates the European Banking Authority to develop standards to deliver strong authentication for all electronic payments. It requires every electronic payment in Europe to be verified with two of the following three factors: something you have (e.g. a card), something you know (e.g. a PIN or passcode) or something you are (e.g. a biometric). While there is support for the concept of strong authentication, there is a strong view that this type of authentication will not be required on every occasion. Sometimes, there are better ways to deliver the same results.

In a world of dynamic technology and evolving consumer behaviour, authentication can be better and more effectively performed by using smarter metrics. The solution is adaptive or risk-based authentication, which assesses which device is being used, where it is located and whether the transaction fits both the consumer’s and the retailer’s normal behaviour. This also means that not all transactions should require strong authentication. If a transaction is low risk, then asking for strong authentication will make it harder for the consumer to pay, create more complexity for retailers and increase the time and cost for transactions to be completed.

Currently, regulation is focused on the card issuer as the authenticator, sometimes with an SMS or phone call. But a healthy payments chain should let all parties take risk decisions, notably merchants as well as issuers, so long as the consumer is protected. For example, you may have been a regular customer of an online retailer for many years, but only recently started to shop there using a new payment card. The card issuer would not know your history, so may wish to perform strong authentication. But the retailer could verify you instantly and easily. A high level of cart abandonment is the price for getting it wrong. And allowing all parties to manage risk also provides a better, more equal and accountable way to spread liability.
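The two ideas above, the two-of-three factor rule and a risk decision that either the issuer or the merchant may take, are sketched here as an added example. This is illustrative code written for this page, not Visa Europe’s or any issuer’s real risk engine; the signals, weights, threshold and the `Profile` fields are constructed assumptions, and a real engine would calibrate them from fraud data.

```python
"""Constructed illustration of risk-based (adaptive) customer authentication.

Hypothetical scoring rules and thresholds: not Visa's or any issuer's real
risk engine.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Factor(Enum):
    POSSESSION = "something you have"   # e.g. the card or a registered device
    KNOWLEDGE = "something you know"    # e.g. a PIN or passcode
    INHERENCE = "something you are"     # e.g. a biometric


def is_strong_authentication(presented: Set[Factor]) -> bool:
    """Strong authentication needs two of the three independent categories.

    Two pieces of evidence from the same category (PIN plus password) do
    not count, which is why the check counts distinct categories.
    """
    return len(presented) >= 2


@dataclass
class Transaction:
    amount_eur: float
    device_id: str
    country: str
    merchant_id: str


@dataclass
class Profile:
    """What one party (issuer or merchant) has learned about this customer."""
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    typical_amount_eur: float = 0.0   # e.g. rolling median spend (0 = no history)
    prior_purchases: int = 0          # completed purchases seen by this party


# Hypothetical weights (constructed for the example).
UNKNOWN_DEVICE = 40
UNUSUAL_COUNTRY = 30
HIGH_AMOUNT = 30
TRUSTED_RELATIONSHIP = -25
STEP_UP_THRESHOLD = 50


def risk_score(tx: Transaction, profile: Profile) -> int:
    """Score a transaction from one party's point of view (higher = riskier)."""
    score = 0
    if tx.device_id not in profile.known_devices:
        score += UNKNOWN_DEVICE
    if tx.country not in profile.usual_countries:
        score += UNUSUAL_COUNTRY
    if profile.typical_amount_eur and tx.amount_eur > 3 * profile.typical_amount_eur:
        score += HIGH_AMOUNT
    if profile.prior_purchases >= 10:
        score += TRUSTED_RELATIONSHIP
    return max(score, 0)


def decide(tx: Transaction, issuer: Profile,
           merchant: Optional[Profile] = None) -> Dict[str, object]:
    """Let the payment through, or step up to strong authentication.

    Either party may vouch for the transaction: the lowest risk view wins.
    That is how a retailer can clear a long-standing customer who pays with
    a card the issuer has never seen on that device.
    """
    views = {"issuer": risk_score(tx, issuer)}
    if merchant is not None:
        views["merchant"] = risk_score(tx, merchant)
    vouching_party = min(views, key=views.get)
    lowest = views[vouching_party]
    return {
        "action": "step_up" if lowest >= STEP_UP_THRESHOLD else "frictionless",
        "decided_by": vouching_party,
        "scores": views,
    }


if __name__ == "__main__":
    # Scenario from the post: new card, issuer has no history, but the
    # retailer has seen this customer on this device many times.
    tx = Transaction(amount_eur=45.0, device_id="dev-1", country="DE",
                     merchant_id="shop-a")
    new_card_issuer = Profile()
    retailer = Profile(known_devices={"dev-1"}, usual_countries={"DE"},
                       typical_amount_eur=50.0, prior_purchases=30)
    print(decide(tx, new_card_issuer, retailer))
    # A stepped-up transaction still has to meet the two-of-three rule.
    print(is_strong_authentication({Factor.POSSESSION, Factor.KNOWLEDGE}))
```

The engine deliberately keeps the issuer's and the merchant's views separate rather than pooling their data: each party scores the transaction from what it has actually observed, and liability for a frictionless decision can then follow the party that vouched for it.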

A final point was made on the need for good regulation. Prescriptive standards in a fast moving world simply cannot keep pace with changing technology, consumer and criminal behaviour. And there is broader on-going digital change in the form of data protection and cyber security regulation. Flexibility must be at the heart of the overall regulatory approach if Europe is to remain attractive to financial services and fintech investment.

This legislative change is ground-breaking. It is not simple and it is not easy; there will always be fraud around the movement of money. As such, there is always a risk decision and a line has to be drawn somewhere. If managed flexibly, these new requirements for consumer authentication have the capability to change the approach to risk in Europe, removing cost, simplifying acceptance and improving trade. But if we do not get this right, they could drive payments to less secure environments, restrict innovation in online payments and push digital commerce out of Europe. Visa Europe remains committed to constructive engagement with all parties to ensure convenient, secure and fit-for-purpose electronic payments across Europe for the benefit of consumers.
