Offering payment solutions is high risk. Moving money always was and always will be. The development of card payments 55 years ago started with an embossed card and paper slips. It didn’t have great security, but it was fit-for-purpose. Over time, the card payment system has developed to allow consumers to make spontaneous payments for almost any value, anywhere in the world. The simple proposition was updated with new technology and better controls (for example Chip and PIN), keeping it fit-for-purpose as consumer behaviour changed and combating criminal behaviour.
However, the same principles have always applied. Payments must be convenient and easy to use but with strong protection to maintain trust. And the system must be actively monitored to maintain control. This is Visa Europe’s approach and it has kept fraud at record low levels of less than 5 eurocents for every €100 spent (0.044% in the year to June 2015). Nonetheless, whatever we do there will always be risk in payments. It’s the combined actions of all players – card issuers, merchant acquirers and merchants – that allow risk to be effectively managed.
At Visa Europe we believe these new standards must be flexible enough to ensure that new ways to pay remain convenient and secure for consumers in an evolving digital world, and that risk management remains fit-for-purpose to meet changing threats. We need to avoid one-size-fits-all regulation, because this could result in overly prescriptive requirements, which may restrict innovation in payments and drive payments to less secure environments. Ultimately, this would be detrimental to the growth of the Digital Market.
But this is not just Visa Europe’s concern. On 10 February, with event partner CEPS, we brought together leading policy makers and regulators, retailers, banks, payment service providers and security experts in a room packed to capacity to discuss how to achieve authentication standards for the overall benefit of European citizens, businesses and commerce. Here are three highlights from the day: the need for risk-based authentication, the case for letting retailers authenticate, and the need to consider the broader regulatory context.
PSD2 mandates the European Banking Authority to develop standards to deliver strong authentication for all electronic payments. This states that every electronic payment in Europe has to be verified with at least two of the following three factors: something you have (e.g. a card), something you know (e.g. a PIN or passcode) or something you are (e.g. a biometric). While there is support for the concept of strong authentication, there is a strong view that this type of authentication will not be required on every occasion. Sometimes, there are better ways to deliver the same results.
In a world of dynamic technology and evolving consumer behaviour, authentication can be performed better and more effectively by using smarter metrics. The solution is adaptive or risk-based authentication, which assesses which device is being used, where it is located and whether the transaction fits with both the consumer’s and the retailer’s normal behaviour. This also means that not all transactions should require strong authentication. If a transaction is low risk, then asking for strong authentication will make it harder for the consumer to pay, create more complexity for retailers and increase the time and cost for transactions to be completed.
Currently, regulation is focused on the card issuer as the authenticator, sometimes with an SMS or phone call. But a healthy payments chain should let all parties take risk decisions, notably merchants as well as issuers, so long as the consumer is protected. For example, you may have been a regular customer of an online retailer for many years, but only recently started to shop there using a new payment card. The card issuer would not know your history, so may wish to perform strong authentication. But the retailer could verify you instantly and easily. A high level of cart abandonment is the price for getting it wrong. And allowing all parties to manage risk also provides a better, more equal and accountable way to spread liability.
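The following is an added illustration, not Visa Europe’s or any issuer’s production logic, of the two ideas above: a check that a set of presented factors really spans two of the three categories (have / know / are), and a risk-based decision in which a retailer’s own history with the consumer can offset the issuer’s lack of history for a new card. The profile fields, weights and the step-up threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Factor categories as described on the page: something you have,
# something you know, something you are. Mapping is an assumption.
FACTOR_CATEGORY = {
    "card": "possession", "device_key": "possession",
    "pin": "knowledge", "passcode": "knowledge",
    "fingerprint": "inherence", "face": "inherence",
}


def is_strong_authentication(factors):
    """Strong authentication requires at least two distinct categories;
    two knowledge factors (PIN + passcode) do not count."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


@dataclass
class IssuerProfile:          # what the card issuer knows (assumed fields)
    known_devices: set
    usual_countries: set
    typical_amount: float     # e.g. rolling average of past spend
    past_transactions: int


@dataclass
class MerchantProfile:        # what the retailer knows (assumed fields)
    years_as_customer: int
    completed_orders: int


def risk_score(tx, issuer, merchant):
    """Additive score, higher = riskier. Weights are constructed."""
    score = 0
    if tx["device_id"] not in issuer.known_devices:
        score += 30
    if tx["country"] not in issuer.usual_countries:
        score += 20
    # A brand-new card has no history, which the issuer treats as risk
    if issuer.past_transactions == 0 or tx["amount"] > 3 * issuer.typical_amount:
        score += 30
    # The retailer's long relationship with the consumer offsets that risk
    if merchant.years_as_customer >= 2 and merchant.completed_orders >= 10:
        score -= 50
    return max(score, 0)


def authentication_decision(tx, issuer, merchant, threshold=40):
    """'step_up' means ask for strong authentication; otherwise frictionless."""
    return "step_up" if risk_score(tx, issuer, merchant) >= threshold else "frictionless"
```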
A final point was made on the need for good regulation. Prescriptive standards in a fast-moving world simply cannot keep pace with changing technology, consumer and criminal behaviour. And there is broader ongoing digital change in the form of data protection and cyber security regulation. Flexibility must be at the heart of the overall regulatory approach if Europe is to remain attractive to financial services and fintech investment.
This legislative change is ground-breaking. It is not simple and it is not easy; there will always be fraud around the movement of money. As such, there is always a risk decision and a line has to be drawn somewhere. If managed flexibly, these new requirements for consumer authentication have the capability to change the approach to risk in Europe, removing cost, simplifying acceptance and improving trade. But if we do not get this right, they could drive payments to less secure environments, restrict innovation in online payments and push digital commerce out of Europe. Visa Europe remains committed to constructive engagement with all parties to ensure convenient, secure and fit-for-purpose electronic payments across Europe for the benefit of consumers.