Traditional browser-based online banking will eventually lose market share to mobile devices with the ability to perform real-time transactions. While cash is currently the most direct way of paying for products and services, it could soon be a thing of the past. Michael Lynch, Chief Strategy Officer at InAuth, writes
The terms PSD2, EBA, 2FA, and Article 97 might appear at first glance to be typical regulatory jargon, but make no mistake; they have huge implications in the world of digital payments. What do they all mean?
The European Banking Authority (EBA) is poised to issue a new round of regulations and requirements in their annual Payment Services Directive (PSD2). This edict regulates payment services and payment service providers throughout the European Union. In short, it is a big deal. As written, PSD2 extends and accelerates many of the existing trends in European banking and online retail. This includes regulations encouraging non-traditional parties to participate in payments and accelerates competition within the banking community through multi-banking.
In this new PSD2 system, users will interface with banks through portals that consolidate all of their banking accounts, thereby forcing the banks into commodity-style competition. These trends are good news for consumers but have got security professionals on edge. The pros know a network is only as secure as its weakest link and the introduction of third party portals could potentially compromise it for everyone. With this in mind, Article 97 of PSD2, due out in a few months, is expected to require strong two-factor authentication (2FA) on all online transactions.
The importance of strong 2FA
2FA is a method of confirming a user’s claimed identity by using a combination of two different components. These components may be something the user knows, possesses, or an attribute that is inseparable from the user’s identity. Using a combination of two components from this list forms the backbone behind strong security. A good example of 2FA in everyday life is withdrawing money from an ATM. Only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.
However, this form of 2FA constitutes relatively weak security and is ineffective against modern threats like phishing and malware. In an effort to stay ahead of fraudsters, modern security standards follow more stringent requirements that rely less on temporary identifiers and knowledge that can be guessed. Instead they use more permanent attributes associated with users that cannot be easily changed, altered, or guessed.
The highest form of 2FA security includes the use of biometrics such as fingerprint or eye scans to ensure the 100% authentication of users. However, since this technology is not yet widely commercially available, 2FA is expected to be made up of the next best thing – a combination of inalterable attributes associated with the users’ electronic device.
This change represents a major opportunity for mobile technology because the unique identifiers associated with a mobile device can be combined to form security that is stronger than a browser on a PC. Fraudsters just can’t fake it. This unique identifier can then operate as a secure token, authenticating the user’s true identity, adding a layer of security that protects the organisation—as well as their respective customers—during any customer transactions on the device.
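As an added illustration (not part of the article and not InAuth's product), here is a minimal Python sketch of the "device as secure token" idea: a per-device secret provisioned at enrollment stands in for the device attributes the author describes, and every transaction gets a fresh server challenge bound to the transaction details, so a captured response cannot be replayed or reused for a different payment. The device ids, secrets and transaction fields are constructed for the example.

```python
import hmac, hashlib, secrets, json

# Constructed enrollment records: each device receives its own random secret
# at registration (the possession factor); only the server and that device hold it.
DEVICE_SECRETS = {"device-A1": secrets.token_bytes(32), "device-B2": secrets.token_bytes(32)}

ISSUED = {}    # challenge_id -> (device_id, bytes the device was asked to authenticate)
USED = set()   # consumed challenge ids, so a captured response cannot be replayed

def canonical(tx: dict) -> bytes:
    """Serialise the transaction deterministically so both sides MAC the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()

def issue_challenge(device_id: str, tx: dict) -> tuple[str, bytes]:
    """Server side: bind a fresh nonce to this device and this exact transaction."""
    challenge_id = secrets.token_hex(16)
    msg = challenge_id.encode() + b"|" + canonical(tx)
    ISSUED[challenge_id] = (device_id, msg)
    return challenge_id, msg

def device_respond(device_id: str, msg: bytes) -> bytes:
    """Device side: the enrolled secret never leaves the device; only a MAC is sent back."""
    return hmac.new(DEVICE_SECRETS[device_id], msg, hashlib.sha256).digest()

def verify(challenge_id: str, device_id: str, tx: dict, response: bytes) -> bool:
    """Server side: accept only a fresh challenge, for the same device and identical transaction."""
    if challenge_id in USED or challenge_id not in ISSUED:
        return False                      # unknown or already-consumed challenge (replay)
    issued_device, issued_msg = ISSUED[challenge_id]
    expected_msg = challenge_id.encode() + b"|" + canonical(tx)
    if issued_device != device_id or issued_msg != expected_msg:
        return False                      # response presented for a different device or payment
    expected = hmac.new(DEVICE_SECRETS[device_id], issued_msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response):
        return False                      # constant-time comparison of the MAC
    USED.add(challenge_id)
    return True
```

Because the response covers the payee and amount, a phished PIN or a MAC captured from one payment gives a fraudster nothing usable for another.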
Strong security enables frictionless
Financial institutions and online retailers have a conflicted relationship with these predicted changes in security regulations. On the one hand, they realise PSD2 is a good mechanism for reducing fraud. On the other, they expect the new regulations and heightened security will negatively affect their ability to create a frictionless experience for their customers. Based on past experience, this fear of slowing down transactions is understandable.
To many organisations, tighter security means more forms for customers to fill out, more challenge questions, and more passwords for them to remember. Financial institutions and retailers know their customers don’t want these barriers; they just want their transaction processed. Slowing the process down unnecessarily is an irritation for customers that puts the entire transaction in jeopardy. In this new paradigm of using permanent device IDs, security enhances the customer experience rather than detracting from it.
What makes this possible is that the mobile device itself can serve as a unique identifier. When handled in this fashion, we can look at cybersecurity as a transaction enabler that enhances customer service, rather than as a barrier. The two no longer have to be mutually exclusive. In the future, cybersecurity will aid and assist in the comfort of the user by remaining in the background, quietly greasing the wheels of the transaction.
Positioning for the cashless economy
Organisations that comply by using mobile as a secure 2FA token will be far better positioned for the cashless economy. The challenge will be dealing with the elimination of the lag time that has traditionally been in place for suspicious transactions. Electronic payments have typically required a manual review of potentially fraudulent transactions. That will no longer be the case.
Clearly, a move to faster payments is something everyone – consumers, businesses, financial institutions, and governments – wants to happen. While cash has always been the most immediate form of payment, it is an expensive instrument. The US spends $200bn to keep its cash system working and, according to the European Central Bank, the total cost of cash in the European Union is 1% or more of GDP.
Stronger authentication models put in place now are key to enabling faster payments, eliminating the processing lag and executing the transaction in real time. Many of the anti-fraud tools and processes used by banks are either performed manually, or are geared around having a built-in time delay. These slower payment processes give institutions more time to detect and prevent possible fraud.
Customers won’t be satisfied with delays. Strong device authentication and risk assessment are necessary. Many experts, including the consulting firm Deloitte, are predicting that cash, while still the fastest way to pay for something, could become a thing of the past, with real-time payments as its successor.