The Move to The Cashless Economy Assisted by Article 97 of PSD2
by Michael Lynch, Chief Strategy Officer, InAuth
When the European Banking Authority (EBA) speaks, financial institutions listen. And organisations throughout the EU are listening intently right now as the EBA is poised to release a new round of regulations in their annual Payment Services Directive (PSD2).
This latest round of regulation is expected to be a boon for consumers by encouraging non-traditional parties to participate in electronic payments and accelerating competition within the banking community through multi-banking. It is expected to increase convenience for consumers, while simultaneously lowering transaction costs for financial institutions.
PSD2 also represents a step towards making the ‘cashless economy’ a reality. At its core, cash is an expensive instrument for running an economy. Paper and other ‘real’ forms of currency incur significant printing, storage, and other circulation logistics costs. According to the European Central Bank, the total cost of cash in the European Union is 1% or more of GDP.
While cash is currently the fastest way to pay for something, many experts are predicting it will eventually give way to real-time payments. This shift will no doubt have significant implications for treasury management functions at financial institutions worldwide.
It all hinges on security
There is, however, one big hurdle to this new cashless model—ensuring security in a mobile-first environment. Online transactions operate like cash transactions because once the transaction executes, the money transfers and reversal becomes problematic or even impossible. Furthermore, in the PSD2 model, the liability sits with the bank. Many of the anti-fraud tools and processes currently used by banks to prevent theft are performed manually or otherwise require a time delay to function. In the cashless economy, this would no longer be an option.
Without the assistance of technological improvement, moving to a faster payment structure jeopardises the maintenance of a high level of security. Fortunately, the EBA recognises this issue and, for this reason, mandates strong security protocols for all financial institutions very clearly in Article 97 of PSD2. The December 2015 EBA discussion paper on the subject outlines the expected regulation:
“Article 97(2) provides that, with regard to the initiation of electronic remote payment transactions, payment service providers shall apply strong customer authentication, which includes elements that dynamically link the transaction to a specific amount and a specific payee.”
The key phrase to understand in the statement above is ‘strong customer authentication’. This is typically accomplished through the use of two-factor authentication (2FA).
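The ‘dynamic linking’ requirement quoted above can be shown as an added example (not code from the article or from InAuth): the authentication code is computed over the canonical amount and payee with a key held by the enrolled device, so a code issued for one transaction cannot be reused for a different amount or payee. The device key, IBAN and field layout are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed sample key: in practice it is provisioned to the enrolled device
# during onboarding and never leaves it (the "something the user possesses" factor).
DEVICE_KEY = bytes.fromhex("7f3a9c11e2b4d5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e")


def canonical_message(amount, currency, payee, nonce):
    """Serialise the fields the code is bound to in one unambiguous form.

    Amount is normalised to two decimals and the payee identifier has spaces
    removed, so '250.0' and '250.00' (or an IBAN typed with spaces) link to the
    same transaction, while any real change to amount or payee changes the bytes.
    """
    amt = format(Decimal(str(amount)).quantize(Decimal("0.01")), "f")
    payee_norm = payee.replace(" ", "").upper()
    return f"{amt}|{currency.upper()}|{payee_norm}|{nonce}".encode("utf-8")


def issue_auth_code(device_key, amount, currency, payee):
    """Device side: produce a code valid only for this amount and this payee."""
    nonce = secrets.token_hex(16)  # fresh per transaction; the bank should reject reused nonces
    msg = canonical_message(amount, currency, payee, nonce)
    tag = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return nonce, tag


def verify_auth_code(device_key, amount, currency, payee, nonce, tag):
    """Bank side: recompute over the amount and payee that will actually be executed."""
    msg = canonical_message(amount, currency, payee, nonce)
    expected = hmac.new(device_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed payee IBAN, not a real account
    nonce, tag = issue_auth_code(DEVICE_KEY, "250.00", "EUR", "DE00 1234 5678 9012 3456 78")
    print(verify_auth_code(DEVICE_KEY, "250.00", "EUR", "DE00123456789012345678", nonce, tag))   # True
    print(verify_auth_code(DEVICE_KEY, "2500.00", "EUR", "DE00123456789012345678", nonce, tag))  # False
    print(verify_auth_code(DEVICE_KEY, "250.00", "EUR", "DE00999999999999999999", nonce, tag))   # False
```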
The importance of strong 2FA
Two-factor authentication (2FA) confirms a user's claimed identity by using a combination of two different components. These components may be something the user knows, possesses, or an attribute that is inseparable from the user’s identity. Using a combination of two such components creates strong security.
In the past, this was typically done with step-up security questions, but this is an ineffective method in an online environment. It simply doesn’t scale. Security questions put a barrier in the path of the customer and are relatively easy for fraudsters to circumvent.
Modern security standards require more permanent attributes associated with users that cannot be easily changed, altered, or guessed. PSD2’s Article 97 is expected to conform to this more restricted model to ensure the tightest security is being practised at all financial institutions and retailers in the European Union.
The goal is to make the transaction ‘frictionless’ by embedding these permanent identifying attributes into the process itself and making the authentication invisible to the user. While the highest form of 2FA security would use biometrics, this technology is not widely commercially available. Currently, 2FA is the next best thing—a combination of inalterable attributes associated with the users’ electronic device.
The unique identifiers within a mobile device can be combined to form security that is stronger than a browser on a PC. Mobile devices have many unique attributes such as the device’s location, manufacturer, operating system, and model number, which can be combined to create a permanent device ID to ensure a 100% positive ID for device recognition.
This unique identifier acts as a secure token, authenticating the user’s true identity during any transactions on the device. This is key to enabling faster payments in the future, providing an immediate review of a user’s device so faster payments can be enabled for trusted users.
While new security regulations are rarely greeted with a warm reception, Article 97 of PSD2 marks an opportunity for financial institutions to improve the customer experience, while also doubling security. Done right, using permanent device IDs actually enhances the customer experience. In the coming ‘cashless economy’, this is vital in protecting customers and financial institutions from fraudsters.