
MEMORANDUM

QED Conference on Customer authentication and common & secure communication under PSD2

John Basquill, Editor, Payments Compliance (moderator)

Mr Basquill reminded delegates that PSD2 comes into effect across the EU in January 2018, but has already been transformative for swathes of the industry from the largest global banks to FinTech start-ups. He said that one of the most eye-catching changes is that two types of third-party provider – for payment initiation services and account information services – will be permitted to gain access to consumers’ bank accounts. Moreover, banks are actually obliged to allow those service providers access. Mr Basquill commented that the final text of PSD2 left a few loose ends, such as how payments can be authorised securely, and how the third party access model works in practice. To resolve some of these points, the EBA published its draft Regulatory Technical Standards (RTS) for consultation. “The draft RTS itself caused a few ripples in the industry,” he commented, “which we look forward to discussing at this conference.”

Dr Dirk Haubrich, Head of Consumer Protection, Financial Innovation & Payments, European Banking Authority

Dr Haubrich introduced the EBA, its scope of action and output to date, which since its creation in 2011 includes the issuance of over 200 legal instruments and 100 reports. He said that PSD2 conferred on the EBA the development of 11 mandates, and he briefly explained each one. He focused on the mandate on strong customer authentication (SCA) and common & secure communication (CSC) under Article 98 of the PSD2. For this mandate, the RTS is to be submitted to the European Commission in January 2017, and will be scrutinized by the Commission as well as the European Council and Parliament over a period of at least three months. Once the Commission adopts and publishes this particular RTS, it will be applied 18 months later, so no earlier than October 2018. Dr Haubrich talked about the challenges facing the EBA in developing the RTS on SCA and CSC. These include delivering the mandate by the deadline of January 2017 while getting early input; developing security requirements that are not only an enhancement for existing payment services, but also facilitate the orderly functioning of the new services that are introduced through PSD2 and mitigate the specific risks associated with them; finding appropriate trade-offs between various competing demands which he described in detail; and developing the RTS within the confines of the provisions and definitions in PSD2. Dr Haubrich then talked through each chapter of the consultation paper, starting with the SCA procedure (1); exemptions to SCA (2); protecting user credentials (3); and standards of communication (4). In all areas he expressed great interest in hearing the industry’s views on the proposals (the consultation period ends 12 October 2016). He also stated that the publication will include a ‘feedback table’ that lists all the comments the EBA has received, and will explain whether or not amendments have been made, and why.

Luke Olbrich, Head of EMEA Core Payments, PayPal Europe

Mr Olbrich stated that the EBA’s position on authentication for electronic and mobile commerce transactions, if implemented as described, will disrupt the payments industry across all 31 EEA Member States. “Any single form of multi-factor authentication of payments beyond a risk-based approach by a bank or payments provider is not the right answer,” he said. As an illustration, in 2015 PayPal implemented 3DS card authentication for the first time, and experienced directly the highly disruptive effects on the European digital market. After testing this with several million consumers across all 31 EEA Member States, average failure rates of 40% were recorded, with a peak of 51% in Germany alone. PayPal was obliged to quickly adjust its 3DS approach in view of this massive push-back of its user base. Mr Olbrich said that this demonstrates that any security policy setting blanket restrictive criteria, regardless of any risk-based approach, is doomed to fail. He said that the EBA should set quantitative minimum levels of fraud: payment providers failing to meet these benchmarks can then be mandated to comply with more rigid qualitative security requirements. He also asked that various exemptions for strong customer authentication, like transactions under 10 euros or for the same amount in the same location, be reviewed in a more pragmatic way. In closing, Mr Olbrich suggested that “an overly prescriptive, security management solution across Europe simply opens up the door for massive infiltration by global fraudsters who are daily evolving their capabilities. Therefore it is critical that the EBA develops a risk-based authentication measure to allow payment service providers to effectively and on an ongoing basis, address these challenges.”

Georg Schardt, Managing Director, Sofort

In Mr Schardt’s view, security is key, and should the draft RTS be adopted as proposed in the consultation paper, it will sooner or later shut payment initiation services (PIS) – considered the most secure payment method, accounting for 60 million transactions per year in Europe – out of the European payments market. He said that Article 19 of the draft describes a dedicated communication interface which would be mandatory for PIS to use to access the customer bank account. Banks would be given the opportunity to foreclose PIS direct access via the existing consumer or online banking platform, even though PIS has been a safe and proven solution for nearly 15 years. This is in stark contrast to what the PSD2 text provides; it guarantees PIS the direct access via the web interface of a customer interface or online banking platform and rejects a particular business model for the provision of payment initiation services. He described it as a political compromise that does not correspond to market reality. In closing, Mr Schardt urged the EBA to respect the political will of PSD2 and provide a truly level playing field without making a bank-independent service dependent on a bank’s goodwill.

Esteban Martin, VP Industry Engagement, European Market Development, MasterCard

Mr Martin pointed out page 47 of the RTS – Options Considered – and in particular the fourth one (Scope of Exemptions), which he says is resolved with a very prescriptive approach which was a big surprise to MasterCard. Mr Martin outlined five points of concern on this issue. First, independence of devices, which will not work in today’s environment nor in the future of the Internet of Things. Here, clarity on what segregation means in practice is needed. Second, biometric authentication, which provides a good consumer experience, but the draft leaves some questions open. Third, emerging payments such as wallets and virtual cards and their authentication for every transaction, which is considered too strict. Fourth, the exemptions for contactless and remote transactions, which should be revised due to gaps, for example tollways. Fifth, demanding customer authentication for every single transaction is in conflict with the EBA’s own guidelines, will lead to increased friction and abandonment of transactions, could slow down the development of e-commerce in Europe, and compromises the objectives of the European Commission to promote a digital single market. On the topic of card abandonment, Mr Martin said that card issuers should retain their ultimate right to approve or decline a transaction if SCA was not offered (by a non-EEA merchant) – notwithstanding the fact that issuers must be prepared for SCA. Dr Haubrich acknowledged this concern as important and said it was something that the EBA would need to raise to the EC, who should in turn decide.

Sarah Webb, Managing Director, BarclayCard

“95% of transactions are authenticated in the background by risk profiling, using 100 variables,” remarked Ms Webb. “The issue we have with the RTS as currently drafted is that it might stifle innovation, and stifle the motivation to actually continue with this risk profiling and eradicate fraud.” She explained that in many cases, two-factor authentication is simply not necessary, and breaks the model of a positive consumer experience that banks are driving towards. Furthermore, in her opinion, it will not reduce fraud levels. Ms Webb also has issues with the exemptions and where they are applied. Currently, merchants have the ability to override the second factor of authentication and apply a one-click solution or an invisible payment solution; the latter is becoming increasingly used. Applying two-factor authentication as described may stifle that, and again lower the experience for consumers. She called for creativity to tackle this problem, rather than rigidity which hampers innovation.

Angus Fletcher, Director, Global Head of Market Advocacy GTB Product Management, Deutsche Bank

According to Mr Fletcher, Deutsche Bank regards PSD2 as landscape changing, and is looking forward to it providing greater opportunities to work with FinTechs. However, he sees two-factor authentication as restrictive, and would prefer to see risk-based principles being applied. He is particularly concerned that the types of authentication presented in the RTS are not suitable for large corporate payments, which must not be held up in any way. He also questions the role of PIS providers in the corporate space. Mr Fletcher also addressed the roles of PIS providers and account information service providers, and said that it’s critical for a bank to trust them if they are going to access the bank accounts of customers. To do that, any centralised database of authorised providers must be accessible to banks in real time. Finally, he stated that there should be a standardised API approach across Europe.

Open discussion

A delegate (an account information services provider) in the audience believes that a solution should include the API but should not exclude the AIS provider from using the direct online banking site to request information belonging to a user. Mr Olbrich said that PayPal already uses a number of providers around Europe to offer instant top-ups to accounts, effectively through online banking. His concern is that access to accounts would increase without there being sufficient insurances or standards in place. Mr Schardt said that he is fine with using a proper API if it would be in place, as long as it would not be mandatory, and that if it didn’t work properly, there must be the possibility to switch back. Dr Haubrich pointed out that the PSD2 already says that if the interface that is provided by the bank is not available, then reverting back to the old way is perfectly possible. Mr Fletcher said that it’s in the interests of Deutsche Bank to have an open API, and this issue has huge ramifications on its processes and systems.

“It’s not a case of trying to protect what we have, it’s about ensuring the safety and security of the bank accounts of our customers, which involves working closely together with new payment service providers.”

A delegate pointed out that a bank will have to open up their infrastructure to TPPs, but wanted to know if that applied from January or October 2018. Dr Haubrich said that PSD2 applies from January 2018, when accounts will be “open, for lack of a better word”, and that it is explicitly stated that banks are not in a position to block transactions or block access by TPPs from that date onwards, and that the PSD2 provides for the security requirements to come in at a later stage, namely October 2018 at the earliest. Mr Basquill brought up the topic of fraud, and commented that although fraud has increased in absolute terms over the recent years, it has decreased proportionately considering the growth of e-commerce. Ms Webb said that everyone is motivated to deal with fraud and to reduce the level of fraud even further. She thinks that the application of further authentication steps on top of risk profiling will have a direct impact on e-commerce. Mr Olbrich pointed out the rapid evolution of fraudster technology: “in six months’ time, anything that is defined from a qualitative point of view will be out of date.” This is why PayPal isn’t going to rely on a single solution but will put in their own risk-based authentication. To a question on the use of biometrics, Mr Martin said that MasterCard is launching a new pilot program to help shoppers improve the security of their transactions by taking photos of themselves (Selfie Pay). In the RTS, he is concerned about the lack of clarity on biometrics, especially as it’s a big area for mainstream innovation. Dr Haubrich acknowledged the importance of the point raised earlier by Mr Martin on card abandonment (that card issuers should retain their ultimate right to approve or decline a transaction if SCA was not offered), and said it was something that the EBA would need to raise to the EC, who should in turn decide.

A final question from the floor was whether the EBA would enable the RTS to be reviewed in regard to the impact of the rules on the market. Dr Haubrich said that the PSD2 provides that the RTS should be reviewed on a very regular basis to take into consideration fast-moving technology.
