PSD2: Lack of clarity from regulators hindering Strong Customer Authentication


PSD2: Lack of clarity from regulators hindering Strong Customer Authentication

As the second Payment Services Directive continues its roll out, regulations making it obligatory for organisations to implement strong customer authentication (SCA) in online payments will come into force on September 19th this year.

Despite being less than a month away, regulators have still not made clear what the most effective way to implement SCA is, in a way that does not compromise on customer convenience.

What is SCA?

In short, SCA means adding additional authentication factors to online payments, in order to better protect customer data and reduce the risk of fraud. In theory, a great initiative, but the key challenge for customer-facing businesses here is how to achieve this without damaging the seamless experience that customers have become used to, such as one-click ordering.

Because of the lack of clarity from regulators on how best to proceed, the only viable solutions at present are SMS or mobile app-based authentication and there are two big hurdles to overcome here: find ways to better secure these channels, and redouble efforts to come up with new solutions to maintain a positive customer experience.

Better data security and customer experiences

SCA is clearly crucial if we want to be serious about data security. Unfortunately, the current focus on SMS and app-based push notifications doesn’t quite hit the mark as we would like it to. SMS is vulnerable to compromise, with hackers being able to employ techniques such as unauthorised SIM swap to gain access to personal data. Mobile app penetration, meanwhile, still has some way to go before we can assume that everyone is using it.

The last thing that companies want to do is sacrifice certain elements of the customer experience in order to bring SCA to the fore, so action needs to be taken by all involved to come up with improved, more effective means of authentication.

Effectively actioning SCA

To remedy the situation, input from regulators needs to be clearer and more decisive, and that a more productive, collaborative relationship should be fostered between bodies like the Financial Conduct Authority (FCA) and customer-focused businesses. At the same time, businesses themselves need to prioritise the implementation of cybersecurity practices and software that can nullify the vulnerabilities of authentication methods such as SMS.

PSD2 is a critical directive for any company handling online payments, so it’s vital that meeting its requirements is as straightforward as possible for everyone involved. This means both regulators and businesses working together to break out of the inertia that has permeated the approach to SCA adoption so far. With solid commitment and a clarity of vision from both sides, this is very much achievable.

At the same time, businesses need to seriously consider implementing comprehensive fraud detection software that is adapted to the methods that are – and will in the future – be used for bringing SCA to online transactions. These technologies should be able to detect flaws, vulnerabilities and threats across a range of channels, enabling organisations to react accordingly. Crucially, they should also be able to operate in a fully transparent manner, in a way that minimises impact on the customer experience.

Discover more about how you can reduce fraud while building trust with customers through Aspect Verify.