25 September 2017
Frictionless Fraud Prevention
Sadra Boutorabi - GPayments

Online Banking

3D Secure 2.0 and PSD2, live together in perfect harmony

23 August 2017

What is PSD2?

PSD2 is the second iteration of ‘Payment Services Directive’ (PSD), a European Union (EU) directive first introduced in 2007 to regulate payment services and payment service providers (PSPs).

PSD also allowed for better pan-European competition and participation in the payments industry, while threatening to break up the banking industry’s monopoly on facilitating secure online payments.

Primary Aims of the Payment Services Directive

  • Dictated the rules and guidelines for modern payment services in the EU

  • Simplified payment processing within the EU

  • Aimed to promote competition by opening payments up to new entrants

  • Improved payment efficiency, encouraged innovation and reduced costs

  • Provided the legal platform for the ‘Single Euro Payments Area’ (SEPA)

Payment Services Directive

The EU’s Payment Services Directive was a way of protecting consumers, merchants, and issuers from crime while establishing an industry wide standard for the online processing of payments.

Although online payments are a global phenomenon, companies must still adhere to national regulation wherever they operate.

Governments the world over are of course eager to reap the benefits of participating in this global payment system, however, they still have an obligation to protect consumers, merchants, acquirers, and issuers from online fraud; hence the need for a set of universal (for the most part) directives.

In response to changes in online payment infrastructure, along with the numerous technological advances which have taken place in the last decade or so, the EU deemed it necessary to update the legislation back in 2016.

The updated directive requires that all participating states implement the new rules as national law by 13 January 2018, which is why the industry is becoming increasingly interested in, and potentially concerned about, complying with PSD2.

PSD2: What’s Changed?

PSD2 is a substantial overhaul of existing regulations for the payments industry.

It aims to increase competition within the payments industry, bring into scope new types of payment services, enhance customer protection and security, and extend the reach of the Payment Services Directive.

Naturally, merchants, issuers, and acquirers, along with some particularly security-conscious consumers, want to know what’s changed and what’s been added to the original Payment Directive Services legislation.

Let’s start with a list of the key changes as these will be the most pressing for those wishing to ensure they are in full compliance with the new PSD2 regulations.

PSD2: Key Changes

  • Creates a level playing field for payment service providers by letting new third-party companies enter the payments space under regulation; these Third-Party Providers (TPPs) are divided into two classifications:

    • Account Information Service Providers (AISPs)

    • Payment Initiation Service Providers (PISPs)

  • Extends scope of regulation beyond Europe partly by including what are referred to as ‘one leg out’ transactions

  • Mandates SCA (Strong Customer Authentication) for electronic payments and remote account access: at least two independent factors drawn from knowledge (e.g. a password), possession (e.g. a registered mobile device that receives or generates an OTP, a One Time Password) and inherence (e.g. a biometric); it also provides clarity on how emerging methods such as mobile payments and biometric payments fit in

  • Harmonises pricing and improves security of payment processing across the EU and beyond

  • Broadens the definition of the term ‘Payment Institution’

  • Prohibits card surcharges

  • Secures online payments and account access

Aside from these, PSD2 promises to standardise, integrate, and improve payment efficiency within the EU and beyond, thanks partially to ‘one leg out’ transactions, for which PSD2’s rules apply to the part of the transaction carried out in the EU even when only one of the parties is in the EU.

In a more general sense, PSD2 offers far stronger consumer protection by insisting upon a higher level of authentication: it mandates SCA for electronic payments and remote account access, which makes it significantly harder for criminals to impersonate consumers online.

Two Factor Authentication in this sense means the customer presents something they know (typically their password) together with something they have, usually a unique One Time Password, a short code generated on or delivered to a registered mobile device. The two factors must be independent, so that compromising one does not compromise the other.

Other methods of additional authentication include biometric authentication, usually a fingerprint verified by the customer’s mobile device, or a time-based one-time code generated by an authenticator app such as Google Authenticator, which is enrolled once by scanning an onscreen QR code.

Finally, PSD2 promises to promote innovation in the payments space, which should reduce costs for consumers and merchants alike.

PSD2 is fantastic news for the industry and, in my honest opinion, should be embraced with open arms.

3DS 2.0 & PSD2

Many are wondering how the introduction of PSD2 has and will continue to affect 3DS 2.0 (3D-Secure 2.0), the updated protocol for authenticating cardholders in online (card-not-present) transactions. First, let’s quickly recap 3DS 2.0.

3DS 2.0: Recap

3D-Secure 2.0 is the vastly improved and updated second iteration of 3D-Secure.

3D-Secure 2.0 aims to facilitate ‘frictionless shopping’: the ease and speed of an ‘old school’ transaction with the security of 3D-Secure. The issuer uses the richer data sent with each transaction to authenticate most of them in the background, and challenges the cardholder with a second factor only when the risk warrants it, so that, once set up, transactions (even card-not-present transactions) are simple and straightforward for consumers.

Additionally, merchants have the peace of mind of knowing that authenticated transactions carry a liability shift for fraud-related chargebacks.

So, the consumer is happy because the authentication process is straightforward, and the merchant is happy because, if a fraud dispute arises on an authenticated transaction, it is the issuing bank, not the merchant, that is liable.

3DS 2.0: Key Benefits

  • Merchants will be able to offer a consistent, easy-to-use service across multiple payment gateway platforms and digital media during transaction authentication; this will help combat the 3D-Secure issue of high cart abandonment rates.

  • Issuers can improve ‘frictionless authentication’ by way of richer data exchanges. Additionally, cardholders will be able to choose their preferred medium for making purchases – thanks to multi-factor authentication functionality – without compromising on security.

  • Consumers want a convenient and secure service when carrying out e-commerce payments; 3D-Secure 2.0, along with the corresponding 3DS Server (the successor of the MPI) and ACS technology, will provide these benefits, adding efficiency with little to no impact on applications and payment gateways that customers are already familiar with.

3DS 2.0: How Does it Work?

3D Secure 2.0 is the next step in online payment authentication; but how does it work? Let’s have a brief look at the technology behind the protocol.

Please note: the basic three-pronged infrastructure remains largely unchanged since the original 3D Secure.

The protocol links the financial authorization process with online authentication of the cardholder. In the original 3D Secure this was usually a popup window which prompted the user for a static, prearranged password tied to the card being used.

3DS 2.0 moves away from that static password: the issuer can instead send an OTP, i.e. a verification code delivered by text message or email, ask for a biometric, or push an approval request to the cardholder’s banking app, and the challenge can be shown inside a mobile app as well as in a browser. Each of these adds a possession (or inherence) factor before a payment is processed.

This additional authentication is based on a three-domain model (hence the name).

The three domains are:

  • Acquirer Domain: the merchant and its acquiring bank, i.e. the side receiving the payment; this is where the MPI (Merchant Plug-in), called the 3DS Server in 3DS 2.0, sits

  • Issuer Domain: the bank which issued the card being used, together with the cardholder; this is where the ACS (Access Control Server) sits and where the cardholder is authenticated

  • Interoperability Domain: the infrastructure provided by the card scheme to support the 3D Secure protocol, i.e. the Directory Server and the Internet connectivity that route messages between the other two domains
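To make the three-domain exchange concrete, here is an added, simplified simulation in Python of a 3DS 2.0 authentication (example code written for this page, not GPayments’ product or any scheme’s reference implementation). The merchant’s 3DS Server sends an authentication request (AReq) carrying device data; the issuer’s ACS either authenticates frictionlessly (transStatus Y) when the device has been authenticated before and the amount is small, or returns a challenge (C), after which the cardholder answers with a one-time code in a CReq/CRes exchange. Message and status names follow the EMV 3DS vocabulary, but the payload fields, the risk rule, the amount threshold, the SMS outbox and the card identifiers are assumptions; the Directory Server is omitted, and the challenge leg, which in the real protocol runs in the cardholder’s browser or app with the outcome reported to the 3DS Server in an RReq/RRes, is modelled as a direct call.

```python
"""Simplified 3DS 2.0 exchange: merchant 3DS Server <-> issuer ACS with a toy risk engine.
Added illustration for this page; fields, thresholds and risk rules are assumed, not any
issuer's real policy. The Directory Server and the RReq/RRes leg are omitted."""

import hmac
import secrets
import uuid
from typing import Callable, Dict, List, Set, Tuple

FRICTIONLESS_LIMIT = 3000  # assumed low-risk threshold in minor units (EUR 30.00)


class Acs:
    """Issuer-domain Access Control Server."""

    def __init__(self) -> None:
        self.known_devices: Dict[str, Set[str]] = {}  # card -> fingerprints authenticated before
        self.pending: Dict[str, dict] = {}            # acsTransID -> open challenge context
        self.sms_outbox: List[Tuple[str, str]] = []   # constructed stand-in for the SMS gateway

    def handle_areq(self, areq: dict) -> dict:
        """Risk-based decision on the AReq: frictionless (Y) or challenge (C)."""
        acs_trans_id = str(uuid.uuid4())
        card = areq["acctNumber"]
        fingerprint = areq["deviceInfo"]["fingerprint"]
        trusted = fingerprint in self.known_devices.get(card, set())
        if trusted and areq["purchaseAmount"] <= FRICTIONLESS_LIMIT:
            return {"acsTransID": acs_trans_id, "transStatus": "Y"}
        otp = f"{secrets.randbelow(10 ** 6):06d}"  # one code, bound to this transaction only
        self.pending[acs_trans_id] = {"card": card, "fingerprint": fingerprint, "otp": otp}
        self.sms_outbox.append((card, otp))
        return {"acsTransID": acs_trans_id, "transStatus": "C"}

    def handle_creq(self, creq: dict) -> dict:
        """Check the challenge answer; each challenge may be answered exactly once."""
        ctx = self.pending.pop(creq["acsTransID"], None)
        if ctx is None:
            return {"transStatus": "N"}  # unknown, already answered, or replayed
        if not hmac.compare_digest(ctx["otp"], creq["challengeResponse"]):
            return {"transStatus": "N"}
        # Only a successfully challenged device becomes eligible for frictionless flows.
        self.known_devices.setdefault(ctx["card"], set()).add(ctx["fingerprint"])
        return {"transStatus": "Y"}


def authenticate(acs: Acs, card: str, amount: int, fingerprint: str,
                 enter_otp: Callable[[], str]) -> Tuple[str, List[str]]:
    """Acquirer-domain 3DS Server: drives AReq/ARes and, if challenged, CReq/CRes.
    `enter_otp` stands in for the cardholder typing the code. Returns (transStatus, trace)."""
    areq = {
        "threeDSServerTransID": str(uuid.uuid4()),
        "acctNumber": card,
        "purchaseAmount": amount,
        "purchaseCurrency": "978",
        "deviceInfo": {"fingerprint": fingerprint},
    }
    trace = ["AReq"]
    ares = acs.handle_areq(areq)
    trace.append("ARes")
    if ares["transStatus"] != "C":
        return ares["transStatus"], trace
    creq = {"acsTransID": ares["acsTransID"], "challengeResponse": enter_otp()}
    trace.append("CReq")
    cres = acs.handle_creq(creq)
    trace.append("CRes")
    return cres["transStatus"], trace


if __name__ == "__main__":
    acs = Acs()
    read_sms = lambda: acs.sms_outbox[-1][1]  # cardholder copies the code from the SMS
    print(authenticate(acs, "card-1", 2500, "device-A", read_sms))  # challenged, then Y
    print(authenticate(acs, "card-1", 2500, "device-A", read_sms))  # now frictionless Y
```

Two details carry the security weight: the ACS removes the pending challenge as soon as it is answered, so a replayed CReq fails with N rather than re-authenticating, and a device is only added to the trusted set after a successful challenge, which is what earns later purchases from it a frictionless path.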

3DS 2.0: PSD2 Implications

So, we know that millions in Europe and around the globe are going to adopt the 3DS 2.0 protocol for its SCA (Strong Customer Authentication), its use of device information for risk based authentication, and its facilitation of ‘frictionless shopping’ for consumers, greatly reducing cart abandonment rates (a problem with the old protocol).

3DS 2.0 has put a lot of pressure on Issuers.

The rise of fintech is fuelled by the fact that the technological world moves incredibly rapidly with exciting innovations waiting around every corner; this culture isn’t compatible with old institutions like banks.

Thanks to this innovative forward-thinking culture, fintech companies have successfully transformed themselves directly into ‘Acquirers’.

Now, unsurprisingly, we see the same thing happening on the ‘Issuing’ side, powered by increasingly sophisticated technology and the ability of global brands to reach out directly to consumers in ways which even banks operating locally struggle to do.

As governments have gradually caught up with the technological world of secure online payments, legislatures have and will continue to play a central role in moulding the future of the payments industry.

The new PSD2 regulations are an example of this shift in direction.

The good news is that PSD2 does not require 3DS 2.0. 3DS 1.0.2 can satisfy the requirements of PSD2, provided the challenge the ACS presents is itself a strong customer authentication (two independent factors, not a single static password), so if you’re yet to take the plunge and update to 3DS 2.0 (which we highly recommend), you can still comply.

In addition, 3DS 2.0 promises to make the experience a lot easier, eliminating friction and allowing the provisions of PSD2, and the prevention of fraud to be achieved effortlessly by consumers, merchants and banks.

One of the most interesting implications of PSD2 for merchants (as touched upon earlier) is how it enables them to challenge banks and in effect bypass that step of the authentication process completely. Because of PSD2’s insistence on things like OTPs (One Time Passwords) and 2FA (Two Factor Authentication), consumers will be able to grant merchants permission to approve online payments securely on their behalf by communicating with the ‘Issuer’ (bank) via a 3DS Server (a requirement when using 3DS 2.0). In practice this means the merchant, through its 3DS Server, hands the cardholder over to the issuer’s own challenge screen, whether that is an SMS OTP or a mobile push notification, instead of building a separate authentication step of its own.

Technically, PSD2’s SCA requirement and the 3D Secure 2.0 protocol can be combined. Banks can use the same ACS infrastructure to process SCA for account access and to authenticate e-commerce 3D Secure transactions at the same time, which can also be a driver for banks to upgrade to a 3D Secure 2.0 ACS.

If you've read this far, please also share your comments with me. I'd love to know your thoughts.

3D Secure 2.0 Flow; image courtesy of GPayments.com

Comments: (5)

Kenneth Marritt - Mere Digital - Daresbury | 23 August, 2017, 08:39

Do you think customers will trust merchants enough to give them access to make payments on their behalf?
Sadra Boutorabi - GPayments - Sydney | 23 August, 2017, 08:57

Thanks for the comment.

"consumers will be able to grant merchants permission to approve online payments securely on their behalf by communicating with the ‘Issuer’"

That simply means they want the merchants to authenticate them via the issuer's challenge screen. Whether it's an SMS or a mobile push notification. This is already happening anyway.

Hope that's clearer now.
Lu Zurawski - ACI Worldwide - London | 23 August, 2017, 10:09

I'm loving the way you've channelled the cheesy 1982 Paul McCartney and Stevie Wonder song ("...living together in perfect harmony, side by side on my keyboard, oh Lord, why don't we?...") into a cards versus "direct-from-account" debate.

The question is though, in a PSD2 world (where "access to the account" makes cards, card numbers and underlying card-based standards a bit redundant), will 3DS2.x only work for card transactions? Surely banks/issuers (and indeed customers) would prefer one authentication method/system that covers their one identity, regardless of what quirky connections are taking place for each of their individual accounts?

Or perhaps it's not as black and white as that?

Eli Talmor - SentryCom Ltd. - Haifa | 24 August, 2017, 09:22

"One of the most interesting implications of PSD2 for merchants (as touched upon earlier) is how it enables them to challenge banks and in effect bypass that step of the authentication process completely."

Question: The merchants will assume the fraud liability? I don't see this coming...

Sadra Boutorabi - GPayments - Sydney | 30 August, 2017, 07:21

Thanks for the comment Lu.

I'm glad you pointed this out since my article wasn't clear on this.

A bit of customisation and you can have a 3DS 2.0 ACS that will authenticate non-card transactions using the same authentication data. This seems to be the next step in complying with PSD2 + 3DS 2.0 and that's what we're doing for our clients across Europe.
