Usually when a new regulation comes in, its goal is to make things more secure, more private, or more inclusive, but often at the expense of the service provider or of convenient ways of working. For once, we may see a regulation that comes in and everyone
The second payment services directive, PSD2, has a new requirement deadline coming in September for strong customer authentication, or SCA. This new requirement is going to oblige banks in Europe to authenticate their customers in a higher assurance way
when making transactions online. So rather than needing nothing but the card, or accepting easily accessible information such as names and billing addresses, a two-factor method of authenticating the purchaser will be required.
This new way of working is going to be a big change for customers and banks alike, and the implementation will certainly be a challenge, but the extra layer of security is aimed at saving both sides money: hundreds of millions a year. That’s all well and good, I’m definitely for that, but where’s the downside (apart from change. No one likes
Visa and others have hit back at the European Banking Authority, citing concerns of added friction in the ecommerce space driving down business, with India put forward as an example, having experienced this very downside after it enforced a similar regulation in 2014. Much more information about the specifics of the SCA requirement is available since these cries were heard, but there is still pushback.
Much of the original concern around this new regulation came from the added friction of having to authenticate every time any payment was made, but as more information has become available, we’ve seen it won’t be so bad. Rolling payments like subscriptions
will only require authentication the first time, smaller payments of less than €30 won’t need it either, and online stores can be whitelisted by the customer, so authentication isn’t required every time we buy something from our favourite site. All this is
good to hear and hopefully quells some of the fears, but there is still concern of added friction and this is where I think we’re not seeing the
true value of SCA.
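To make the exemptions above concrete, here is an added example (not code from the post, and not any bank's implementation) of a small SCA decision policy. It encodes the three exemptions the post lists: a recurring series is authenticated only on its first payment, a merchant the customer has whitelisted is exempt, and a low-value payment under €30 is exempt. The low-value branch also applies a cumulative cap and a consecutive-count cap, which the PSD2 regulatory technical standards impose on that exemption but the post does not mention; applying both caps together, rather than either one, is this example's own choice. All customer and merchant names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Payment:
    customer: str
    merchant: str
    amount_cents: int
    mandate: Optional[str] = None  # set for subscription ("rolling") payments


@dataclass
class ScaPolicy:
    """Decides whether a remote payment needs strong customer authentication.

    State lives at the bank: which merchants each customer has whitelisted,
    which recurring mandates have already passed SCA, and how much low-value
    spend has accumulated since the customer last authenticated.
    """
    low_value_limit_cents: int = 3000   # "smaller payments of less than €30" (post)
    cumulative_cap_cents: int = 10000   # RTS cap on low-value spend since last SCA
    max_consecutive: int = 5            # RTS cap on consecutive low-value exemptions
    whitelists: Dict[str, Set[str]] = field(default_factory=dict)
    authenticated_mandates: Set[Tuple[str, str]] = field(default_factory=set)
    since_sca: Dict[str, Tuple[int, int]] = field(default_factory=dict)  # (cents, count)

    def whitelist(self, customer: str, merchant: str) -> None:
        """Trust is granted by the customer, not the merchant."""
        self.whitelists.setdefault(customer, set()).add(merchant)

    def record_sca(self, p: Payment) -> None:
        """Call after a successful SCA: resets the low-value counters and, for a
        recurring payment, marks the mandate so later payments are exempt."""
        self.since_sca[p.customer] = (0, 0)
        if p.mandate is not None:
            self.authenticated_mandates.add((p.customer, p.mandate))

    def decide(self, p: Payment) -> Tuple[bool, str]:
        """Return (sca_required, reason). Granting the low-value exemption
        consumes part of the customer's unauthenticated allowance."""
        if p.mandate is not None:
            if (p.customer, p.mandate) in self.authenticated_mandates:
                return False, "recurring payment under an already-authenticated mandate"
            return True, "first payment of a recurring series"
        if p.merchant in self.whitelists.get(p.customer, set()):
            return False, "merchant whitelisted by the customer"
        spent, count = self.since_sca.get(p.customer, (0, 0))
        if (p.amount_cents < self.low_value_limit_cents
                and spent + p.amount_cents <= self.cumulative_cap_cents
                and count < self.max_consecutive):
            self.since_sca[p.customer] = (spent + p.amount_cents, count + 1)
            return False, "low-value transaction within cumulative limits"
        return True, "standard remote payment"


if __name__ == "__main__":
    policy = ScaPolicy()
    sub = Payment("alice", "streaming-example", 999, mandate="sub-1")
    print(policy.decide(sub))          # first payment of the series: SCA required
    policy.record_sca(sub)
    print(policy.decide(sub))          # later payments of the series: exempt
    coffee = Payment("alice", "cafe-example", 2500)
    for _ in range(5):
        print(policy.decide(coffee))   # exempt until the cumulative cap is hit
```

The cumulative caps are the part worth noticing from a risk standpoint: without them, "under €30" alone would let a compromised account be drained in unauthenticated slices, which is why the counters reset only when the customer actually authenticates.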
Prior to moving to Estonia, my wife told me that online stores don’t get your bank card information or your address when you make purchases. She explained you are redirected to your bank, where you log in and verify the transaction there, before going back
to the site to view your purchase confirmation. My first thought was, “what a hassle!”. I hate being redirected, and logging into my bank is also quite the faff. Oh, how wrong I was.
The first thing to note here is that after all the data breaches we’ve seen over the last few years, hotels, airlines, credit agencies, etc., the fewer businesses that store my information, the better. Secondly, logging into banks in Estonia takes seconds. I
just tried it on my desktop. It took 6. On my phone, it took 4. And both with an EAL4+, eIDAS, PSD2 certified 2FA mobile solution. Just for the hell of it, I logged into my UK bank account to see. It took 14 seconds, not using 2FA. I dread to think how long
it would’ve taken to log into my app on my phone, generate a code and then input that in my browser to achieve 2FA.
So, what I’ve found living in Estonia and purchasing cinema tickets or booking a squash court or a round of golf, is that it’s actually a far smoother experience. I don’t have to get my bank card out of my wallet, type in all the numbers from the front,
and then the back, and then input my name and billing address. I click on the bank I use, get redirected to my bank login page, input my username, then four digits on my phone, and then click “back to site”. To sum that up, it’s two clicks and ten characters.
My first name has eleven characters.
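The redirect flow just described has a security property the post hints at but does not spell out: the store never receives card or address data, only a confirmation from the bank. The added example below (not code from the post or from any bank or payment scheme; the signing scheme and all names are assumptions) simulates both sides of that exchange. The bank performs two-factor authentication (login plus approval in the phone app) and returns a confirmation signed with a shared key; the merchant, on "back to site", accepts the order only if the signature verifies and the confirmed amount, merchant and payment id match its own record. The redirect alone proves nothing, so a tampered or replayed confirmation is rejected.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo key shared between bank and merchant. Real schemes use
# per-merchant keys or certificates issued at onboarding (assumption).
BANK_MERCHANT_KEY = b"constructed-demo-signing-key"


def sign(payload: dict) -> str:
    """HMAC over canonical JSON so that field order cannot change the MAC."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(BANK_MERCHANT_KEY, canonical, hashlib.sha256).hexdigest()


class Bank:
    """Holds the only copy of the customer's account data and performs SCA."""

    def __init__(self) -> None:
        self.pending: Dict[str, dict] = {}

    def create_payment(self, merchant_id: str, amount_cents: int) -> str:
        payment_id = secrets.token_urlsafe(16)
        self.pending[payment_id] = {"merchant_id": merchant_id, "amount_cents": amount_cents}
        return payment_id  # the merchant redirects the customer to the bank page for this id

    def confirm(self, payment_id: str, login_ok: bool,
                app_approval_ok: bool) -> Optional[Tuple[dict, str]]:
        """Two factors: knowledge (login) and possession (approval in the phone app).
        Without both there is no confirmation at all."""
        if not (login_ok and app_approval_ok):
            return None
        request = self.pending.pop(payment_id, None)
        if request is None:
            return None
        confirmation = {"payment_id": payment_id, "status": "confirmed", **request}
        return confirmation, sign(confirmation)


class Merchant:
    """The online store: its order record holds an amount and an opaque id, nothing else."""

    def __init__(self, merchant_id: str, bank: Bank) -> None:
        self.merchant_id = merchant_id
        self.bank = bank
        self.orders: Dict[str, dict] = {}

    def start_checkout(self, order_ref: str, amount_cents: int) -> str:
        payment_id = self.bank.create_payment(self.merchant_id, amount_cents)
        self.orders[order_ref] = {"amount_cents": amount_cents,
                                  "payment_id": payment_id, "paid": False}
        return payment_id

    def handle_return(self, order_ref: str, confirmation: dict, signature: str) -> bool:
        """Called on 'back to site'. Trusts the bank's signature, never the redirect."""
        order = self.orders.get(order_ref)
        if order is None or order["paid"]:
            return False  # unknown order, or a replayed confirmation
        if not hmac.compare_digest(sign(confirmation), signature):
            return False
        if (confirmation.get("payment_id") != order["payment_id"]
                or confirmation.get("merchant_id") != self.merchant_id
                or confirmation.get("amount_cents") != order["amount_cents"]
                or confirmation.get("status") != "confirmed"):
            return False
        order["paid"] = True
        return True


def demo() -> dict:
    """Run the flow once, including a tampered, a replayed and a one-factor attempt."""
    bank = Bank()
    shop = Merchant("cinema-example", bank)
    pid = shop.start_checkout("order-1", 1250)
    confirmation, sig = bank.confirm(pid, login_ok=True, app_approval_ok=True)
    tampered = shop.handle_return("order-1", dict(confirmation, amount_cents=1), sig)
    paid = shop.handle_return("order-1", confirmation, sig)
    replayed = shop.handle_return("order-1", confirmation, sig)
    pid2 = shop.start_checkout("order-2", 800)
    one_factor = bank.confirm(pid2, login_ok=True, app_approval_ok=False)
    return {"paid": paid, "tampered_accepted": tampered,
            "replay_accepted": replayed, "one_factor_confirmation": one_factor}


if __name__ == "__main__":
    print(demo())
```

The point of verifying amount, merchant and payment id against the merchant's own record, and not just the signature, is that a confirmation is only as good as the order it is bound to; a valid signature over a different order must not pay for this one.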
The point I’m making here is that the most secure method of online purchasing I’ve ever experienced has also been the simplest (bar sites that actually hold all my details and will be whitelisted in the future). What this means is not only do the banks get
to offer their customers a greater level of security and a reduced risk of fraud, as is the main goal of this regulation, but they could also offer online stores and service providers a smoother checkout flow for their customers. Banks win with reduced fraud,
service providers win with reduced friction, and customers win with reduced time filling in details. A win-win-win.
Of course, this all depends on the 2FA technology being used. There’s good and there’s bad, both in terms of ease of use and actual security, but the idea of SCA itself has great potential if, in fulfilling it, the right steps are taken. Bring it on.