When revising the Payment Services Directive (PSD), the EU institutions have – quite rightly – emphasised the importance of security. This emphasis need not stifle innovation or deprive users of new products; but that is precisely the effect that the legislation will have – without making users any safer when they pay online – unless the EU institutions act now.
The Directive, currently being discussed in Trilogue, insists that payment users be authenticated using a process known as “two-factor” authentication. This is where the user's identity is confirmed using a minimum of two independent “factors”, each drawn from a different category: something they know (a password or PIN), something they have (a card or a phone) and something they are (a fingerprint or other biometric). In simple terms, the user must present two such proofs of identity every time they pay.
While two-factor authentication is one solution, others are already available or under development that provide a comparable level of protection with less friction for the customer.
One existing, well-established method is risk-based authentication (often marketed under the broader “multi-factor authentication” label), which uses advanced technologies (e.g. real-time data analytics, customer behavioural patterns, geo-localization or machine learning) to judge how confident the provider can be in the customer's identity and to demand a further check only when that confidence is low. This would be banned by the Directive as it stands.
What does this mean in practice? Effectively, any existing or new authentication solution that isn’t “two factor” will be banned across Europe, regardless of how secure it is.
This prevents consumers from benefiting from smart authentication systems when paying online, which is at odds with plans to encourage the growth of digital payments and the digital single market as a whole. As a result, the next wave of technology will be developed elsewhere, with Europe once again playing catch-up.
It is also a boon to fraudsters. If a single authentication scheme is mandated throughout the EU, it becomes a monoculture: criminals who have defeated it once can reuse the same attack against every provider, gaining far greater access to sensitive information, while operators and regulators are hamstrung in how they can react, because the law leaves them no alternative to switch to.
Regulators must have the right to rule out authentication measures that are too weak and open to fraud. But what about innovation that actually enhances security? Paradoxically, according to the draft Directive, new authentication methods that are more or equally secure would be outlawed if they are not “two factor”.
Payment services providers are not asking for a ‘carte blanche’ on authentication. Simply put, they want to be able to continue investing in new technologies and to have the chance to present their authentication solution to their regulator, who would assess whether it is at least as secure as two-factor. If it is, there is no reason to prohibit it; if it isn’t, the relevant regulator should refuse it.
The solution is simple. With some changes to the wording of Article 87, the Directive could give regulators the power to scrutinize alternative methods of authentication on the basis of a risk assessment and the type of product, taking into account technological innovation in the payments space. Otherwise the Directive will ban innovation in the EU payment market for years to come.
Siada is the Director General of EDiMA. She has a background in Public Affairs and Association Management, having worked with global and European trade associations. Her specialty sectors are mainly technology and health. Siada has a proven track record in providing strategic advice to European and global trade associations and interest groupings. She holds an MA in International Studies and Diplomacy from the School of Oriental and African Studies (SOAS), University of London, and a BA in Political Science, specializing in International Relations, from the American University in Cairo.