Some are questioning the commitment to digital security by Europe's payment sector as companies in the European Union and UK have asked for another postponement in migrating to a new payment directive.
Europe’s revised Payment Service Directive, or PSD2, aims to tackle credit card payment fraud by introducing the Strong Customer Authentication, or SCA, system.
The deadline was moved once by the European Banking Authority (EBA) from September 2019 to this December, but the economic effects of Covid-19 have seen Europe payment organizations jointly ask the EBA for at least six more months.
The SCA applies multilayer authentication combining PIN number, hardware identification numbers and/or biometrics for the European Economic Area. It will become a building block for members in the European payment chain, like Mastercard and Visa, to authenticate and secure frictionless payments of above the 30-euro ($32.83) threshold.
The payment companies told the EBA Covid-19 was to blame because it caused a significant drop in “the capacity available to progress SCA development and implementation.” They say tech overhauls in times of crisis can be risky if not done in a safe and controlled environment. Extending the SCA deadline may give banks and payment companies some time to regain stability after the pandemic.
Risk vs Reward
More than 70 percent of e-payment processes aren't SCA-compliant so there will be a lot of work for merchants to be “SCA-ready”, but the demand to extend the timeline is unacceptable to some consumer organizations because e-payment fraud was on the rise before Covid-19. In the UK alone, card fraud was estimated to have caused losses of £671.4 million ($833.17 million) in 2018 - a 19 percent increase on the previous year.
The need for stronger security standards is even greater as a result of the worldwide lockdown: 500 scams and more than 2,000 phishing attempts were reported a month ago and digital skimming has enjoyed a heyday since the pandemic struck.
One of the main causes is the single-layer requirement of filling in a card number, expiry date and the three-digit CVC code. Some consider this a thin line of defence against fraudsters to compromise and take over.
Adding biometrics a tough call
Bringing high-tech disruption to the payments market could either solve or complicate matters, according to the payment companies' approach to EBA.
Multilayer authentication may be common when it comes to validating a user's login on apps or websites, but one of the SCA’s layers relies on the cutting-edge technology of biometrics. That requires a lot of work to achieve broad familiarization and it has slowly built up its presence for several years - facial scans at airports, voice control to start up a car and fingerprint access to mobile devices.
UK bank NatWest began a three-month trial of its first biometric fingerprint credit card in January to validate transactions of up to £100. The implementation was easy because there were no hardware changes required to accept the biometric card. Registration was simple and safe: the fingerprint data was locked only onto the card - preventing uninvited access.
The challenge was piloting biometric-related projects to gain consumers’ trust. Research showed 81 percent of consumers in the UK, US, Canada, Germany, Austria and Bulgaria were unwilling to give up password-based authentication as a result of a lack of trust in and familiarity with biometrics.
Enthusiasm for biometrics, however, is visible across the Middle East, South Africa and now the UK. According to research from IDEX Biometrics 60 percent of UK consumers were familiar with fingerprint biometric authentication and more than half were willing to trust fingerprint authentication.
Another challenge is to implement proper biometric data security. Tech companies usually store a cryptographic hash of a fingerprint to minimize the risk of duplication if the data is compromised. Risk, however, will always come when companies prefer a way around storing data. Even Facebook got caught storing millions of passwords in plain text.
The great divide
Different international road maps and timelines were another complexity in implementing the SCA within the current payment ecosystem. Immediately after the payment companies' approach to the EBA the Financial Conduct Authority (FCA) announced the SCA timetable in the UK had been pushed back to September 2021 so retailers could adopt it in unison.
Backing the FCA’s decision, Payments Europe said the aligned date would reduce the risk of declined transactions - which could backslide the e-commerce market as a tool during the pandemic.
The inconsistency in the timeline, however, implies a bias priority from European e-payment companies. Are they committed to going the extra mile to protect consumers or are they playing it safe to regain the market?
Nonetheless, with the pandemic fueling online shopping the volume of payment fraud can't be stopped unless extensive measures are taken.
The final call once again falls to the EBA and national authorities. The European Commission, too, plans to review the new directive “in due course” when “its impact and effects will be more measurable”.