Payment services that operate electronically should adopt technologies that guarantee the safe authentication of the user and reduce, to the maximum extent possible, the risk of fraud. To achieve this, the European Union passed the Payment Services Directive (PSD) in 2007. The aim of this legislation is to regulate payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). Rapid changes in the payments sector have since made an upgrade of the PSD necessary. Technological advances in areas such as cloud and mobile applications have opened the banking sector to a vast array of new competitors to traditional banks. These financial players, known as Third-Party Providers (TPPs), offer new ways for customers to access their bank accounts and make payments. Over three quarters of Europeans now use mobile devices to keep track of their finances and to make payments, compared with just 18% in 2015. Another major change has been the continuing rise of online shopping. According to a recent survey, one in four Europeans with internet access shopped online at least once a week in 2016. In addition, 451 Research's Global Unified Commerce Forecast shows that digital commerce sales in Western Europe will grow at a 17% Compound Annual Growth Rate (CAGR) between 2018 and 2022, reaching $1 trillion by the end of the forecast period. The rapid expansion of the market brings exciting opportunities, but not without consequences. Fraudsters are increasingly migrating to digital channels. In 2016, nearly £309 million was lost to credit card fraud in eCommerce transactions in the United Kingdom, compared with just £13.6m in 1998.
It’s against this background that the European Union (EU) published the Second Payment Services Directive (PSD2) in December 2015, legislation which regulates payment services and payment service providers throughout the European Union (EU) and European Economic Area (EEA). PSD2 came into force on 13 January 2018. It includes 112 articles and 11 mandates, and it aims to facilitate innovation and competition in the EU retail payment market. In addition, it gives consumers more and better choice, and it introduces higher security standards for online payments so that consumers feel more confident when buying online. The revised Directive adapts the rules to cater for emerging and innovative payment services, including internet and mobile payments, while at the same time ensuring a more secure environment for consumers.
Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is mandated by PSD2 for most payments in Europe beginning on 14 September 2019. Under PSD2, and as reiterated in the Regulatory Technical Standards (RTS), SCA is defined as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” The card issuer decides which authentication methods and factors to use during a transaction. “Something only the user knows” refers to passwords or PINs. “Something the user possesses” refers to smartphones or wearable devices. Finally, “something the user is” refers to biometric data such as a fingerprint. Transactions that fail to meet these requirements will be declined unless they qualify for an exemption. Exemptions are defined in the RTS and include:
- Merchant-initiated transactions. This includes recurring purchases of the same amount made to the same merchant, such as gym memberships and digital services subscriptions. It is important to note, though, that SCA is required for the initial payment to the merchant.
- Low-value transactions. Purchases under €30 are exempt from SCA.
- Trusted beneficiaries. Under this exemption, cardholders can request that their card issuer 'white-list' a merchant so that SCA need not be applied to future transactions. The onus is on the card issuer to manage white lists for each cardholder. This exemption is worthy of close consideration by merchants and their payments partners to ensure that frequent customers have the best possible checkout experience.
- Transaction Risk Analysis (TRA). TRA is perhaps the most important exemption. It involves analysing a number of factors – such as customer location or payment history – to determine whether a transaction is risky or whether SCA can be skipped.
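The SCA definition and the four exemptions above amount to a decision procedure that an issuer's authorisation logic has to run on every transaction. The following Python sketch is an added example written for this article, not code from any issuer, scheme or from Tripwire: it encodes the three factor categories, checks that two factors come from distinct categories, and walks the exemptions in order (merchant-initiated, low-value, trusted beneficiary, TRA). The `Transaction` and `CardholderProfile` fields, the check order, and the `tra_low_risk` heuristic are all assumptions made for illustration; in particular the TRA heuristic only looks at customer location and payment history, the two signals the text names, and is not the RTS's actual TRA criteria.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Iterable, Optional, Set, Tuple


class Factor(Enum):
    """The three SCA element categories named in PSD2 / the RTS."""
    KNOWLEDGE = "knowledge"    # something only the user knows: password, PIN
    POSSESSION = "possession"  # something only the user possesses: phone, wearable
    INHERENCE = "inherence"    # something the user is: fingerprint, face


@dataclass(frozen=True)
class Transaction:
    """Constructed transaction record; field names are assumptions for this example."""
    merchant_id: str
    amount_eur: float
    customer_country: str
    merchant_initiated: bool = False        # e.g. a recurring subscription charge
    first_payment_to_merchant: bool = True  # the initial payment in a recurring series


@dataclass
class CardholderProfile:
    """Issuer-side view of the cardholder (constructed for this example)."""
    home_country: str
    trusted_merchants: Set[str] = field(default_factory=set)          # issuer-managed white list
    prior_payments: Dict[str, int] = field(default_factory=dict)       # merchant_id -> successful payments


def tra_low_risk(tx: Transaction, profile: CardholderProfile) -> bool:
    """Illustrative transaction risk analysis (assumption, not the RTS criteria):
    low risk when the customer is in their home country and has an established
    payment history with this merchant."""
    return (tx.customer_country == profile.home_country
            and profile.prior_payments.get(tx.merchant_id, 0) >= 3)


def sca_exemption(tx: Transaction, profile: CardholderProfile) -> Optional[str]:
    """Return the name of the first applicable exemption, or None if SCA is required.
    The check order is a design choice made for this example."""
    if tx.merchant_initiated and tx.first_payment_to_merchant:
        return None  # the initial payment of a recurring series always needs SCA
    if tx.merchant_initiated:
        return "merchant-initiated"
    if tx.amount_eur < 30:
        return "low-value"
    if tx.merchant_id in profile.trusted_merchants:
        return "trusted-beneficiary"
    if tra_low_risk(tx, profile):
        return "transaction-risk-analysis"
    return None


def meets_sca(factors: Iterable[Factor]) -> bool:
    """Two or more elements from *distinct* categories. A password plus a second
    password is still one category and therefore not SCA. Independence of the
    elements (breach of one not compromising the other) is a design property of
    the chosen methods and cannot be established by this check alone."""
    return len(set(factors)) >= 2


def authorise(tx: Transaction, profile: CardholderProfile,
              factors: Iterable[Factor]) -> Tuple[str, str]:
    """Decide approve/decline and give the reason."""
    exemption = sca_exemption(tx, profile)
    if exemption is not None:
        return ("approve", exemption)
    if meets_sca(factors):
        return ("approve", "sca")
    return ("decline", "sca-not-satisfied")


if __name__ == "__main__":
    # Constructed sample data.
    profile = CardholderProfile(home_country="DE",
                                trusted_merchants={"shop-b"},
                                prior_payments={"shop-c": 5})
    gym_renewal = Transaction("gym", 40.0, "DE", merchant_initiated=True,
                              first_payment_to_merchant=False)
    print(authorise(gym_renewal, profile, []))                     # merchant-initiated exemption
    print(authorise(Transaction("shop-a", 12.5, "FR"), profile, []))  # low-value exemption
    print(authorise(Transaction("shop-c", 80.0, "US"), profile,
                    [Factor.KNOWLEDGE, Factor.KNOWLEDGE]))         # declined: same category twice
```

Running the block prints the decision and reason for each constructed transaction; the declined case shows why a "two passwords" flow does not satisfy SCA even though it asks the user for two secrets.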
In countries outside the EU/EEA, like the US or Australia, SCA is not mandatory. However, if the merchant in these countries supports either Mastercard ID Check (for Mastercard cards) or Visa Secure (for Visa cards), then SCA is required.
Payment Authentication
Until now, payment authentication has been performed using a protocol known as 3D Secure (3DS). This is a service offered by credit card providers that gives additional protection to card users by introducing another layer of password protection. The result of 3DS is the message that customers sometimes see when completing a transaction, depending on the network on which the card operates. However, the current version of 3DS has drawbacks. It opens a pop-up screen under a different URL, which looks rather like a phishing site. In addition, the user has to remember the password that was set up, which can be problematic for a customer with several cards. The first version of 3DS was designed primarily for PC transactions and is quite unfriendly for purchases made on smartphones. This means that 3DS is now more an obstacle than an enabler of secure eCommerce. To address some of these challenges, 3DS 2.0 has been released. One major change in 3DS 2.0 is the ability to authenticate a transaction using a biometric method. By using fingerprints or facial recognition, fraud can potentially be reduced while convenience for consumers increases. There are other upgrades, too: no more troublesome payment windows, and provision for mobile and digital wallet payment methods. The new version delivers a better user experience that helps minimize some of the friction that authentication adds to the checkout flow. The good news for merchants and issuers is that 3DS 2.0 is fully aligned with the principles established in PSD2 and provides the following benefits:
- Merchants will be able to offer a consistent, easy-to-use service across multiple payment gateway platforms and digital media during transaction authentication.
- Issuers can improve ‘frictionless authentication’ by way of richer data exchanges. Additionally, cardholders will be able to choose their preferred medium for making purchases thanks to SCA without compromising on security.
- Consumers get a convenient and secure service when carrying out eCommerce payments, with added efficiency and little to no impact on applications and payment gateways that customers are already familiar with.
SCA and PCI-DSS Compliance
PSD2 and SCA are in full compliance with PCI-DSS Requirement 8.3, which makes multi-factor authentication mandatory “for non-console access to computers and systems handling cardholder data.” As the organization’s Guidance for Multi-Factor Authentication states, “The intent of multi-factor authentication (MFA) is to provide a higher degree of assurance of the identity of the individual attempting to access a resource, such as physical location, computing device, network or a database. MFA creates a multi-layered mechanism that an unauthorized user would have to defeat in order to gain access.” With the general shift towards online services, there is a greater need to authenticate the identity of users during transactions and banking activities in order to reduce the cost of processing fraudulent transactions, reduce the potential for online fraud, increase cardholder confidence in using online services, and comply with international regulations such as PCI-DSS. On the issue of PCI-DSS compliance, the European Central Bank seeks “to provide interoperable solutions in the European cards market” with “specifications which have been developed through industry-driven standardisation initiatives.” PSD2 with SCA is a step toward achieving compliance and interoperability for safer online transactions. Tripwire solutions can help your organization achieve and maintain PCI-DSS compliance.