1 of 7

The impacts of European regulation PSD2 and

Strong Customer Authentication on e-commerce

Marie Lathière, Digital Strategy Banking & Payments

2 of 7

PSD2 will come into force in September 2019

Mandates

Objectives

Foster innovation

Protect customers

Issuers must open APIs for account consultation and payment initiation

e-transactions must be protected by

Strong Customer Authentication

Key idea of the slide: PSD2 is real – it will apply in September 2019

The European Commission has issued the Payment Service Directive 2 in January 2016. This directive has mainly 2 goals:

Foster innovation. Lots of fintechs and startups are willing to offer services around banking and payments, like account aggregation, innovative ways of paying, … but it’s very complicated as issuing banks are the only ones to have access to users account consultation and action. Lots of fintechs use screen scrapping but it’s combersome and not properly regulated. So PSD2 aims firstly at mandating the issuers to open free APIs to third parties, enabling account consultation and payment initiation

Protect customers. Since years, fraud on e-commerce transactions is raising. There are data breaches in which card details or personal informations are stolen, account takeover is gaining ground. So there’s a need to make online transactions as secure as physical transaction with chip & PIN

Very importantly, this regulation will come into effect in September 2019 and will concern all the banks and retailers which are based in EU or which are doing business in EU.

3 of 7

Strong Customer Authentication (SCA) and Dynamic Linking requirements

Dynamic Link

Fingerprint

Face

Voice

What I Am

(inherence)

PIN / Password

What I Know

Device, token, card

What I Have

(possession)

and/or

Strong Customer Authentication (SCA)

and

Transaction value

Transaction Payee

Authentication code generation

Key idea of the slide: SCA definition

So today I’ll focus on the requirement for Strong Customer Authentication.

Without entering too much into the details, based on PSD2, the European Banking Authority has published some Regulatory Technical Standards (RTS) that provide the framework on how this needs to be implemented. These RTS are technology agnostic and don’t describe any protocol, this is let to the hands of the different stakeholders.

In terms of customer authentication, what is mandated is the following: I think you are all familiar with SCA, Strong Customer Authentication is about authenticating a user using at least two factors of authentication among what I have, what I know and what I am.

On the top of this, in order to ensure that the user is aware of the amount and payee of the transaction, these data must be somehow signed: this is called dynamic linking.

The result of this SCA and of this dynamic linking must result in the generation of an authentication code which somehow proves, especially in case of repudiation, that the user was the actual user and that he agreed to perform a transaction for this specific amount and payee.

4 of 7

3D Secure, the natural solution to comply with PSD2

E-SHOP

ISSUER

CUSTOMER

1. Checkout

DIRECTORY SERVER

2. Authentication request

3. Authentication

4. Authorization Request

…

NETWORK

4. Authorization Request

Key idea of the slide: 3D Secure = authentication decided by the issuer, done by the issuer

Today the natural solution to comlpy with PSD2 is 3DS. 3DS is an authentication infrastructure put in place by payment schemes enabling a merchant to ask to an issuer to authenticate a customer in order to benefit from the shift of liability. The initial version enabled user authentication using a password or OTP that the user entered on a web page. With new version (3DS 2.0) will also enable Out of band use cases like authentication in the issuer app and enable Risk Based Authentication, which means issuer performing authentication only for transactions perceived as risky. This can be done thanks to a wide range of data that the retailers need to share to the issuer, in this authentication request.

In this scenario,

it is issuer decision to step-up or not
Strong Customer Authentication must always be done at the time of payment
UX and level of friction depend on Strong Customer Authentication method implemented by user’s bank

5 of 7

« Due to 3DSecure for PSD2, we expect our conversion rate to decrease by up to 10-15% »

Bilal El Kouche, Head of Payments at vente-privee

(#3 online retailer in France)

6 of 7

The real solution: let Merchants keep control of the UX:

Delegated authentication

Key idea: the solution is merchants in control of their UX

What is essential is that merchants want to remove any friction in the customer journey that could lead to cart abandonment.

The key solution is thus to have the authentication, not anymore performed by the issuing banks, but performed by the retailer himself, in his environment (browser or app). Thanks to this, the UX doesn’t depend on the authentication solution that a bank may have been putting in place and the UX can be smooth and as frictionless as possible: typically, they are focused on built in biometrics.

Also, by doing its own SCA, the merchant decides WHEN doing it. Typically, SCA could be done at login, which combines protection from ATO and regulation compliance.

Such a solution will have to be endorsed and certified by the payment schemes (like V, MC), which will have to define operational rules like liability rules. They are working on it.

From Gemalto perspective, FIDO and webauthn are ideal standards to cover these use cases as they enable interoperability, and simple implementation for the retailer. That’s why BTW Gemalto is building such an offer based on these standards. In that domain, retailers really expect laptops to be more and more equipped from biometrics sensor to enable these use cases.

So we expect this to be a solution widely used by merchants in the coming years.