One of the key goals of the European Union’s second Payment Services Directive (PSD2) is to make payment processes more secure. To this end, Strong Customer Authentication (SCA) was introduced along with the PSD2. It provides added security for electronic payment transactions but can negatively impact the customer experience. This is where biometric process can make sure that customer convenience is not forgotten during authentication process despite the strong protection on offer.
The PSD2 makes SCA binding throughout Europe for the ‘access devices’ and ‘access software’ that we rely on to access to online accounts and execute transactions. Existing protective measures were thus enhanced with an additional security layer: two-factor authentication. Out of a total of three available factors for authenticating customer identities, two factors are now required.
The three factors are:
- knowledge, or something known only to the customer such as their password,
- possession, or something that belongs to the customer such as their smartphone or PC and
- being, or something that defines the customer, for example, biometric features such as fingerprints.
The requested transaction is only completed if two of the three factors are successfully verified during the customer authentication process.
SCA and its consequences for the customer experience
SCA makes the authentication process more complex. And there are risks associated with this. After all, the more complicated a transaction is, the greater the risk of customers abandoning a purchase because they perceive the customer experience to be poor. Yet this customer experience has never been more important. Studies show that two thirds of the competition between companies nowadays relates to the customer experience.
To address this issue and accommodate their customers, retailers are permitted to make exceptions to SCA. For example, SCA is not generally required for online payments of less than EUR 30. For recurring payments such as standing orders, the customer only needs to complete SCA for the first payment that they initiate. However, if the amount subsequently changes, the SCA process must be completed again. Then there is the option of ‘whitelisting’. An example of this scenario is where a customer adds a company to their list of ‘trustworthy beneficiaries’. This eliminates the need for SCA for future transactions with business partners on the whitelist – irrespective of the sums involved and the frequency.
Biometrics combine security and convenience
The introduction of PSD2 along with SCA is designed to prevent purchasers from becoming the victims of fraud. Ignoring for a moment the negative impact on the customer experience, it’s also important to note that cybercriminals have left no stone unturned in their attempts to bypass the security measures implemented as part of SCA.
The types of attacks employed are varied. Malware is often deployed, for example, to override authentication systems. Social engineering attacks are also popular and involve using fake emails to persuade victims to disclose their personal data.
Companies that are obliged to use SCA find themselves faced with a major challenge: making authentication secure enough to withstand the cybercriminals while also providing an excellent customer experience without too much extra complexity. Validation using biometric features by means of a fingerprint or facial scan offers great potential to achieve this balancing act. An app on a smartphone, for instance, is easily incorporated into the two-factor authentication process. Once set up, verification can be completed in seconds using either a fingerprint or the mobile phone’s camera. Also remember that biometric features are virtually tamper-proof and can neither be stolen nor lost. All this makes the use of biometric authentication an excellent means of guaranteeing both security as well as a pleasant customer experience that will build customer loyalty to company’s brand.
Original article on Nevis Security’s website