This blog post has been coauthored with Karen Lewison
The 2nd Payment Services Directive (PSD2) of the European Union went into effect on September 14, but one of its most prominent provisions, the Strong Customer Authentication (SCA) requirement, was postponed until December 31, 2020 by an opinion dated 16 October 2019 of the European Banking Authority (EBA). The EBA cited pushback from the National Competent Authorities (NCAs) of the EU member countries as the reason for the postponement, and the fact that version 2 of the 3-D Secure protocol (3-D Secure 2) is not ready as a reason for the pushback.
PSD2 is supposed to be technology neutral, but the EBA has unequivocally endorsed 3-D Secure as the way to implement the SCA requirement for online credit card transactions, as stated in another opinion, dated 21 June 2019:
“In addition, communication protocols such as EMV® 3-D Secure provide a means for merchants to support the use of SCA. The EBA notes that versions 2.0 and newer support a variety of SCA methods, while trying to ensure customer convenience, limiting fraud through data sharing and transaction risk analysis, and enable the use of exemptions set out in the RTS. For those reasons, the EBA encourages the use of such communication protocols and expedient onboarding. Older protocols such as EMV® 3-D Secure version 1.0, although supporting the use of SCA, are not fully adapted to PSD2. For instance, they do not include the possibility of using exemptions or use all forms of SCA approaches.”
The SCA provision of PSD2 requires authentication of the cardholder by the issuing bank with two authentication factors for transactions with a value greater than 30 euros. But asking the cardholder to authenticate, for example, with username and password plus a one-time code received in a message is asking a lot, even in Europe where consumers care about security because they have liability. SCA is only viable if the exemptions mentioned in the above quote can be used for most transactions. The “frictionless flow” of 3-D Secure 2, where the merchant provides information to the issuing bank over a back channel, is viewed as a kind of safe haven for obtaining those exemptions, and is endorsed as such in the above quote, even though the information carried by the frictionless flow, defined by Sections A.7.1-4 in the latest version of the Protocol and Core Functions Specification, does not actually enable verification by the issuing bank of the conditions listed in Section 2(c) of Article 18 of the RTS. It should be noted that the malware checking required for condition (iii) cannot be implemented in the context of current web and mobile technology.
But the fact that 3-D Secure 2 has been endorsed as the way to implement SCA, and the frictionless flow as a safe haven to avoid using it, means that PSD2 is in trouble. The 3-D Secure 2 specification is not ready after being under development for many years, and, as discussed in the previous post, it may never be ready. It would be prudent to start thinking about what to do if 3-D Secure 2 fails.
The EBA will have three options:
- Acknowledge that enforcement of SCA has failed and recommend that PSD2 be amended to repeal the SCA provision. This would make sense. As pointed out by the EBA itself in the above-mentioned opinion postponing enforcement, cardholder liability for unauthorized transactions was reduced when the rest of the directive came into effect on September 14, and the issuing banks have a self-interest in enforcing greater security for online credit card transactions. Why not let banks implement cardholder authentication as they see fit and compete for customers based on the security-convenience tradeoffs that they offer?
- Recommend that the SCA provision be amended to require only one strong authentication factor. This would also make sense. Banks are already implementing one-factor authentication with an authentication code sent in a message. The security provided by one strong authentication factor coupled with knowledge of the credit card data (what we have called one-and-a-half-factor authentication in the paper that we presented at HCII 2019) should be adequate for most online transactions, without the risk of ecommerce disruption posed by the two-factor requirement of SCA. And an additional factor could be provided, at the issuing bank’s or merchant’s discretion, for exceptionally high value transactions.
- Insist that SCA must be implemented as currently required by PSD2 and the RTS even though 3-D Secure 2 is not available.
The EBA may very well require the third option. After forcefully endorsing 3-D Secure 2 in the opinion of 21 June, in the 16 October opinion, when faced with complaints by the NCAs that 3-D Secure 2 is not ready, it remembered that PSD2 is supposed to be technology neutral:
“16. The EBA assessed the feedback above and noted that the 18-month suggestion put forward by many respondents appeared to be driven significantly by the timeline of the development of a particular version of a particular communication protocol that has been under development by some of the major card schemes (3DS 2.2.). That version is aimed at enabling the application of the full range of SCA exemptions specified in the RTS and the transactions that are out-of-scope of SCA altogether.”
“17. However, other means of payment are available and taking into account the objectives of PSD2 and the RTS of technical neutrality and increasing competition in the payments market, the EBA’s view cannot be based solely on providing a benefit to one or more incumbent providers, while market challengers that provide competing payment services are already ready to offer SCA-compliant solutions.”
And repealing or amending SCA would mean admitting that the EU bureaucracy is not infallible.
Therefore, banks, merchants and merchant processors should be prepared for the possibility that SCA may require two-factor authentication of the cardholder with no safe haven available for claiming exemptions. They should start looking now for technologies that provide two-factor authentication with reduced friction.
One such technology is provided in our HCII paper. The paper describes a first protocol for cryptographic authentication of the cardholder using a credit card certificate, and a second protocol that adds biometric authentication using a bank app installed in the cardholder’s device. The first protocol achieves zero friction by using a service worker registered with the browser by the issuing bank to sign the transaction with the private key associated with the certificate, without involvement of the bank at transaction time. The second protocol provides the two factors required by SCA, but only incurs the friction of the biometric factor, as the cryptographic factor creates no friction. Furthermore, the biometric friction is minimal: all the cardholder has to do is look at the camera or touch a fingerprint button while on the payment confirmation screen displayed by the bank app.
It is worth noting here that, as explained in more detail in the HCII paper, the latest version of the 3-D Secure 2 specification also allows for biometric authentication using a bank app, but with very poor usability. In the 3-D Secure user experience, the cardholder has to manually find and open the bank app, while in our protocol’s user experience the cardholder is automatically taken from the merchant’s web site or native app to the confirmation screen displayed by the bank app.
Of course, relying on a bank app to satisfy SCA means requiring the cardholder to install the app, which may be seen as an inconvenience by some cardholders. But in the scenario that we are discussing, where two-factor authentication is required and no exemption safe haven is available, this would be less of an inconvenience than having to provide two inconvenient factors such as username and password and a one-time code for every credit card purchase of more than 30 euros. Installing a bank app would be good for the bank and would have the advantage over installing a wallet or using Apple Pay or PayPal of not requiring an additional party besides the merchant and the bank.
Implementing the technology that we are proposing would not be a waste of time if SCA ends up being repealed, or amended to only require one factor. Cryptographic authentication with zero friction would be beneficial to the cardholder, who would gain the peace of mind of increased security without paying the price of inconvenience at transaction time; the merchant would see fewer chargebacks without the risk of transaction abandonment caused by authentication; and the bank would see less fraud and be able to attract customers by touting the use of novel technology to reconcile security with convenience.