As the European Union moves toward new consumer authentication rules for payment providers, many in the industry question their utility.
The European Banking Authority’s proposed rules require payment service providers to verify a customer with at least two of three distinct factor categories: knowledge (something only the user knows, such as a password), possession (something only the user has, such as a card, phone or wearable) and inherence (something the user is, such as a fingerprint, voice or iris scan).
The EBA also says that issuing banks are the only entity permitted to assess risk, which could reintroduce friction that behavior-based risk models and risk-based authentication processes had removed. The proposals establish hard value limits for low-value transactions, requiring extra customer authentication steps whenever a transaction exceeds them.
Tim Buckingham, a lawyer and director of UK firm Payment Services Consulting Ltd., says the proposed rules single out Visa and Mastercard branded cards and do not appear to address the various alternative payment methods that are springing up. He adds that the Visa and Mastercard authentication systems are good products that are sold in the areas where they are needed.
“The problem with this type of legislation is that the eclectic mix of acquiring clients does not lend itself to this ‘one cap fits all’ type of solution,” he says. “The industry needs to be dynamic and reactive to specific needs, and to be able to develop effective fraud prevention mechanisms for different sectors.”
Buckingham says payment facilitators (PFs) could be affected negatively by client dissatisfaction.
“A PF’s merchant client base will typically push back on this type of product because they are simply not big enough to merit the cost,” Buckingham says. “Merchants that a PF typically targets will not want to build in the additional cost layer to their products in an area that has already seen cost pressures brought to bear via other regulation. This could have a dramatic impact upon whether new players are capable of entering the market and being profitable, going exactly against the free market competitive drive that the EU wishes to promote.”
The formal name for the proposed mandates is “the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication” under the EU’s revised Payment Services Directive (PSD2).
A final hearing in London on Sep. 23 is the last opportunity before the vote for anyone wishing to discuss or voice disapproval of the proposed rules, and judging by a guest editorial from a Visa executive published on Sep. 20 on Politico’s European site, Buckingham’s is not the only dissenting voice.
Peter Bayley, executive director of risk management for Visa, says that while everyone agrees strong authentication is crucial, the proposals don’t balance security and convenience, nor do they allow merchants a say in risk assessment. Merchants should be able to manage risk themselves as long as they show capability, Bayley writes.
Bayley fears the extra friction could stall ecommerce in the region, and argues that, from a security standpoint, criminals would rather try to trick a consumer than defeat a behavioral risk model backed by multi-factor authentication. Bayley isn’t the only one worried about the proposals. Fred Tyler, vice president of strategic partnerships at UK-based Credorax Bank, is not a fan either.
“These EBA proposals pose a serious risk to the cardholder experience, especially for recurring and subscription digital transactions,” says Tyler. “Making issuers the sole authentication authority could seriously exacerbate consumer friction at checkout and increase false authorization declines that would really impact PFs in the SaaS and continuity verticals.”