Out-Law News

Visa criticises regulator's plans for customer authentication under PSD2

'One-click' online payments and other mechanisms for making speedy transactions will be prohibited if proposals outlined by the European Banking Authority (EBA) are introduced, Visa has said.

The payment provider said the regulator's draft standard on strong customer authentication under the reformed Payment Services Directive (PSD2) could, if confirmed, cause "inconvenience ... with no benefits for consumers" and is "a significant threat to future innovation and Europe's future growth".

The EBA is responsible for defining the regulatory technical standards for strong customer authentication under PSD2. The directive came into force earlier this year and will need to be implemented into national laws across the EU by 13 January 2018. The EBA's strong customer authentication standard must be finalised by 12 January 2017.

Under PSD2, strong customer authentication is a mechanism that requires payment account holders wishing to access their accounts or make a payment to provide information that allows their identity to be verified and which is built on two or more independent factors. Those elements are something the account holder knows, something they possess or something inherent in them.

The EBA has proposed exemptions from strong customer authentication for, among other things, low-value remote electronic payments: a remote electronic payment transaction of €10 or less would be exempt, provided the cumulative amount of previous remote electronic payment transactions initiated by the payer without strong customer authentication does not exceed €100. Remote payments above €10, or beyond that cumulative limit, would have to be strongly authenticated.

Visa said, though, that the EBA should instead allow strong customer authentication (SCA) to be applied to payments under a "risk-based approach", with SCA required only where the assessed risk of the transaction warrants it.

In a new paper on authentication (4-page / 241KB PDF), Visa said: "Today both payment service providers and merchants make intelligent decisions about the level of risk of the transaction. For example, if you go onto a website to buy a book, the issuer of a payment card and the merchant have choices on how they process the transaction. The merchant may recognise you as a regular returning customer buying goods for delivery to the same address; the card issuer may note that you are using the same PC, laptop or mobile that you always use to make purchases. This allows them to approve transactions which are clearly undertaken by the recognised customer and only require a step up to SCA when a potentially enhanced risk occurs. This is what we call a 'risk based approach'."

"Many payment service providers have become very sophisticated and need to require SCA for only 5% of all transactions, and this without suffering additional fraud. A risk based approach as such provides consumers with a familiar and safe experience every time they make purchases on the internet, all while being protected," it said.

The EBA's proposals would, though, "require a consumer to enter additional details, such as an SMS code, for every purchase they make on the internet over €10, even when for instance it is known that they are a returning customer with the same delivery address", Visa said.

The EBA should abandon the "one-size-fits-all model to managing risk" in its draft regulatory technical standard (RTS), it said.

Visa said: "An amendment allowing an exemption based on risk analysis for all payment instruments and a recital in the RTS clarifying that merchants and their payment service provider can 'adopt alternative methods of authentication' and take liability in case of fraud, would in effect make many of the foreseen inconveniences that would be faced by consumers disappear. This would ensure a level playing field between all the different payment instruments used today, avoiding disruption to the e-commerce value-chain including consumers."

Under the EBA's proposals, payment service providers (PSPs) would be required to generate a one-time "authentication code" that the payer must enter to proceed with an electronic payment.

The standard proposed by the EBA is supposed to be technologically neutral. However, the regulator said that the authentication code must contain "security features" that at least include "algorithm specifications, length, information entropy and expiration time". The security features must ensure authentication elements remain confidential, that new authentication codes cannot be generated "based on the knowledge of another authentication code generated for the same payer" and that the authentication code is forgery-proof, it said.

The new standards, if introduced as drafted, would require PSPs to cap the number of consecutive times a customer can enter the wrong authentication details. PSPs would also have to ensure that customers making a payment are shown the details of that transaction through a "channel, device or mobile application" separate from the one used to initiate the payment.
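How a PSP might implement the authentication-code properties described in the two paragraphs above, as an added illustration that is not the EBA's, Visa's or any PSP's code: a fresh code per transaction of fixed length, derived from an HMAC under a server-side key over a nonce drawn from a CSPRNG (so knowing one code gives no way to derive another), bound to the payee and amount that are shown to the payer on the separate channel, expiring after a short window, single-use, and blocked after a cap on consecutive wrong entries. The code length, expiry window, attempt cap, HMAC construction, return values and the sample transaction are all assumptions made for the example.

```python
"""Illustrative one-time authentication-code service (hypothetical example,
not the EBA's, Visa's or any PSP's implementation).

Properties modelled:
  - a fresh code per transaction, bound to the payee and amount, so a code
    issued for one transaction does not validate a different one;
  - fixed length and entropy, with a short expiry window;
  - knowledge of one code gives no way to derive another: each code is an HMAC
    under a server-side key over a nonce drawn from a CSPRNG;
  - a cap on consecutive wrong entries, after which the transaction is blocked.
All parameters below are assumed values chosen for the example.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 8          # assumed length: 8 decimal digits, about 26.6 bits of entropy
CODE_TTL_SECONDS = 300   # assumed expiry window
MAX_ATTEMPTS = 3         # assumed cap on consecutive failed entries


@dataclass
class PendingAuth:
    payer_id: str
    payee: str
    amount_cents: int
    nonce: bytes          # 128-bit CSPRNG nonce; makes codes independent of one another
    expires_at: float
    failed_attempts: int = 0
    blocked: bool = False
    used: bool = False


class AuthCodeService:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key      # secret held only by the PSP
        self._clock = clock         # injectable so expiry can be exercised deterministically
        self._pending: dict[str, PendingAuth] = {}

    def _derive(self, payer_id: str, payee: str, amount_cents: int, nonce: bytes) -> str:
        # code = HMAC-SHA256(key, nonce || payer || payee || amount), truncated to CODE_DIGITS.
        # Reducing a 64-bit value modulo 10^8 is very slightly non-uniform; negligible here.
        msg = nonce + f"{payer_id}|{payee}|{amount_cents}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        n = int.from_bytes(mac[:8], "big") % (10 ** CODE_DIGITS)
        return f"{n:0{CODE_DIGITS}d}"

    def issue(self, payer_id: str, payee: str, amount_cents: int) -> tuple[str, str]:
        """Create a pending authentication and return (auth_id, code).

        The PSP would deliver the code to the payer over a channel separate from
        the one used to initiate the payment, alongside the payee and amount,
        so the payer can see what they are approving before entering it.
        """
        pending = PendingAuth(payer_id, payee, amount_cents,
                              secrets.token_bytes(16), self._clock() + CODE_TTL_SECONDS)
        auth_id = secrets.token_hex(8)
        self._pending[auth_id] = pending
        return auth_id, self._derive(payer_id, payee, amount_cents, pending.nonce)

    def verify(self, auth_id: str, payee: str, amount_cents: int, submitted: str) -> str:
        """Check a submitted code against the transaction actually being executed.

        Returns one of: "ok", "wrong", "blocked", "expired", "already_used", "unknown".
        """
        pending = self._pending.get(auth_id)
        if pending is None:
            return "unknown"
        if pending.blocked:
            return "blocked"
        if pending.used:
            return "already_used"
        if self._clock() > pending.expires_at:
            return "expired"
        # Recompute over the payee and amount being executed, not the stored ones:
        # if either was altered after the code was shown to the payer, the MAC differs.
        expected = self._derive(pending.payer_id, payee, amount_cents, pending.nonce)
        if hmac.compare_digest(expected.encode(), submitted.encode()):  # constant-time
            pending.used = True                                          # single use
            return "ok"
        pending.failed_attempts += 1
        if pending.failed_attempts >= MAX_ATTEMPTS:
            pending.blocked = True
            return "blocked"
        return "wrong"


if __name__ == "__main__":
    # Constructed sample transaction: a €25.99 purchase from an online bookshop.
    service = AuthCodeService(secrets.token_bytes(32))
    auth_id, code = service.issue("payer-42", "BOOKSHOP-LTD", 2599)
    print("code shown to payer on the separate channel:", code)
    print("amount altered in transit:", service.verify(auth_id, "BOOKSHOP-LTD", 25990, code))
    print("genuine transaction:      ", service.verify(auth_id, "BOOKSHOP-LTD", 2599, code))
    print("replayed code:            ", service.verify(auth_id, "BOOKSHOP-LTD", 2599, code))
```

Binding the code to the payee and amount is what makes the separate display channel worth having: a payer who reads "€25.99 to BOOKSHOP-LTD" next to the code is approving exactly that transaction, and a code captured and replayed against an altered amount or payee fails verification rather than authorising it. The lockout counts consecutive failures per pending authentication, so an attacker cannot simply iterate the 8-digit space.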