Are Payment Providers Prepared for PSD2 and Strong Customer Authentication?
An amount of money that is nearly impossible to comprehend, $156 trillion, is expected to cross international borders annually by 2022 according to an EY study.

These money transfers are all-encompassing: whether it's a billion-dollar corporate acquisition or a hundred-dollar remittance from a migrant worker, every transaction needs to be authenticated. Any time money is moved, it must be reviewed to ensure it is not related to fraudulent activity. Fraudsters and other nefarious characters often attempt to obscure the true source of their finances by routing them through multiple countries.

Regulatory bodies around the world are attempting to prevent fraudulent transfers and money laundering, and the EU’s revised Payment Services Directive (PSD2) is one of the strictest regulations to date. PSD2 requires strong customer authentication (SCA), eliminates surcharges on most credit or debit card transactions, and lowers consumer liability for fraudulent transactions.

As enforcement of PSD2 rolls out across Europe, card issuers and payment processors are hastily preparing to meet the strong customer authentication standards. Complying with these regulations can be a difficult task, but some businesses are taking the changes in stride.

Payment Authentication Challenges with PSD2
When it comes to payment authentication, even domestic transactions can be difficult, and foreign transactions add another layer of complexity. According to SWIFT, 10% of all payments require manual inspection due to missing or unstructured data issues.

Another challenge complicating authentication of cross-border transactions is the detailed and varied banking regulations that exist in both the sending and receiving countries. This means that international B2B transactions require additional manual investigations up to 5% of the time.

As a result of these data issues and manual interventions, international payments take far longer to process than domestic ones. On average, domestic B2B payments take 21 days to clear while international payments can take up to 32 days.

While PSD2 tackles some serious issues that need to be addressed, its strong customer authentication requirements could result in further delays in transaction processing, at least in the near future. For most payments, strong customer authentication requires that two of the following three multifactor authentication (MFA) types be used:

  1. A Known Factor - a password or PIN
  2. An Owned Factor - a mobile device, laptop, or security key
  3. A Biometric Factor - fingerprint or face scan

The strong customer authentication compliance deadline has been pushed back to March 2022 to allow businesses more time to get their systems in line with PSD2 requirements. However, banks and payment processors have been diligently preparing to meet this latest deadline.

Above chart courtesy of Stripe
How Ready Are Businesses for Strong Customer Authentication?
Strong customer authentication requirements will vary depending on the final destination of a transaction. If a transaction that originates in Europe leaves the EU at any point, it no longer needs to follow SCA’s two-factor requirement. However, if the transaction originates and ends within the EU, then strong customer authentication’s full requirements apply.

The result is that EU merchants who do most of their business outside of Europe will see less of an impact from PSD2. This is a significant relief for those merchants who already face a highly complex process.

EU payments industry players are taking full advantage of the extended PSD2 deadline. A January 2018 Deloitte study highlighted the fact that only 75% of firms felt adequately prepared to meet PSD2 standards. When considering the new payment authentication standards, that number drops to 58%.

EU merchant readiness has improved significantly since 2018, with a recent study finding that 99% of merchants are able to meet strong customer authentication requirements. Additionally, 94% of credit and debit cards are ready to handle strong customer authentication rules, and 82% of payment service consumers are enrolled in an SCA solution.

At this time there is no further clarity on whether the EU will again extend the deadline for strong customer authentication requirements. Statistically speaking, most merchants are now prepared to meet the requirements. However, not all strong customer authentication solutions are as effective at fraud prevention as others. Any strong customer authentication that uses passwords is vulnerable to phishing, SIM swap, and account takeover attacks.

LoginID’s Passwordless Strong Customer Authentication Solution
LoginID’s FIDO2 passwordless authentication platform was built with PSD2 and strong customer authentication in mind. LoginID utilizes the two stronger MFA factors, an owned factor and a biometric factor, in conjunction with FIDO2’s unparalleled private key cryptography to create a highly secure authentication mechanism for merchants and banks.

At registration, the user is prompted to use the biometric that is native to their device (fingerprint or face scan) to create a private key. A PIN can be used in the event that the device does not have a biometric. That private key is then stored securely on the device and never leaves it. The two factors, the device and the biometric, are then used together to authenticate the user.

In addition to passwordless authentication services, LoginID also offers a transaction confirmation with digital signature service. When a customer is checking out, before the payment is processed, they will be prompted to supply their biometric to approve the transaction. This acts as a payment authentication and fraud prevention measure that is difficult for even the most sophisticated fraudsters to exploit.
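
The registration and transaction-confirmation flow described above, as an added example: it is not LoginID's code or API, and it is a simplified model rather than the FIDO2/WebAuthn message format. The function names, the transaction fields and the `userVerified` flag (standing in for the device's biometric or PIN check) are assumptions.

```javascript
// Added example: simplified model of sign-to-confirm, not the WebAuthn wire format.
const crypto = require('crypto');

// Registration: the key pair is created on the device; the server stores only the public key.
function registerDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Server: one-time challenge for a pending payment.
function createChallenge() {
  return { nonce: crypto.randomBytes(16).toString('hex'), used: false };
}

// Bytes covered by the signature: the nonce plus the payment details.
function signedPayload(nonce, tx) {
  return Buffer.from(JSON.stringify([nonce, tx.amount, tx.currency, tx.payee]));
}

// Device: userVerified is a hypothetical stand-in for the local biometric or PIN check.
function approveOnDevice(device, nonce, tx, userVerified) {
  if (!userVerified) throw new Error('user verification failed');
  return crypto.sign('sha256', signedPayload(nonce, tx), device.privateKey);
}

// Server: check the signature against the payment it is about to process; nonce is single-use.
function verifyApproval(serverRecord, challenge, txToProcess, signature) {
  if (challenge.used) return false;
  challenge.used = true;
  const data = signedPayload(challenge.nonce, txToProcess);
  return crypto.verify('sha256', data, serverRecord.publicKey, signature);
}

function demo() {
  const { device, serverRecord } = registerDevice();
  const tx = { amount: '49.99', currency: 'EUR', payee: 'merchant-123' }; // constructed sample
  const c1 = createChallenge();
  const sig1 = approveOnDevice(device, c1.nonce, tx, true);
  const approved = verifyApproval(serverRecord, c1, tx, sig1);
  const replayed = verifyApproval(serverRecord, c1, tx, sig1); // same nonce again
  const c2 = createChallenge();
  const sig2 = approveOnDevice(device, c2.nonce, tx, true);
  const altered = verifyApproval(serverRecord, c2, { ...tx, amount: '4999.00' }, sig2);
  return { approved, replayed, altered };
}

console.log(demo()); // { approved: true, replayed: false, altered: false }
```

Because the signature covers the amount and payee along with a single-use nonce, an approval cannot be replayed or reused for a payment whose details were changed after the customer confirmed it.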

Developers who are interested in integrating LoginID’s passwordless strong customer authentication solution into their site can view our easy-to-integrate documentation here.

Adapted from an article by PYMNTS
