Strong Customer Authentication – Frictionless Payments – Smart Payment Association
In recent months, we’ve seen the payment industry’s innovation agenda take a significant step forward. After much work, the standardization initiatives and the regulatory and authentication frameworks are at last coming together.
Spurred on by this, we are likely to see new players entering the payment value chain – not to mention the evolution of existing business models. It all heralds a dramatic change in the current financial services ecosystem.
With the foundations now in place, it’s time for the real work to begin – particularly if the tight implementation dates set by the regulatory bodies are to be met.
So, as banks embark on planning, designing and deploying innovative new online and mobile payment services, and developing new banking interfaces and authentication techniques, it is useful to take a step back – to see how we got here, what more needs to be done, and how the SPA can bring its considerable expertise to bear to help.
A key cornerstone for the move to ‘frictionless’ online payment is now in place. In October, EMVCo finally published its 3DS 2.0 Protocol and Core Functions Specification for app-based authentication and integration with digital wallets, as well as traditional browser-based e-commerce transactions.
The principles rely on risk-based authentication, and the use of Strong Customer Authentication (SCA) only when required. However, this latter functionality must always be used to conform with the EBA Regulatory Technical Standard on SCA.
See SPA’s position on the Regulatory Technical Standard on Strong Customer Authentication
The landmark EMVCo specification provides a globally interoperable framework that will promote a consistent authentication user experience across all e- and m-commerce channels and connected devices.
Reflecting current and future market requirements, the specification delivers the flexibility the payment industry needs to support new online authentication technology developments. But it must do so within the boundaries of the recent requirements set by the EBA.
For our part, SPA members will be on hand to provide advice, guidance and technical expertise every step of the way. SPA Members have been strongly involved in developing ISO standards to support the interoperability of new open payment infrastructures which are regulated under the European Parliament’s revised payments directive (PSD2).
The challenging 2018 implementation deadline of new functional and security requirements is pushing banks to actively explore how to develop standard APIs. These APIs will enable Third Party Payment Providers (TPPs) to access information on bank-held payment accounts, a major breakthrough.
Over the past few months the SPA has undertaken a detailed evaluation of a number of new European schemes within the SEPA framework, including Instant Credit Transfer Payments and Mobile P2P payments.
As the payment market continues to evolve, SPA is committed to keeping its finger on the pulse of emerging innovations to ensure such payment mechanisms represent an appropriate yet complementary option to today’s proven secure card payment technologies and infrastructures.
Meanwhile, as a review of recent market data confirms, contactless card transactions continue to grow dramatically around the world. [See SPA’s Paper: Contactless Payment Benefits & Worldwide Deployments – Food for thought for US issuers – April 2016]. Despite this impressive growth, fraud levels on contactless cards and devices remain impressively low.
Indeed, consumer use of payment cards continues unabated. European Central Bank statistics point to double-digit growth in card transactions compared to other payment instruments such as credit transfers, checks, direct debits and cash.
This unstoppable move towards card adoption has been fuelled by the recent US migration to chip card technology, and completion of the long-envisioned global EMV infrastructure.
The increasing acceptance of contactless cards and readers is paving the way for the adoption of mobile payments.
Representing a vital first step in consumer and merchant education, familiarity with contactless payment is proving highly effective at preparing the way for user acceptance and take-up of “The Pay” options: Apple Pay, Samsung Pay and Android Pay.
SPA is teaming up with the financial industry to better understand the regulatory requirements in terms of customer authentication, and to anticipate the development of fit-for-purpose contactless payment products.
For example, in August the European Banking Authority (EBA) published its consultation paper on draft technical standards for strong customer authentication and common and secure communication for remote electronic payment transactions under the PSD2.
SPA has also been working with the European Card Stakeholders Group (ECSG) to review the PSD2 compliance implications for banks and has provided the EBA with a set of constructive comments to facilitate strong customer authentication implementation.
With the ‘new’ ECSG now an independent organisation, SPA is channelling its input through a very active participation in the Vendor sector of the organization.
The first priority for the ECSG has been to focus on the publication of the next release of the Volume Book of Requirements, which will take into account the new regulatory provisions for visual and electronic identification of co-branded payment cards.
Through its ECSG Board membership, SPA has also been heavily involved in management tasks: the creation of governance rules and frameworks for the new entity to ensure maximum levels of collaboration while protecting the intellectual property of vendors.
SPA intends to continue to play its leadership role in the Vendors Sector of the ECSG and to actively push for innovation, while supporting appropriate standards that add value for banks and their customers.
As we move into 2017, regulations will continue to evolve as new ways to pay are developed and adopted. SPA is committed to ensuring that such regulations do not negatively impact on banks or overcomplicate the user experience.
Looking ahead at the major challenges facing our industry in 2017, one cannot ignore the complexities of this fast-evolving environment.
The crucial issues surrounding the roll-out of instant credit payment transfers, initiated with different personal devices, and the implementation of the interfaces required for the provision of Third Party Payment Providers according to the PSD2, must be effectively addressed.
SPA will remain active in the standardization process of APIs, protocols and security architectures to protect all the actors involved in these new payment circuits.
Throughout 2016, much of the discussion centered on the financial industry’s real use cases for Blockchain and Distributed Ledger Technology (DLT).
The challenge now, SPA believes, is to reach a broad consensus between banks and fintechs to solve existing operational problems. We must come together as an industry to build and implement the financial Blockchain solutions of the next decade.
It’s a major task, and SPA will continue to monitor and contribute to those standardization initiatives intended to improve financial Blockchain interoperability and security.
In all, 2016 was a very successful year. Agreement of the various payment regulations and standards was long in coming. Now we are here, it’s time the real work started.
The Smart Payment Association (SPA) addresses the challenges of the evolving payment ecosystem, offering leadership and expert guidance to help its members and their financial institution customers realise the opportunities of smart, secure and personalised payment systems and services both now and for the future.
For more information on the SPA, visit our website: www.smartpaymentassociation.com
Stéphanie de Labriolle-