PSD2: Where is the FCA?

On 12 January 2016, the revised Payment Services Directive (EU) 2015/2366 entered into force in the European Union, and will apply from 13 January 2018.

Anyone know what ‘apply’ means in this context?

On August 12th, the European Banking Authority (EBA) released its Consultation Paper “On the draft Regulatory Technical Standards specifying the requirements on strong customer authentication and common and secure communication under PSD2”. There have been many articles since then trying to explain what it means; at best they are educated guesses.

All other RTSs and Guidelines entrusted to the EBA won’t be available until January 2018. Classification of Major Incidents for example.

So it’s surprising – and more than a little disappointing – that the FCA, as the UK’s ‘competent authority’ for PSD2, has so far provided zero guidance, and won’t until sometime in 2017.

For example, the most pressing questions are:

  1. If January 13, 2018 is the date when PSD2 will ‘apply’, does that mean that’s when Account Servicing Payment Service providers (ASPSPs) have to make “at least one communication interface enabling secure communication” available? Or do they have until October 2018 at the very earliest (per the Consultation Paper)?
  2. What happens to ASPSPs if they aren’t ready? Are there penalties?
  3. When will the FCA begin the certification process for Account Information Service Providers (AISPs) and Payment Initiation Service Provider (PISPs)?
  4. Do ASPSPs already qualify as AISPs and PISPs if they currently perform these functions?
  5. Does the FCA have final say in liability?

I was fortunate enough to give a series of PSD2 presentations last week to a large ASPSP, and it was clear that there is significant confusion and frustration surrounding it. I know the legal teams of the larger organisations will already be lobbying the FCA, but I think it’s about time some of these conversations get translated and filtered down to the masses.

Of the 50 people I trained in those 3 days:

  1. PSD2 knowledge was very low;
  2. So far they have received little guidance from senior leadership;
  3. 85% were more scared than optimistic;
  4. Only 10% saw any opportunity for their organisation, the rest saw their jobs threatened;
  5. Almost all saw PSD2 primarily as a force for disintermediation of the card schemes, acquirers and issuers;

Clearly this organisation is not alone, and all the planning in the world will do nothing without a goal in mind. What will PSD2 look like in 2018? What can organisations do NOW without definitive guidance? Is there really enough information out there to warrant investment at this stage?

No organisation wants to invest in business transformation without two things: 1) a clear opportunity for doing so, and 2) clear guidance from the competent authority. Also, no organisation wants to be first while there is so much uncertainty, but no organisation wants to be last either. The advantage in this respect is clearly with the new entrants in the market, not the incumbents.

All that said, wishful thinking is going to get us nowhere. The FCA will jump in only when they are good and ready, it’s up to us to do what we can in the meantime.

Here’s what senior leadership at ASPSPs could be doing:

  1. Ensure the conversations between the legal teams and the FCA are filtered down to all staff – If you’re not having these conversations with the FCA, you must start;
  2. Set up a task force to examine opportunities related to Access to Account (XS2A) – You’ll have to give your customers’ information away for free; don’t you want the same from your customers’ other ASPSPs?;
  3. Set up a task force to examine opportunities related to innovation in payments – Like it or not, existing payment channels will see significant competition. Don’t be Kodak, or Blockbuster, or IBM…;
  4. Set up training opportunities for as many staff as possible, in-house or 3rd party – Uncertainty kills motivation, you cannot let this turn into fear; and
  5. Take a long hard look at your mobile apps and APIs, these things will have very significant impact down the road. – You cannot be left behind where customer convenience is concerned.

The time to prepare is now, the time to panic is a long way off. This may sound strange given everything I’ve written up to this point, but look at it this way:

  1. Innovation in payments will only be relevant when consumers ask for it – Just look how little impact Apple Pay and the like have had. Why would it, when it’s no more convenient or value-add than the plastic they are trying to replace.
  2. Regardless of the January 2018 date, you have years before current payment methods begin their inevitable decline – Make smart choices, don’t make choices based on perceived deadlines.
  3. Your customers are yours to lose – YOU have the existing relationship with your customer, new entrants in the game will be at significant disadvantage. Unless you do nothing.

The PSD2 is a good thing for consumers, it’s really up to ASPSPs if this is mutual.

Biometrics vs. Passwords: A Fight No-One Can Win

Thanks to Apple Pay, then Samsung Pay, biometrics companies have seen a tremendous surge in consumer interest, to the point where they are now falling over themselves trying to be seen as the authentication standard that replaces the password.

No doubt the numerous breaches that were apparently the result of weak password authentication will have these same companies in a feeding-frenzy of finger-pointing and I-told-you-sos. This is more than a little inappropriate, as biometrics not only has some of the same weaknesses, it adds layers of complexity and risk far above those to which passwords are exposed: at least you can change a password.

If you take 1800s transportation as an analogy, the answer was not to breed faster and stronger horses. You repurposed what you had (including the horses), coordinated a huge array of other industries and innovations, and worked TOGETHER to build something exponentially better.

Authentication now finds itself at a crossroads, and like most things in the Digital Age, there is no one right answer. The only certainty is that it will be the mobile devices that will be at the center of taking payments and authentication innovations to the mainstream. If you can’t put your authentication mechanism on a smartphone it simply won’t be adopted.

One answer which is simple, and brings the benefit of using both passwords (in the form of customer PIN) AND biometrics (in all its forms) is now available. No single factor of authentication is enough, and each one has its strengths and weaknesses. By combining multiple factors, you not only negate the limitations of each, you ensure that security is significantly more robust. The whole, in this case, is much greater than the sum of the parts.

The longer the password is, and the more of them you have, the more difficult it becomes to keep track. But the simpler the password, the easier it is to crack. Biometrics are more convenient, but are prone to false matches, and once a biometric has been captured it can never be changed. So no factor is ideal by itself, but combining a simple password, like a PIN, with biometrics, device registration and geo-location presents a much more resilient hurdle.
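The layered check described above, as an added example rather than code from the original post: a payment is gated on the PIN (something you know), and the biometric verdict, the registered device (something you have) and a geo-location plausibility check are treated as supporting signals. The thresholds, the names, and the ‘impossible travel’ rule (a speed between two uses that no one could legitimately achieve) are illustrative assumptions, and the account and attempts are constructed.

```python
"""Added example (not from the original post): a layered authentication decision
for a mobile payment that combines a PIN, a biometric result, device registration
and a geo-location plausibility check. Thresholds, names and the 'impossible
travel' rule are illustrative assumptions."""
import hashlib
import hmac
import math
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000
MAX_SPEED_KMH = 1000.0     # assumption: nobody legitimately moves faster than this between two uses
LOW_VALUE_LIMIT = 30.0     # assumption: below this amount one missing signal is tolerated
ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


def hash_pin(pin: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: a leaked store should not leak PINs directly."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def verify_pin(pin: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, used for the travel-speed check."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


@dataclass
class Account:
    pin_salt: bytes
    pin_hash: bytes
    devices: set = field(default_factory=set)                 # registered device identifiers
    last_seen: Optional[Tuple[float, float, float]] = None    # (lat, lon, unix seconds) of last accepted use


@dataclass
class Attempt:
    pin: str
    device_id: str
    biometric_ok: bool      # verdict reported by the handset's matcher: one signal, not proof of identity
    lat: float
    lon: float
    time: float             # unix seconds
    amount: float


def register(pin: str, device_id: str, lat: float, lon: float, time: float) -> Account:
    salt, digest = hash_pin(pin)
    return Account(salt, digest, {device_id}, (lat, lon, time))


def travel_plausible(account: Account, attempt: Attempt) -> bool:
    if account.last_seen is None:
        return True
    lat0, lon0, t0 = account.last_seen
    hours = max(attempt.time - t0, 1.0) / 3600.0     # floor at one second to avoid division by zero
    speed = haversine_km(lat0, lon0, attempt.lat, attempt.lon) / hours
    return speed <= MAX_SPEED_KMH


def evaluate(account: Account, attempt: Attempt) -> str:
    # The PIN is a hard gate: a biometric match never substitutes for it.
    if not verify_pin(attempt.pin, account.pin_salt, account.pin_hash):
        return DENY
    signals = {
        "device": attempt.device_id in account.devices,
        "biometric": attempt.biometric_ok,
        "location": travel_plausible(account, attempt),
    }
    missing = [name for name, ok in signals.items() if not ok]
    if not missing:
        return ALLOW
    if len(missing) == 1 and attempt.amount <= LOW_VALUE_LIMIT:
        return ALLOW        # one weak signal on a low-value payment is acceptable
    if len(missing) == 1:
        return STEP_UP      # ask for out-of-band confirmation before paying
    return DENY             # PIN right but nearly everything else wrong: treat as compromised


if __name__ == "__main__":
    LONDON, NEW_YORK = (51.5074, -0.1278), (40.7128, -74.0060)   # constructed sample locations
    acct = register("2580", "handset-A", *LONDON, time=0.0)
    print(evaluate(acct, Attempt("2580", "handset-A", True, *LONDON, 600.0, 3.0)))       # allow
    print(evaluate(acct, Attempt("2580", "handset-A", True, *NEW_YORK, 3600.0, 500.0)))  # step_up
```

The second call illustrates the point about combination: the PIN and the biometric both pass, but London to New York in an hour fails the location check, so a high-value payment is pushed to step-up rather than allowed on the strength of two good factors alone.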

We believe that poor design can lead to overly complicated solutions, and authentication mechanisms are no exception. Making a payment should actually be simple, as it’s just a transfer of value from one place to another; it’s the fact that we have MADE payments complicated that makes them insecure.

The average consumer is used to entering a PIN or a password and their smartphones should now be able to take care of the rest in a way that they hardly even notice it happening. Only in this way can we achieve the security we need, with the convenience required to make implementation practical.

For the payments sector to build the next generation of consumer solutions, individual vendors need to stop focusing on themselves and be more collaborative.

No, Passwords are NOT Dead, and No, Biometrics is NOT the Answer!

The title is already too long, but what it should have said was; “No, [all] Passwords are NOT Dead, and No, Biometrics [by itself] is NOT the Answer!”

Passwords represent one of only three factors in authentication, the something you know. Getting rid of them, when they are already so established, in favour of another single factor (the something you are, represented by biometrics) is wrong to the point of being irresponsible.

In one of my previous articles related to biometrics hype, subtly titled “Anyone Else Getting Sick of Biometrics Hype?” I made it clear that I am actually a fan of biometrics. I went as far as to say; “…they are absolutely intrinsic to the future of non-cash payments and the implementation of true identity management…“. But what I cannot accept, and will rail against until I’m blue in the face, is those shamelessly trying to make biometrics the only player in town.

Somehow my enormous blog following of 99 (including family) has so far been unable to effect the changes the industry so desperately needs. But this is not the first time blatant self-interest has made matters worse for everyone: the battle over NFC delayed its useful implementation for years, the on-going battle for loyalty / reward programs means there are tens of thousands of them (most of little use to the end consumer), and having a different adaptor for almost every device we own (even if you only have Apple!) annoys me endlessly.

Biometrics vendors are now firmly in this illustrious group, and it’s all so unnecessary.

However, there are a lot of organisations out there trying to do the right thing, those whose mission is to ease the transition of the payments space from cash / paper / plastic to digital, and who recognise that no ONE organisation has all the answers. Passwords are not the answer, biometrics are not the answer, hardware devices are not the answer; it’s a combination of ALL of these things, and all the things to come, that will get us to where we need to be. Those prepared to collaborate, to be part of the solution instead of being the problem, will all get a piece of a much larger pie. If they can prove their merit.

The worst part of it is that the ‘problem’ biometrics vendors are trying to solve has been created mostly by them! Yes, a lot of people want digital payments to be easy, or ‘frictionless’ (as the current buzz-phrase goes), but the vast majority of people are not concerned about passwords, they just change them, nor are they concerned about cashless payments, what’s wrong with their credit cards? While there is no question that payments will transition from plastic to mobile, it will be a long transition, and there is no room for disruptive innovation in this space.

I of course blame Apple for this, Apple Pay has driven an increase in interest in biometrics that has every vendor clamouring to monetise before the interest dries up.  And dry up it will, IF they continue along the current course. Biometrics by itself does not solve the security challenges, but if they embraced the collaboration with all the other forms of authentication (including passwords), they would cement their future in a far more positive place.

Is Authentication of Identity Even Possible?

Before I can answer that question, I need to define what I think Identity is. Too often authentication is used interchangeably with identity, but that’s like saying a bank account and money are the same thing.

In its most basic terms, authentication is the WHAT of you; identity is the WHO of you. You can authenticate via password to log into your computer or buy a cup of coffee, but if you want a mortgage, considerably more background information is required. I could give you 5 usernames & passwords, 5 forms of biometrics, and 5 different hardware tokens, and you would still not know to any degree of certainty whether I’m good for a loan.

Example: Two people are standing in front of you, one’s a stranger and one’s a close friend. You know [for the sake of this hypothetical] that they are both who they say they are, but do you feel equally comfortable lending them your car?

I would assume the answer is no, you would NOT be comfortable loaning a stranger your car, so what’s the difference? Trust, pure and simple. You trust your friend because you know WHO they are, not WHAT they are.

Unfortunately you will never be able to know everyone on the planet as well as your friends, so how can you assure a sufficient level of trust to do business of any sort? Currently, authentication is enough, but it’s almost entirely one way. If you want to buy something on the Internet YOU have to complete the login details (often including a permanent account), you have to enter all of your payment details, and you have to accept the risk that the merchant will not send the goods as promised.

With an identity, built over the course of time and receiving input from many sources, every individual and every organisation can build a demonstrable level of trust so that both sides have the assurance they need to conclude the transaction. Fraud in e-commerce is rampant because we simply don’t have this 2-way assurance.

From the individual side: Credit score, confirmation of available funds, payment history, and any number of other factors can build a Trust Assurance Score (TAS), and it will be up to both the buyer and the seller to agree on the level of score required to complete a purchase. e.g. on a scale of 1 – 100 (100 being a perfect TAS) the merchant needs a score of 5 to buy the ubiquitous cup of coffee, but a score of 50 to rent a car, and a score of at least 75 to get a mortgage.

From the merchant side: Time in business, corporate credit rating, ratings and reviews and so on can build their TAS, so you can decide up front the level of risk you are prepared to accept to conduct the business at hand.

Clearly there are many challenges with this: How do you build a rating in the first place (the young and new businesses should not be unfairly disadvantaged)? How do you provide instant access to this rating without exposing all of the detailed information behind it? How do you tie in the level of authentication required to even request a TAS? And so on.

I’m not proposing a way to fix this; I’m simply trying to demonstrate that the reason we don’t HAVE identity built into transaction authentication is that these issues have not been addressed yet. And until we have identity built into transactions, we won’t have the levels of trust required to make significant change. Payments, for example, will move from plastic to mobile, but authentication (even multi-factor) is not enough to significantly reduce fraud.

I suspect blockchains (the technology behind crypto-currencies) have a big chunk of the answer, but I can’t even conceive how this will be done. I just know it needs to.

EMV Liability Shift, How Mobile Authentication Can Ease the Pain

In October of this year, any merchant in the US who does not demonstrate the ability to accept EMV transactions can be deemed liable for the fraud associated with counterfeit cards.

That’s only 5 months from now.

Most people in the EU can’t really understand the confusion this has generated – we’ve had chip & PIN for well over a decade – but for the population of the US, swipe & signature is as natural as handing over cash. Retailers are rightly concerned that adoption will be a slow and painful process, but that may not be their biggest concern.

Estimates of the cost of transition from magnetic stripe to chip range from 12 (mine) to 33 (the press) billion USD, and the lion’s share of this will fall to the retailers, who must replace their existing PIN entry devices (PEDs) with chip-compatible ones. The chances are good that this expense was not in their long-term costings, and bringing forward the end-of-life of their PED infrastructure is simply not an option in an industry where profit margins are razor thin.

But the thing that few people realise is that while the chip alone is a positive factor in fraud reduction (anti-counterfeit), the greatest benefit of the roll-out of EMV is only achieved when it is used in conjunction with a 4-digit Personal Identification Number (PIN). This effectively adds a second factor of authentication (the card is something you have, your PIN is something you know), making card-present transactions significantly more secure. PIN alone would have a significant positive impact as well.

It follows therefore that while organisations scramble to comply with the letter of EMV, there already exists in almost everyone’s pocket the capability to provide not just a PIN, but multiple forms of authentication and value-add services that far exceed the benefits of the chip; the mobile phone.

Even the loss of the Primary Account Number (PAN), which is the largest cause of card-related fraud, is meaningless if the thief can’t complete the transaction. Add to this the numerous benefits of instant coupons, loyalty programs and even ratings & reviews, and the retailer now has the capability to enhance the customer journey while meeting the intent of EMV.

Neither the card issuers nor even the card schemes themselves are fixated on EMV itself; they are only truly interested in reducing fraud. Retailers share this goal, even if they do not entirely agree with the way to get there.

It is up to authentication vendors to provide alternatives, and get those alternatives tested, real-world proven, and on the table. This will not be authentication vendors alone, or mobile device manufacturers alone, and the result will not be a decision made by card schemes alone. This will be a collaboration between ALL players, and will only work if everyone comes away a winner.

Especially the consumer.

