According to a 2020 McKinsey & Company study, the average share of customer interactions that were digital in nature rose by 22% to 58% last year. This increase in digital transactions makes it more vital than ever to ensure that your customers' identities, accounts, and interactions with your business are secure. A number of regulations address this need, and if you process any online transactions, you have likely heard of the European Union's PSD2 (Payment Services Directive 2), which was introduced at the start of this year.
The European Union's Second Payment Services Directive (PSD2) is driving change and innovation in the payments industry and is reshaping the way that businesses and financial institutions process online transactions. PSD2 aims to increase the security of online purchases whilst also improving the speed of customer authentication.
PSD2 is a two-pronged regulatory policy in the European Union: it requires banks to allow third-party access to customers' account data, and it requires that online transactions meet minimum security criteria to protect customers from fraud and increase the overall security of the payment landscape in the EU.
PSD2 achieves this by making customer account data more widely available, so that it is easier for payment services to verify legitimate customer purchases. PSD2 also requires e-commerce platforms to enact stronger security measures at the point of sale to verify that customers really are who they say they are.
PSD2 requires e-commerce vendors and financial institutions to implement stronger security and additional verification methods for online transactions. This core principle, Strong Customer Authentication (SCA), aims to reduce payment fraud whilst minimising the impact on the customer experience. SCA can also defend against and mitigate account takeovers, unauthorised account access, and fraudulent transactions.
The key enabler in this case is two-factor authentication, which requires consumers to provide at least two pieces of information to prove their identity.
These multi-factor authentication elements must be independent, in that if one element is breached, it does not compromise the reliability of the others. We have discussed this requirement in a previous blog post on the topic of SMS one-time passwords, which are not compliant if the SIM card has not been authenticated before the customer receives the SMS.
By verifying two of the three SCA categories (knowledge, possession and inherence), you achieve SCA and therefore become PSD2 compliant. When a customer logs onto an account using a username and password, you have already achieved the 'something a customer knows' qualification, and you need just one more to be compliant. The possession qualification in this instance can be met through the authentication of a user's mobile SIM card, but not by a standalone SMS message, as many believe. In the case of an SMS, and as highlighted in Q&A 4039 of the EBA Opinion on SCA under PSD2, the possession element 'would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number'.
Phonovation's innovative FinTech solution complies with PSD2 by bringing together mobile networks and client networks, so that financial institutions, FinTech companies, and KYC companies can validate and authenticate customer identities directly at the mobile phone network level.
Our patented Mobile ID solution provides a PSD2-compliant API into the physical mobile network to help you monitor your customers' mobile identities in real time. This enables your business to securely and seamlessly authenticate millions of customers, protecting you and your customers against online fraud.
At Phonovation, we ensure your customer experience is not compromised but rather optimised: our solution provides a seamless customer journey by permitting an SMS OTP to meet the possession factor and to fulfil the dynamic validation required by SCA.