Open Banking, the General Data Protection Regulation (GDPR) and 3D Secure 2.0 dominate client conversations, while Strong Customer Authentication (SCA) is not a priority despite the compliance deadline fast approaching, according to Sebastien Slim, director of Europe and Americas at global payment provider HPS.
“SCA, they speak about it but they don’t necessarily ask us questions,” he said, speaking on the sidelines of the firm’s customer conference last week. “At least this is what we’ve been discussing with our clients and even prospective clients. The questions revolve around PSD2 and GDPR but not so much around SCA.”
Come September 14, SCA – a part of the second payment systems directive (PSD2) – will require banks to challenge all online transactions over £30 with additional authentication. That authentication must combine two of three elements: something the customer is (inherence), something the customer has (possession), and something the customer knows (knowledge).
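As an added illustration of the rule described above (example code, not from the article or from HPS), the check below models the two-of-three requirement: it maps each authenticator a customer presents to its SCA category and only passes when at least two distinct categories are present, so two knowledge factors (a password plus a PIN) do not count as two factors. The £30 threshold, the authenticator names and their category mapping are constructed for the example; the real PSD2 exemption rules carry further conditions (cumulative limits, other exemptions) that are deliberately not modelled here.

```python
from enum import Enum
from typing import Iterable, Set, Tuple

# Assumption for this example: any online transaction above this amount
# is challenged. The article gives £30; the actual regulatory exemptions
# have additional conditions that are not modelled here.
SCA_THRESHOLD_GBP = 30.00


class Factor(Enum):
    """The three SCA categories named in PSD2."""
    KNOWLEDGE = "knowledge"    # something the customer knows (PIN, password)
    POSSESSION = "possession"  # something the customer has (phone, card)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)


# Constructed mapping of hypothetical authenticator identifiers to categories.
# A real system would derive this from its enrolled credentials.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "app_push": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def sca_required(amount_gbp: float) -> bool:
    """True when the transaction amount exceeds the challenge threshold."""
    return amount_gbp > SCA_THRESHOLD_GBP


def categories_presented(authenticators: Iterable[str]) -> Set[Factor]:
    """Collapse the presented authenticators into the distinct SCA categories.

    Unknown authenticator names are rejected rather than silently ignored, so a
    misconfigured front end cannot accidentally weaken the check.
    """
    categories: Set[Factor] = set()
    for name in authenticators:
        try:
            categories.add(AUTHENTICATOR_CATEGORY[name])
        except KeyError:
            raise ValueError(f"unknown authenticator {name!r}") from None
    return categories


def sca_satisfied(authenticators: Iterable[str]) -> bool:
    """Two-of-three rule: at least two *different* categories must be present."""
    return len(categories_presented(authenticators)) >= 2


def authorise(amount_gbp: float, authenticators: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether a transaction may proceed, with a reason for the audit log."""
    if not sca_required(amount_gbp):
        return True, "below threshold: no SCA challenge"
    categories = categories_presented(authenticators)
    names = ", ".join(sorted(c.value for c in categories)) or "none"
    if len(categories) >= 2:
        return True, f"SCA satisfied: {names}"
    return False, f"SCA not satisfied: need two distinct categories, got {names}"


if __name__ == "__main__":
    # Constructed sample transactions.
    for amount, presented in [
        (25.00, []),
        (45.00, ["password", "pin"]),
        (45.00, ["password", "sms_otp"]),
        (120.00, ["fingerprint", "app_push", "pin"]),
    ]:
        ok, reason = authorise(amount, presented)
        print(f"£{amount:>7.2f} {presented!s:<40} -> {'ALLOW' if ok else 'DENY '} ({reason})")
```

The point a reviewer of such logic looks for is the distinct-category test: counting authenticators rather than categories is the common mistake, and it is the reason the mapping step sits between the input and the decision.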
During the consultation period on SCA, banks – and their merchant customers – expressed their concern over the added friction in the customer experience, something Slim believes is not being explained to customers.
“You can draw a comparison to the rise of contactless,” he said. “We were asking customers for years to put in their PIN codes and all of a sudden we were telling them that their NFC chip was secure. That could happen to SCA when we’ll suddenly start asking customers for two-factor authentication.”
It is not the first time card scheme rules have been at odds with regulation, according to Slim.
GDPR requires companies controlling and processing consumer data in Europe to delete that data on the customer’s request, which is at odds with 3D Secure: “GDPR requires banks to remove customer data while Visa and Mastercard rules require you to keep that data for a period of time after the customer has left the bank. There’s a bit of contradiction around the two.”
3D Secure, the standard for online payment authentication, and its latest version 2.0 require an additional security layer as well as the sharing of transaction data to prevent fraud. It is mandated by the card scheme body EMVCo.
The cost of breaching GDPR stands at either €20m or 4% of annual revenue, and could prove as costly as $915m for Marriott International, according to reports. While Facebook paid a fine of £500,000 for the Cambridge Analytica scandal under the Data Protection Act, the tech giant could face fines of over £1.24bn under GDPR for its latest breach.
With no current standard, GDPR should emulate 3D Secure or PCI in offering a certification scheme that gives the industry guidance, Slim believes.
“Ultimately, GDPR is applicable but we’d prefer actual certification so that it’s clear to everyone,” he said. “The key concern is that there is no kind of certification for GDPR. Visa and Mastercard have rules to follow and you’re testing against that certification and at the end of which you’re certified.
“GDPR has no such standard; we’re asked to protect customer data and yet we have no way to demonstrate that we are doing just that. I don’t think you can live in a situation where you are asked to follow something without a way to demonstrate compliance,” he said.