How PSD2 Is Changing the Way We Deal with Fraudsters
No Love Lost Between PSD2 and Fraudsters
The EU's Payment Services Directive, currently in its second incarnation, is set to bring many changes. Faster payments and the rise of third-party payment options utilizing banks' APIs are a boon to customers, but what about fraudsters? PSD2's purpose is to enhance digital payments' overall security, but the directive may also be bringing its own set of problems.
The Pressure of Choice
PSD2 increases the number of "players": where once it was just a customer and their bank, now there are also third-party service providers (TPPs). While choice is usually a great thing for customers, in this instance it also brings an increase in both transaction volumes and in demand for mobile payment options.
The pressure on fraud detection systems increases accordingly: they are expected to perform in ever shorter amounts of time while dealing with various third-party systems. A significant concern is that, since banks no longer deal exclusively with their customers, malware and social engineering could be used to slip past a bank's fraud defense systems.
AUTOMATION, CALIBRATION & FRICTION
PSD2 also requires increased measures of customer authentication. Since automated monitoring systems already in place are not calibrated to new payment schemes and fraud scenarios, this may impact their efficacy.
Furthermore, once these measures are in place, an increase is expected in blocked payments, which in turn is expected to increase both the demand on call centers and customer friction.
Biometrics and Behaviors for Authentication
However, these problems are being dealt with: automation and advanced analytics are already being employed, and biometrics is also on the rise. Behavioral biometrics should prevent account takeover by distinguishing real users from fraudsters who have taken over the account, while Mastercard recently announced fingerprint-scanning cards that should verify the cardholder's identity while they make purchases. Also, PSD2's own Secure Customer Authentication stipulates mandatory 2-step authentication for transactions.
INTERVIEW: MARKO MARIJANOVIĆ
PSD2 implementation has been a hot topic for quite some time now. Read what Marko Marijanović, Compliance Expert at Mercury Processing Services International, has to say about the Directive and the challenges it raises, both in fraud prevention and future implementation.
How long did it take for Mercury Processing Services International to become compliant with PSD2?
PSD2 compliance, from our Company’s perspective as an outsourced service provider of our client banks, will predominantly commence when specific PSD2 bylaws come into effect, such as Regulatory Technical Standards (“RTS”), Guidelines on Fraud Reporting and similar. This will mostly happen throughout 2019.
What was the biggest challenge faced by Mercury Processing Services International when it comes to PSD2 compliance?
The challenge, which I believe is the same for the entire industry, lies in the fact that it is still unclear how some of the requirements are to be executed in practice. Let me clarify: PSD2 and RTS are entering the territory of self-regulation of payment card schemes. Our industry is still fully based and dependent on the rules of these schemes, their services and their infrastructure.
All of these need to be adapted to the new regulations. As a prerequisite, for an RTS rule to become practically deliverable, we depend, first of all, on the deliverables of payment card scheme solutions as conditions precedent. The e-commerce standard PCI 3DS 2.0 is the best example here. Furthermore, adaptability of the solution is necessary for each bank. This creates a chain reaction and it will take time. It also means “early” compliance is simply not something that should be heard very often.
What is the biggest fault with PSD2 and what is the biggest benefit?
It is a Directive, which means that each country needs to transpose it into its national law. Intentionally or unintentionally, this opens up the possibility of 28 different ways of implementation and 28 different interpretations by 28 EU Member States. On the other hand, the payments market is a global game, so hopefully PSD2 will not hinder the way we spend outside Europe, especially in the United States and in post-Brexit UK. Still, it is a bold and brave move to steer the payments sector into the 21st century and to prepare a digital playground for an infinite number of business solutions that the smartphone technology can offer.
How does PSD2 help, and how does it hinder when it comes to fraud?
It is still too early to predict this, but the role of the new players on the market - the so-called “third party payment providers” - and the services they will offer, will be an important indicator of how one needs to adapt in fighting fraud in this segment.
Has there been a significant shift in security since PSD2 has been implemented? If yes, what was it? If no, why would you say no?
Guidelines on Major Incident Reporting and other PSD2 bylaws in this area will definitely help further shape the security frameworks of service providers. However, it is clear that we will be facing a collision of two worlds: new agile players with questionable expertise, and questionable interest in security, and strongly regulated financial institutions continuously investing in security. It is still too early to understand the actual security impact that the above-mentioned new players will bring, but we do need to be prepared for new trends in the threat and fraud landscape.