PSD2: Customer Authentication & Your E-Commerce Site

On 14th September, the Revised Directive on Payment Services (PSD2) comes into effect. What does this mean for e-commerce websites?

Initially affecting financial institutions, the changes laid out in this directive should see better security and safety for customers buying online. PSD2 also aims to promote the development and use of online and mobile payments.

The EU hopes that much like the introduction of Chip and Pin for physical card transactions, this will help reduce fraud. It should also help reduce cases where customer details are not secured and left vulnerable. The Directive states that online payments must use Strong Customer Authentication.

What is Strong Customer Authentication (SCA)?

Strong Customer Authentication is defined as:

“an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”

In a nutshell, SCA asks that at least 2 elements are used to authenticate transactions, an example of Multi-Factor Authentication. On 14th September, any payments made online should be made in a way that satisfies this condition.

How does Multi-Factor Authentication work?

If you bank online, you may already have multi factor authentication set up. For example, you may need to enter a password and also provide a code generated on your smartphone. This is an example of 2 factor authentication (2FA)- even if someone guesses your password, they still need to get your device to authenticate. This creates another level of security for users.

A range of factors can be used, including:

• ‘Knowledge factors’ such as passwords or PINs and secret questions
• ‘Possession factors’ such as code generators, for example a device you can generate a code with
• ‘Inherent factors’ such as fingerprints or face recognition
• ‘Location factors’ such as only allowing access to users connected to a company network

The prevalence of smart phones means many systems use these in some way, with options for sending users SMS, scanning QR codes or using an app to generate a code.

How does this affect your e-commerce site?

Just as websites are built on a variety of platforms, there are a range of solutions to take care of merchant’s payment needs in the online world. Most payment gateways we looked at are turning to a technology called 3D Secure v2.

You may be familiar with the first version of 3D Secure- a little window opens in the page and you enter a password which is verified by your bank. It’s the online version of entering a PIN number. It has its detractors though, so recently a new version has been released which promises to make the process easier and safer.

Benefits of the new version include the use of increased data sharing, meaning many more data points can be checked and shared with the user’s bank, all silently in the background. The bank can then use this data to make a series of checks. This should appeal to online merchants, as it improves the user experience. If the bank does decide that the user does need to authenticate further, the experience should be smoother, with improved messaging and better support for a variety of devices.

What can you do to prepare?

Firstly, Generate UK would always recommend any payment gateway software installed on your site is kept up to date. This should ensure you are taking advantage of any new features. You should check with your provider to make sure they are implementing 3D Secure v2:

• SagePay
• PayPal
• Stripe
• Worldpay

And if you need some help or a point in the right direction, contact Generate UK.  Ask how we can assist in making sure your site is set up in the best way to keep your transactions safe.