Friday, June 14, 2024

EXCLUSIVE: “Kill or Cure?” – Linda Weston, Barclaycard Payments; Andrew Shikiar, FIDO Alliance and Quintin Stephen, Giesecke+Devrient in ‘The Fintech Magazine’

Is Strong Customer Authentication just a sticking plaster for a patient that’s bleeding out? Linda Weston, MD and Head of Core Products for Barclaycard Payments, Andrew Shikiar, Executive Director of the FIDO Alliance, and Quintin Stephen, Global Business Lead, Authentication at Giesecke+Devrient discuss vital signs and possible interventions

More than a year after Strong Customer Authentication (SCA) became a legal requirement for digital payments in the UK and Europe, the wrangle over how to reach the holy grail of a perfect balance between security and usability rumbles on. Against a background of global payment card fraud that is expected to rise to a staggering $49billion by 2030, the need for extra security around card payments closer to home was highlighted by research based on European Central Bank data, published in 2022.

Analysis by the Social Market Foundation found that the UK had the highest bank card fraud rate in Europe, with 134 card frauds per 1,000 people in 2019. The cost of card fraud per 1,000 people in the UK was put at more than £8,800. By contrast, France saw 115 card frauds per 1,000 people, Spain 37, Italy 19, and Germany only 15.

The vast majority of fraudulent transactions (84 per cent) in the UK involved the card details being used without the physical card being present, pointing to the rising incidence of malware and phishing scams used to steal the information. Strong Customer Authentication (SCA) is a requirement under the European Union’s Payment Services Directive (PSD2), adopted by the UK ahead of Brexit, and it relies on something you know, something you have, or something you are to validate a user’s identity.

Banks are now compelled to use two of those factors to verify online payments, in what is known as two-factor authentication. The industry standard for authenticating card payments is known as 3D Secure. The principles of such a multi-factor authentication (MFA) system are starting to be taken up globally. But, despite SCA coming into force in the UK in March 2022, research by Adyen among 500 senior retail decision makers a year on found that more than one in 10 (13 per cent) had still not adopted it. That leaves businesses vulnerable to FCA penalties for non-compliance, as well as at risk of losing business, because a growing number of issuing banks are declining non-compliant transactions. So why the resistance?

Well, almost a third (32 per cent) of those questioned by Adyen also reported that conversion rates have fallen since SCA came into effect.

“With analysts predicting that payment card fraud is expected to rise from $28billion globally in 2020 to $49billion in 2030, merchants really need to act now to protect their future profits and their customer loyalty”

Linda Weston, Barclaycard Payments

It all comes back to that aforementioned holy grail: how to provide a solution that is secure but seamless: make it too difficult and customers will abandon transactions, make it too soft and you risk losing customer confidence in completing transactions. For its part, Barclaycard Payments, a top payments processor in the UK, has developed a fraud screening process called Barclaycard Transact, which uses AI and machine learning to assess transaction risk levels in real-time. Transactions that are deemed low risk use an exemption under PSD2 which allows customers not to take extra verification steps.

“The biggest challenge facing the payments industry right now is how to balance fraud risk and the customer experience, within the construct of regulation,” confirms Linda Weston, MD of Barclaycard Payments. “With analysts predicting that payment card fraud is expected to rise from $28billion globally in 2020 to $49billion in 2030, merchants need to act now to protect their future profits and their customer loyalty.

“Retailers must safeguard themselves from cyber fraud with advanced protections, and really utilise technology that does exist in the payments industry, such as Barclaycard Transact. We control and help to manage that process, minimising the risk of fraud and declines for merchants. Businesses need to provide that smooth, secure, painless payment experience for customers, and this is especially important online.

“Payments providers can really help businesses to thrive, by creating smart, cost-effective payment solutions, that keep customer experience strong and simple. There are some great innovations, and I think, as technology has evolved, machine learning, artificial intelligence, all of those items are combining in order to provide a much stronger capability to detect fraud up front, rather than relying on processes, post the event happening.”

THE MAGIC TOUCH?

The FIDO Alliance is an open industry association with a mission to help reduce what it sees as a global over-reliance on passwords – a key vulnerability to fraud – and develop simpler, stronger authentication. With PayPal among its co-founders in 2012, its ranks now include more than 300 members, including big techs Microsoft, Amazon, Google, Apple and Facebook.

FIDO Alliance’s executive director Andrew Shikiar believes biometrics – a technology championed in its standards – offer a superior, safe and seamless customer experience. “I think we’ve seen some challenges, frankly, with methodologies for two-factor authentication which take the user out of the transaction flow, perhaps seeking a PIN, or an email, or message, or juggling between devices. That is suboptimal,” he says. “To best aid commerce, we need to find solutions where you have a single gesture, two-factor authentication, which is possible through biometric sign-ins based on FIDO [Fast Identity Online – a set of technology-agnostic security specifications for strong authentication].”

The rapid advance in the use of biometrics such as fingerprints on smartphones has already had a huge impact on the payments industry. Indeed, recent research by Barclaycard Payments shows that digital wallets now represent 30 per cent of all transactions in the UK, outstripping contactless in-store payments (24 per cent), conventional card payments online (21 per cent) and cash (17 per cent).

That’s particularly significant for retailers, as data shows customers forgetting their passwords is a prime cause of cart abandonment and that even those who accept the invitation to reset their passwords spend less. Shikiar believes there is already a quantum shift at play.

“Ultimately, I think the conversation is shifting from bottom line, which is your fraud prevention, to top line, which is revenue creation,” he says.

“Risk and fraud are not competitive issues… partnerships are absolutely critical in managing the end-to-end lifecycle of a transaction, as well as how users interact with the system”

Quintin Stephen, Giesecke+Devrient

One of the Alliance’s large e-commerce members has found that about 15 per cent of its customers cannot remember their passwords when they sign in.

“And we know there is around a 50 per cent shopping cart abandonment rate for people who don’t know their passwords. That’s a huge opportunity loss,” says Shikiar. “Furthermore, those that actually take the time to do a password reset spend less money. So, with a better authentication method, if we can move the needle on that from, say, 85 per cent signing in to even 86 per cent, that’s a huge top-line benefit.”

That said, research commissioned by FIDO Alliance found around 30 per cent of people are reluctant to give up password authentication because they mistrust biometric technology. A lot of that comes down to education – or lack of it – by the banks, says Shikiar.

“People see a thumbprint to sign in and mistakenly think ‘no way am I going to give my thumbprint to my bank’, even though they’re not – the thumbprint is staying on the device. So, while I think biometrics will evolve, consumers at large will need to be educated, and become more comfortable with them.

“The cautionary side of this is that it’s very important that service providers and industry protect the integrity of biometrics. This is why we think it’s so important to do everything on device, where the risk of a biometric breach is eliminated, which will help instil further confidence.”

Weston also sees the case for the increased use of sophisticated biometrics.

“The growth in smartphone use has brought biometric authentication to the masses and made it a really normal experience for consumers, which is always super helpful,” she says. “And there are many forms of biometrics – behavioural biometrics is another key area that can be used to support authentication methods.

“Part of the challenge, though, can be that it can take time to build some of those biometric profiles. That means that you have to couple biometric authentication with other forms of authentication in order to remain within the framework of the regulation, and also to protect yourself, and your consumer, from potential fraud.”

Quintin Stephen, of security technologies provider G+D, says banks have been slower at adopting biometric technology because there was ‘a concern that you would lose your customer along the way, by changing the way you were authenticating’.

He says, though, that ‘if you add a convenient way of authenticating to the convenience of being able to shop on your mobile device, that only leads to a massive increase in transactions’.

“So merchants obviously find that very attractive,” he says.

“If you look at PSD2, and all the regulations around authentication, a lot of them are fixated on solving a problem that’s fundamentally tied to the primary factor of authentication that we’ve had for 60 years, which is the password. Passwords are the problem”

Andrew Shikiar, FIDO Alliance

As global business lead, authentication at G+D, which works with more than 130 central banks and more than 2,400 commercial banks, as well as all the major payment schemes worldwide, Stephen says partnerships are vital in the future development of payments authentication.

“The whole reason for authentication is because of risk, fraud, and compliance,” he adds. “One bank or one financial institution is not competing against another when it comes to fraud and risk. So, it needs an ecosystem approach because the weakest link is what will get attacked. Partnerships are critical in managing the end-to-end lifecycle of a transaction, as well as how users interact with the system.”

Shikiar strongly agrees: “There is no competitive advantage to isolating yourself. So we’re really looking at security and authentication by community, building best practices, building open standards and common flows, to allow for more secure user authentication.”

In that case, are the guns of the world’s payment regulators being pointed in the right direction?

Shikiar believes that, while regulation has undoubtedly improved security, there remains a big and fundamental challenge to be overcome.

“If you look at PSD2, and all the regulations around authentication, a lot of them are fixated on solving a problem that’s fundamentally tied to the primary factor of authentication that we’ve had for 60 years,” he points out. “Passwords are the problem. Passwords lead to data breaches. Passwords can be hacked. I could guess your password. I could steal your password. I could even steal your SMS one-time password. Any sort of knowledge-based credential can, and will be stolen.

“Two-factor, three-factor, multi-factor authentication – these approaches are certainly stronger than passwords alone but, ultimately, they’re band-aid solutions to address the flawed primary factor. What we at the Alliance have been introducing lately is a passkey, which is an alternative to passwords as a primary factor. It provides MFA-type capabilities in a single gesture, possession-based authentication, and is supported by Apple, Google, Microsoft, etc.

“Regulators need to adjust their view on authentication based on these new capabilities. Once the focus is taken away from bolstering passwords, we can actually start solving the problem. And so I’d like to see regulation start to embrace more modern means of authentication that exist today, beyond just layering added factors on top of a flawed first factor, on top of the password.”

Weston takes a more cautious view, saying: “At this stage, we’re a year into the regulatory requirements for PSD2 around authentication. I think we need to give a little bit more time, to really see how that embeds, before we can form a strong frame of view as to what that future evolution could or should look like.”

Stephen raises another issue: that global regulators are not in agreement over how identity verification should be tackled.

“I think this is the biggest challenge,” he says. “PSD2 covers the EU, but there are many markets out there that have varying degrees of regulation, or no regulation. This is a big challenge, especially for banks that operate across multiple countries. The multitude of regulations out there are not really in lockstep – I’m not saying they have to all follow PSD2, but PSD2 is definitely the flagship when it comes to regulation.

“I agree, though, let’s not put another band-aid on the problem when it comes to authentication. Let’s go back to the fundamentals of what this regulation must drive.”


This article was published in The Fintech Magazine Issue 28, Page 44-45
