RTS ON STRONG CUSTOMER AUTHENTICATION - The SPA Position - December 2016
The draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) were released by the European Banking Authority (EBA) last August for a two-month public consultation period. The document has raised an unprecedented level of expectation in the European payments industry, and probably overseas as well.
By elaborating some of the core concepts of the revised Payment Services Directive (PSD2), the EBA expects to bridge the gap between the legal provisions and conformant technical implementations.
Why the RTS on Strong Customer Authentication is controversial
The broad scope of the RTS on SCA covers all types of SEPA payment instruments, including all types of card payments, cardholder present and online. The only (partial) exception is SEPA Direct Debit, and even that exemption depends on the mechanism used to transmit the debit mandate to the payee.
Two important points to take away are that:
(1) Strong Customer Authentication (SCA) becomes mandatory for any transaction, unless the transaction falls into the list of exemptions in chapter 2 of the RTS, and
(2) PSD2 provides, for the first time, a legal definition of Strong Customer Authentication. The definition requires two independent factors (knowledge, possession or inherence), similar to the earlier recommendations of the SecuRe Pay forum published by the European Central Bank (ECB).
Together, these two points mean that the draft RTS leaves little or no room for a risk-based authentication model in which SCA is applied as a step-up only for high-risk transactions. The well-accepted principle of applying a level of authentication proportionate to the risk of the transaction has been dropped. This is a problem because Payment Service Providers (PSPs) today implement exactly that: a level of authentication proportional to the risk of the transaction.
The trade-off between user convenience and the need for mechanisms to reduce fraud is now biased in favor of a higher and uniform level of security. This differs from the approach selected by EMVCo for the new version of its protocol, EMV 3-D Secure 2.0 (EMV 3DS 2.0).
Moreover, PSPs and schemes have invested heavily to integrate the complex risk-based authentication algorithms of EMV 3DS 2.0 into their processing systems. This investment will be jeopardized if SCA becomes mandatory for every payment. The so-called 'frictionless flow', in which the cardholder is authenticated passively as the general rule, is central to 3DS 2.0; a challenge requiring active strong customer authentication is the exception.
Even if EMV 3DS 2.0 fits into the new regulatory framework for high-risk transactions, the underlying principles and assumptions are not the same, and a conflict of positions becomes inevitable.
Fixing payment amount thresholds for the exemptions from SCA likewise removes the flexibility that implementations require.
Is the generalization of Strong Customer Authentication disruptive?
The important point here is that online payments show by far the highest growth in number of transactions, and also in fraud. Even worse, this trend is expected to intensify in regions such as the US as EMV chip migration pushes fraud from the card-present to the card-not-present channel.
This trend is confirmed by fraud data published by numerous reliable sources. For instance, the most recent figures published by Financial Fraud Action UK show an increase of 20% in Card Not Present (CNP) fraud between 2014 and 2015. Data released by the Banque de France and past card payment fraud statistics published by the European Central Bank also confirm this trend.
This fraud, which results from the electronic theft of cardholder data, is compounded by weak or absent cardholder authentication, which in turn leads to incorrect payment authorization decisions. The fact that EMVCo has not focused on CNP transactions until recently is discussed later in this paper. It therefore makes sense that the EBA reinforces, rather than relaxes, cardholder authentication requirements.
SPA reminds readers that for Card Present transactions, both the issuer and the acquirer apply their own risk management policies, implemented in the card and the terminal respectively. The EMV specifications make this risk-centric approach fully compatible with the SCA procedure. Simply put, for EMV transactions the risk management procedure decides whether the payment authorization goes online to the issuer or the transaction can be approved offline. This risk-based authorization strategy, built on top of SCA, has proved highly successful in almost eliminating fraud for Card Present payments. That's the reality.
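As an added illustration of the decision described above (this is not SPA, EMVCo or scheme code), the following toy Python model follows the terminal risk management and terminal action analysis steps of EMV Book 3 (sections 10.6 and 10.7). The floor limit, random-selection percentages, offline counters and the issuer/terminal action codes are invented values. It shows how the terminal's floor limit, random selection and velocity checks set bits in the Terminal Verification Results (TVR), and how those bits, combined with the issuer's and the terminal's action codes, decide whether the terminal requests an offline approval (TC), an online authorization (ARQC) or an offline decline (AAC).

```python
"""Toy model of EMV Terminal Risk Management (TRM) and Terminal Action
Analysis (TAA), after EMV Book 3 sections 10.6 and 10.7.

Added illustration only; not SPA, EMVCo or scheme code.  Floor limit,
percentages, offline limits and action codes are invented.  Amounts are
in minor units (cents).
"""
import random
from dataclasses import dataclass
from typing import Callable


def tvr_bit(byte: int, bit: int) -> int:
    """TVR is 5 bytes, byte 1 leftmost; bit 1 is the least significant bit of a byte."""
    return 1 << ((5 - byte) * 8 + (bit - 1))


TVR_NEW_CARD = tvr_bit(2, 4)             # Last Online ATC Register is zero
TVR_EXCEEDS_FLOOR_LIMIT = tvr_bit(4, 8)
TVR_LCOL_EXCEEDED = tvr_bit(4, 7)        # lower consecutive offline limit exceeded
TVR_UCOL_EXCEEDED = tvr_bit(4, 6)        # upper consecutive offline limit exceeded
TVR_RANDOMLY_SELECTED = tvr_bit(4, 5)    # selected at random for online processing


@dataclass
class Terminal:
    floor_limit: int
    threshold_value: int          # start of the biased random selection ramp
    target_percentage: int        # selection probability below the threshold
    max_target_percentage: int    # selection probability just below the floor limit
    online_capable: bool = True
    # Terminal Action Codes (invented): acquirer policy on which TVR bits
    # force a decline, force online, or force a decline when offline-only.
    tac_denial: int = 0
    tac_online: int = (TVR_EXCEEDS_FLOOR_LIMIT | TVR_RANDOMLY_SELECTED
                       | TVR_LCOL_EXCEEDED | TVR_UCOL_EXCEEDED)
    tac_default: int = TVR_EXCEEDS_FLOOR_LIMIT | TVR_UCOL_EXCEEDED


@dataclass
class Card:
    atc: int                      # Application Transaction Counter
    last_online_atc: int          # Last Online ATC Register
    lcol: int                     # Lower Consecutive Offline Limit
    ucol: int                     # Upper Consecutive Offline Limit
    # Issuer Action Codes (invented): the issuer's own risk policy on the card.
    iac_denial: int = 0
    iac_online: int = TVR_NEW_CARD | TVR_LCOL_EXCEEDED
    iac_default: int = TVR_UCOL_EXCEEDED


def _random_draw() -> int:
    return random.randint(1, 99)


def transaction_target_percent(amount: int, term: Terminal) -> int:
    """Constant below the threshold, then a linear ramp up to the floor limit."""
    if amount < term.threshold_value:
        return term.target_percentage
    factor = (amount - term.threshold_value) / (term.floor_limit - term.threshold_value)
    return int((term.max_target_percentage - term.target_percentage) * factor) + term.target_percentage


def terminal_risk_management(amount: int, term: Terminal, card: Card,
                             draw: Callable[[], int] = _random_draw) -> int:
    """Floor limit, random selection and velocity checks; returns the TVR bits set."""
    tvr = 0
    if amount >= term.floor_limit:
        tvr |= TVR_EXCEEDS_FLOOR_LIMIT
    elif draw() <= transaction_target_percent(amount, term):
        tvr |= TVR_RANDOMLY_SELECTED
    # Velocity checking: how many transactions since the card last went online.
    if card.last_online_atc == 0:
        tvr |= TVR_NEW_CARD
    offline_run = card.atc - card.last_online_atc
    if offline_run > card.lcol:
        tvr |= TVR_LCOL_EXCEEDED
    if offline_run > card.ucol:
        tvr |= TVR_UCOL_EXCEEDED
    return tvr


def terminal_action_analysis(tvr: int, term: Terminal, card: Card) -> str:
    """Cryptogram the terminal requests: AAC = decline offline, ARQC = go online
    for issuer authorization, TC = approve offline.  The card may still
    downgrade the request in its own card action analysis (not modelled)."""
    if tvr & (card.iac_denial | term.tac_denial):
        return "AAC"
    if term.online_capable:
        return "ARQC" if tvr & (card.iac_online | term.tac_online) else "TC"
    return "AAC" if tvr & (card.iac_default | term.tac_default) else "TC"


def decide(amount: int, term: Terminal, card: Card,
           draw: Callable[[], int] = _random_draw) -> tuple:
    """Return (TVR as 10 hex digits, requested cryptogram type)."""
    tvr = terminal_risk_management(amount, term, card, draw)
    return f"{tvr:010X}", terminal_action_analysis(tvr, term, card)


if __name__ == "__main__":
    term = Terminal(floor_limit=5000, threshold_value=2000,
                    target_percentage=10, max_target_percentage=50)
    card = Card(atc=5, last_online_atc=3, lcol=3, ucol=6)
    for amt in (1500, 3500, 12000):
        print(amt, decide(amt, term, card))
```

The `draw` parameter exists so that the random selection can be pinned in tests; in a real terminal it is the terminal's own random number generator. Two further steps follow in a real EMV transaction and are not modelled here: the card's own action analysis, which can turn a requested TC into an ARQC or AAC, and, when the terminal goes online, the issuer's authorization decision on the host.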
The security objective of the RTS on SCA is that online and face-to-face payments offer a similar level of protection to the end user, despite the fact that the vulnerabilities and resulting risks of the two channels differ. That is challenging, because online payments are conducted over open networks outside the control of PSPs. Moreover, from a security perspective, the fact that PSD2 recognizes Third Party Payment Providers as payment initiation intermediaries adds to the overall risk of the transaction.
We note that Article 1 of the draft RTS, which sets out the transaction risk management mechanisms a PSP must operate, is consistent with the robust EMV risk management model. Quite properly, the RTS requires that risk management be applied before final payment authorization is granted. In practice this means after strong customer authentication and before authorization. As explained, this is consistent with the EMV approach being extended to the online payment context.
SPA members have long been developing online e-banking products that use strong authentication based on the generation of one-time dynamic codes. Other solutions use a personal EMV card or a dedicated e-banking card connected to a computer through a reader. Hardware tokens of different form factors, personalized with payment applications, can be connected to both mobiles and PCs. These products are operational but have not been commercially successful so far. In other words, until now this market has lacked maturity, so the disruption, if any, is not of a technical nature.
The problem is the time it is taking to achieve a natural migration, because of legacy online payment devices and systems whose return on investment still has to be realized in the aftermath of the recent financial crisis. Meanwhile, fully risk-based authentication models such as those of PayPal or Amazon One-Click have been deployed in recent years.
Between the radical criticism of the RTS on Strong Customer Authentication, which SPA does not share, and the need to take market realities into account, a third way is needed.
SPA proposes the legal recognition of a concept of enhanced authentication
Card payment vendors anticipated the rise of fraud in online payments and e-banking. For example, dynamic CVV display cards are a substantial security improvement over the manual entry of a static Card Verification Code into a browser: because the displayed code changes at regular intervals, card data stolen from a merchant or by malware has a short useful life. Even though these cards do not on their own meet the SCA definition of PSD2, forbidding their use for amounts above 10 Euros is not justified from a fraud perspective. The benefits of this card technology should be recognized in law.
As an alternative, and to provide a more flexible migration framework, SPA proposes the recognition of an intermediate level of authentication that could be named 'Enhanced Authentication'. By 'Enhanced Authentication' we mean authentication technologies that have demonstrated proven effectiveness in the field, even if they are not fully compliant with the legal definition of SCA. The dynamic CVV card is one example. SPA notes that standardizing several levels of authentication is common practice, and that 'Enhanced Authentication' could be tied to its own exemption regime. Past investments could be paid back this way, paving the way for the new investments required to migrate to a fully SCA-compliant payment infrastructure.
SPA does not believe that this Regulatory Technical Standard necessarily hampers innovation. The starting point is to ask what kind of innovation we are talking about. First and foremost, innovation is often hampered by the undue power of some actors in a given market. In such cases, innovation tends to consolidate dominant market positions rather than improve services and deliver what may generically be described as a socially desirable level of security.
Secondly, payers have a broad range of electronic payment methods at their disposal, yet many of them are not well adapted to the constraints of internet communications and must be adapted. Thirdly, to ensure adoption, innovative payment technologies must be perceived as secure; innovation must preserve confidence in electronic payment systems.
By mandating SCA, the EBA sets the red line for innovation and competition. The new challenge for the EU security industry is to offer easy-to-use online payment methods that respect the principle of SCA. SPA considers this approach correct in theory. Yet the legacy issue has to be considered. A good law takes market reality into account and makes provision for flexible migration paths.
Because the methods used to authenticate card present transactions (dynamic card authentication and PIN verification) are not easy to apply in the online context (even though products for EMV online transactions exist), PSPs and schemes have pushed online payment innovation in two directions:
(1) By proposing alternatives for customer authentication based on geolocation or analysis of customer behavior. From a customer privacy perspective, however, the personal information collected by these 'passive' authentication methods raises concerns. SPA considers these innovations emerging tools that complement, but do not replace, certified authentication devices under the control of the payer. Such devices are the most appropriate technology to protect personalized security credentials (PSCs) and the cryptographic keys needed to protect PSCs both at rest and, especially, in transit.
(2) By developing methods to manage the 'risk appetite' of the payment service provider. Complex algorithms combine multiple variables to recognize a payer as a legitimately enrolled end user. SPA believes that the use of such algorithms is perfectly compatible with SCA methods, because they serve the payment authorization decision rather than replace the authentication step.
To summarize, SPA considers that harmonizing a robust common Strong Customer Authentication baseline does not necessarily hamper innovation. The resulting perceived level of security will foster end-user acceptance of new payment solutions. The real challenge for new payment methods is not a trade-off between convenience and security, but developing highly secure products that are also convenient. Having said this, SPA outlines its concerns with respect to two aspects of the draft RTS:
(1) SPA believes that some provisions of the draft do not fully respect the principle of technological neutrality.
(2) Many articles of the text require clarification.
On the neutral nature of the EBA Regulatory Technical Standards
Short-term compliance of card-based online payments with the RTS is an unrealistic objective, and this raises a concern about the technological neutrality of the document. As explained, our understanding is that the objective of the RTS is to promote a similarly low level of risk for all users of electronic retail payment instruments. This objective, which SPA fully shares, should not be pursued by indirectly promoting a particular payment instrument by law.
In this respect, SPA notes that some RTS articles do not appear to respect this fundamental principle. For example, SPA believes that Article 8.2 favors the use of credit transfers for remote payments and therefore discriminates against other payment instruments, infringing the principle of technological neutrality. Such articles should be removed from the final version of the RTS or be applied to all SEPA retail payment instruments.
Further clarification is needed
SPA understands that this first version of the document is the result of a difficult compromise between the hundreds of proposals the EBA received on its initial discussion paper of December 2015. The EBA also chose to merge into a single document provisions and recommendations from several earlier publications of the European Central Bank, which needed to be connected. Yet a significant number of core concepts, and the articles that use them, require substantial clarification. SPA has detailed where further information is required in its submission to the public consultation. The terms concerned include:
• ‘sensitive data’
• ‘separated trusted execution environment’ for a mobile device
• ‘separated channels/applications/devices’ for payment initiation and for the display of the payment details to the customer.
Furthermore, in Chapter 3 on 'personalised security credentials', SPA believes that the description of the data to be used in the authentication process is insufficient.
From the SPA perspective, the 10, 50, 100 and 150 Euro thresholds appear arbitrary and are likely to be subject to frequent future changes. These thresholds should be regularly reviewed and adapted by the EBA.
Seven take-away points from the SPA perspective
1. SPA supports the need expressed in the RTS on SCA to protect the consumer at a time when a broad range of new payment technologies is available and statistics confirm an increasing fraud rate for online payments.
2. Generalizing the Strong Customer Authentication is a good security principle. SPA has always been in favor of exporting the EMV security model for card present transactions and a two-factor strong authentication model to online payments.
3. SPA recognizes that the degree to which risk-based authentication is accepted is a real issue. Ideally, the industry and the regulator should debate and agree on the best fraud prevention strategy among the realistic alternatives: transaction-risk-based decisions by the PSP, the 'one size fits all' strong customer authentication of the EBA approach, or a combination of the two.
4. SPA contends that the RTS shouldn’t favor a particular payment technology. However, the role of tamper-resistant devices in implementing security mechanisms that protect confidentiality and the integrity of data should be recognized by the law.
5. SPA believes that implementations of the RTS should result in a greater level of protection against fraud, enhance competition, and provide an acceptable return on investment for all stakeholders, provided that the regulators guarantee flexibility for migration implementations.
6. In particular, SPA proposes the legal recognition of a third level of authentication ‘Enhanced Authentication’ to preserve past investments for those online payment products which have proved their effectiveness in reducing online payments fraud.
7. SPA is an organization strongly involved in the standard-setting process. In that regard, the RTS should be more explicit about the nature of the standards to be developed for a harmonized implementation of PSD2. For example, standards for end-to-end device authentication protocols for e-ID management and remote administration should be developed, or recommended for implementation where they already exist.