Two Factor Authentication and PSD2

Life teaches us some tough lessons: no matter how good you think you are, no one is irreplaceable and no company is too big, too famous or too revered to fail. Take Thomas Cook Group UK Plc and its associated entities.

Thomas Cook was the oldest international travel company on the planet, having been founded by none other than a Mr. Thomas Cook back in 1841. At 2am on September 23rd 2019, their CEO announced that it had ceased trading with immediate effect and that all future flights and holidays had been cancelled. 21,000 staff lost their jobs and 150,000 customers were in-resort at the time, leading to one of the biggest civilian repatriation efforts since the Second World War.

The principal reason for Thomas Cook’s demise was its failure to grasp that the majority of travel is now booked online. Few people visit high street travel agents. They had an analogue business model in a digital world.

Purchasing habits globally have changed beyond recognition, with the huge drive online. This seismic shift brings with it some big challenges, none larger than trying to eliminate payments fraud.

PwC’s 2018 Global Economic Crime and Fraud Survey found that 49% of global organisations said they had experienced economic crime in the past two years. But what about the other 51%? Have they avoided falling victim – or simply didn’t know about it? Whatever the exact situation, the statistics are frightening.

In November 2009, European Union members signed a proposal designed to regulate payment services and payment providers in all EU and EEA member states. The proposal was known as Payment Services Directive 1 (PSD1) and it came into effect the following month. Its objective was threefold: to protect customers, improve the quality of services and to stimulate competition across Europe.

The European Union could not ignore the rise of the online world and in December 2015 the European Commission published the Second Payment Services Directive (PSD2). PSD2’s principal aim is to regulate the emerging world of Third-Party Providers (TPPs), the key mechanism being the implementation of a standard level of security offered to financial services customers across all member states. This is called Strong Customer Authentication (SCA).

Whilst PSD2 came into force in January 2018, the Regulatory Technical Standards (RTS) developed by the European Banking Authority (EBA) and associated with it only came into force on September 14th. And the principal one is (you guessed it…) SCA.

Businesses offering payment services within the European Economic Area (EEA) are now legally obliged to deploy additional security measures on electronic payments of more than €30. All customer-initiated transfers, such as bank transfers and single card payments, are subject to SCA safeguards. Payments deemed to be initiated by merchants (such as direct debits) remain outside this directive.

Under SCA, companies now have to verify a customer’s identity by two of the three following elements: something the customer possesses – i.e. the credit card, smart card or mobile device; something only the user knows, such as a PIN or password; and something that the user is, which means biometrics such as a fingerprint or facial scan. Essentially, it brings it closer to in-person payments, where having the card and knowing the PIN satisfies two of those three elements.

Mobile devices have become so prevalent and integral to our lives that they have essentially become an extra limb to many of us. We take them everywhere and thus whilst 2-way Application-to-Person (A2P) SMS connectivity might not be 100% ubiquitous globally yet, A2P SMS is a great way to help meet SCA safeguards.

So how is this done? Simplicity is the key. The service simply requires a mobile phone to be able to receive a supplementary login credential, a one-time PIN or password. The content originators generate the PINs/passwords, relay them securely to us and Mitto uses its comprehensive global connectivity channels to deliver them to the destination subscribers. The key element here is that it verifies they have a device linked to their account with them. This whole process is 2-factor authentication (2FA), most commonly deployed using A2P SMS as the primary delivery channel, with Voice sometimes appearing as a back-up.
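The possession check described above, as an added example that is not Mitto's code: the content originator generates a one-time PIN with a cryptographically secure source, stores only its hash with an expiry and an attempt budget, hands the PIN to a delivery callback (the `send_sms` callback is a stand-in for the SMS channel, not a real Mitto API), and later verifies the subscriber's entry with a constant-time comparison and single use. The 5-minute lifetime and 3-attempt limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed policy: PIN expires after 5 minutes
MAX_ATTEMPTS = 3        # assumed policy: PIN is invalidated after 3 wrong guesses


class OtpService:
    """Issues and checks one-time PINs for the 'something you possess' factor."""

    def __init__(self, send_sms, now=time.time):
        # send_sms(msisdn, text) is a hypothetical delivery callback standing in
        # for the SMS channel; the real aggregator API is not modelled here.
        self._send_sms = send_sms
        self._now = now
        self._pending = {}  # user_id -> (pin_hash, expires_at, attempts_left)

    @staticmethod
    def _digest(pin: str) -> bytes:
        # Store a hash, not the PIN, so a leaked table does not expose live codes
        return hashlib.sha256(pin.encode()).digest()

    def issue(self, user_id: str, msisdn: str) -> None:
        pin = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, never random.random()
        self._pending[user_id] = (self._digest(pin), self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        self._send_sms(msisdn, f"Your one-time PIN is {pin}. It expires in 5 minutes.")

    def verify(self, user_id: str, pin: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        pin_hash, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[user_id]  # expired or exhausted: force a fresh issue
            return False
        if hmac.compare_digest(pin_hash, self._digest(pin)):
            del self._pending[user_id]  # single use: a replayed PIN must fail
            return True
        self._pending[user_id] = (pin_hash, expires_at, attempts_left - 1)
        return False
```

The knowledge factor (password or PIN check) is handled separately; SCA is met only when that check and `verify` both succeed for the same transaction.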

2FA is not a new concept though. It is as old as Automated Teller Machines (ATMs/cash machines), which spread globally and introduced real 2FA to the masses from 1967 onwards.

PSD2 may only be applicable to the EEA today but such regulation is spreading fast globally. We understand that organisations need to deploy a secure, easy-to-use means of providing 2FA.

Regulation or not, leaving the security of clients to chance means competitors will use this weakness to their advantage, positioning themselves as being truly customer-centric. 2FA is not an option, rather a necessity for Enterprises in order to build and maintain trust. Mitto is here to help you with all aspects of your 2FA journey. 2FA is not going away.