PSD2 (Revised Payment Service Directive) is a directive issued by the European Commission in order to fortify customer rights, facilitate competition in banking, and increase Internet payment safety via SCA (Strong Customer Authentication). The original European payment services directive came into force in 2007. The PSD2 directive expands considerably on the original version of PSD.

PSD2 in practical terms

The aim of the PSD2 regulation is to create open banking in EEA, while ensuring online payment security based on defined rules. For the first time ever, this directive authorizes bank customers to use the services of third-party providers through open APIs. Rather than rely completely on traditional banking services, PSD2 enables both customers and businesses to manage finances more conveniently and affordably via a wider choice of third-party providers.

Customers will be able to use various fintech services to analyze their spending, pay bills, take loans or make transfers, while their money is deposited in their bank accounts. European banks are obligated to create a system of open APIs that provide access to customer accounts. Third-party providers are authorized to provide financial services while using bank data.

PSD2 deadlines

The deadline for all EU member states to enact PSD2 into national law was  January 2018. Following the initial stage, two deadlines were stipulated:

• March 14, 2019

By March 14, 2019, all Account Servicing Payment Service Providers (ASPSPs) – which refers to any institution that provides and manages payments accounts – were supposed to have set up a testing or sandbox environment including APIs, support and documentation. The comcept was to provide a six-month period to test authorising payment services before the final date of implementation.

If a financial institution is incapable of setting up secure APIs independently, it can partner with a technological network with readymade API portals.

• September 14, 2019

The final compliance deadline is mid-September of this year. At this stage, SCA will be required as well as access to accounts (XS2A). SCA is a crucial element, which obligates customers to authenticate themselves by combining two out of the three following options:

• Something you have – using a device only available to the customer (such as a cell phone)
• Something you know – unique information (such as a PIN) only available to the customer
• Something you are – physical evidence unique to yourself such as facial or voice recognition
  

Optimizing the purchasing process

While robust security is vital, it is no less important for the merchant to ensure a frictionless user experience. To facilitate the process, some operators are adopting behavioral biometrics, which uses machine learning to analyze a user’s unique typing cadence, finger pressure or other personal parameters in order to ensure continuous authentication behind the scenes.

Other ways for merchants to ensure smooth purchasing processes include the use of e-wallet payment methods (which already include two-factor authentication), integration with payment platforms that optimize payment processing, and developing user-friendly mobile apps for seamless shopping experiences.

Online and mobile transactions are particularly vulnerable to breaches, and passwords and codes can no longer provide adequate security against cyber attacks. Innovative technologies are being developed to meet growing fraud challenges. According to Capgemini, fraud detection systems using machine learning and analytics minimize fraud investigation time by 70% and improve detection accuracy by 90%.   

Machine learning fraud detection

Machine learning enables the creation of algorithms that process large datasets with many variables. The system reveals hidden correlations between user behavior and the likelihood of fraud. Machine learning systems enable faster data processing and are less dependent on manual effort.

MasterCard has adopted machine learning to monitor variables such as transaction size, location, device, and purchase data. The system assesses account behavior and offers real-time assessment regarding the nature of the transaction. The system reduces the number of false declines in merchant payments. According to reports, merchants lose about $118 billion annually due to false positives, while customers’ losses amount to nearly $9 billion.

Blockchain for digital identity

One of the main problems related to fraud is that personal data is shared by a wide range of organizations, providing hackers with easy pickings. By definition, blockchain or Distributed Ledger Technologies (DLT) is decentralized. This factor enables a new approach to identity management. Data can be shared across different transactional channels while enabling robust protection of user identities. Users will have the ability to create encrypted digital identities, and the need for multiple usernames and passwords will be eradicated.

Behavioral biometrics for unreplicable authentication

Behavioral biometrics authentication is based on the principle that no two human beings share the exact same behavioral patterns. When it comes to the use of mobile phones, each user has their own typing pattern, swipe speed and finger pressure. Through machine learning and by analyzing behavioral patterns, smart algorithms can continuously authenticate user identity in the background of a session without interrupting the user experience.

User behavior analysis  

One of the classic methods to detect fraud is to track deviations from usual customer behavior. A smart fraud system will pick up anomalies such as high values and unusual locations, new IP addresses, time of day, changed shopping patterns, and more. After detecting these activities, an advanced algorithm will raise a flag and assign a higher likelihood of fraud. The system will then send a verification request to the card owner in real time.

All of these methods constitute highly effective tools to fight sophisticated fraud. Small and medium-sized companies may find it more affordable to engage external data science experts or acquire third-party software rather than building an in-house team.

Photo courtesy of Nicole De Khors