The ultimate loser in PSD2 is the consumer

If the draft for Payment Services Directive 2 doesn’t change, user experience will take two steps backwards.

One of the great mistakes is to judge policies and programs by their intentions rather than their results.

 — Milton Friedman


The Payment Services Directive 2 (PSD2) is designed to create a single, efficient market for payments. It would do this by creating a more competitive playing field that offers consumers more payment choices at lower cost while also improving security. A tall order to be sure, but after the release of the draft technical requirements one has to wonder whether the intent to combat fraud will come at the expense of consumers rather than to their benefit.

The bearer of bad news

In the draft technical requirements for PSD2, the European Banking Authority has recommended the use of bearer tokens in the eCommerce payment process. It essentially works like this: Fred wants to buy a new coffee machine online. He puts it into his shopping cart and clicks "check out." The site prompts Fred for his credit card information. He enters it and hits submit. The merchant sends the payment information to Fred's card issuer, and the issuer sends Fred a code (the bearer token). Meanwhile the online merchant prompts Fred for this code. Fred enters it and the transaction is complete. Note that the code is a bearer token in the strict sense: whoever presents it completes the purchase, so it only adds security if it is delivered over a channel (a separate device, an app, an SMS) that an attacker who has Fred's card details does not also control.

Unfortunately, Fred and every other EU citizen will now have to follow this same onerous process for every online purchase. Most organizations do not require as rigorous an authentication process for their privileged users, and those users have the power to wipe out an organization's critical infrastructure and IT systems.

There is a better way

Financial institutions have been combating online fraud for years, and they have discovered that you cannot catch it all. No matter what you do or how hard you try, some fraud is going to happen. However, in exploring various mechanisms and technologies to combat eCommerce fraud, banks and credit card issuers have learned an important lesson: you need to balance security with user experience.

For example, a Gartner survey of U.S. bank customers, conducted in the wake of banks introducing new authentication methods for retail banking in response to Federal Financial Institutions Examination Council (FFIEC) guidance, revealed that 12% of customers had considered changing banks because they found what their banks had done to be too onerous, and 3% actually changed banks. A poor user experience led to lost business.*

Actual customer experience

Let's look at this from a more practical point of view. Assume that a card issuer sees a million transactions per day that require it to send a bearer token to the end user. Under the proposed PSD2 requirements, this would mean that a million transactions per day are being interrupted, causing significant user friction.

Based on actual experience, a global bank reported a significantly higher abandonment rate when it required an additional challenge form for customer authentication on 100 percent of online transactions. After deploying the CA Risk Analytics solution, the same bank found that 90 percent of transactions yielded a low risk score and did not require the additional challenge, and its abandonment rate dropped 60 percent overnight. Even better, it saw no increase in actual fraud.
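The two mechanisms the post contrasts, a one-time code challenge on every purchase versus a risk score that only challenges the risky minority, can be shown side by side. The following is an added illustration written for this page; it is not CA Risk Analytics, not any issuer's actual rule set, and not the EBA's scheme. The feature weights, the challenge threshold, the code lifetime, the `Transaction` and `CardProfile` types and the sample transactions are all constructed for the example.

```python
"""Risk-based step-up authentication, added illustration (not the page's own code).

1. A toy additive risk scorer decides whether a card-not-present purchase
   proceeds silently or is interrupted with a one-time code.
2. A one-time-code challenge stands in for the code the issuer sends the
   cardholder: HMAC-derived, bound to the transaction, short-lived,
   single-use, compared in constant time.
Weights, thresholds, sample profile and transactions are constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_THRESHOLD = 50   # constructed: scores at or above this are challenged
CODE_TTL_SECONDS = 300     # constructed: a code is accepted for five minutes


@dataclass
class Transaction:          # hypothetical shape of a card-not-present purchase
    card_id: str
    amount: float           # EUR
    merchant_country: str
    device_id: str
    minutes_since_last_txn: float


@dataclass
class CardProfile:          # hypothetical per-card history kept by the issuer
    home_country: str
    known_devices: set
    avg_amount: float


def risk_score(txn: Transaction, profile: CardProfile) -> int:
    """Higher means riskier. Weights are illustrative, not calibrated."""
    score = 0
    if txn.device_id not in profile.known_devices:
        score += 30                                    # unfamiliar device
    if txn.merchant_country != profile.home_country:
        score += 20                                    # cross-border purchase
    if txn.amount > 3 * profile.avg_amount:
        score += 30                                    # unusually large amount
    if txn.minutes_since_last_txn < 2:
        score += 25                                    # rapid-fire velocity
    return score


def needs_challenge(txn: Transaction, profile: CardProfile) -> bool:
    return risk_score(txn, profile) >= CHALLENGE_THRESHOLD


def challenge_rate(txns, profile: CardProfile) -> float:
    """Fraction of the batch that would be interrupted under risk-based step-up
    (a challenge-everything policy is 1.0 by definition)."""
    return sum(needs_challenge(t, profile) for t in txns) / len(txns)


class OneTimeCodeChallenge:
    """Issuer side: mint a 6-digit code bound to a transaction, accept it once."""

    def __init__(self, issuer_key: bytes):
        self._key = issuer_key
        self._pending = {}  # challenge_id -> (nonce, issued_at, used)

    def _derive(self, challenge_id: str, nonce: str, txn: Transaction) -> str:
        # Binding card and amount into the MAC means a code minted for one
        # purchase cannot be replayed to authorise a different one.
        msg = f"{challenge_id}|{nonce}|{txn.card_id}|{txn.amount:.2f}".encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def issue(self, txn: Transaction, now=None):
        now = time.time() if now is None else now
        challenge_id, nonce = secrets.token_hex(8), secrets.token_hex(8)
        self._pending[challenge_id] = (nonce, now, False)
        return challenge_id, self._derive(challenge_id, nonce, txn)  # code goes out of band

    def verify(self, challenge_id: str, submitted: str, txn: Transaction, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False
        nonce, issued_at, used = entry
        if used or now - issued_at > CODE_TTL_SECONDS:
            return False                               # replay or expired
        ok = hmac.compare_digest(self._derive(challenge_id, nonce, txn), submitted)
        if ok:
            self._pending[challenge_id] = (nonce, issued_at, True)
        return ok


# Constructed sample data: one cardholder, five purchases.
PROFILE = CardProfile(home_country="DE", known_devices={"dev-A"}, avg_amount=60.0)
SAMPLE_TXNS = [
    Transaction("card-1", 45.0, "DE", "dev-A", 180),   # routine           -> 0
    Transaction("card-1", 75.0, "DE", "dev-A", 600),   # routine           -> 0
    Transaction("card-1", 55.0, "FR", "dev-A", 90),    # abroad only       -> 20
    Transaction("card-1", 40.0, "DE", "dev-B", 30),    # new device only   -> 30
    Transaction("card-1", 600.0, "NL", "dev-C", 1),    # everything at once -> 105
]

if __name__ == "__main__":
    print(f"challenge rate: {challenge_rate(SAMPLE_TXNS, PROFILE):.0%}")
```

Run as a script, it reports that only one of the five constructed purchases would be interrupted, which is the post's point in miniature: the fraud signal concentrates in a small fraction of traffic, so challenging everything buys little and costs a great deal of friction. The challenge class also shows the checks a practitioner would expect around such a code: expiry, single use, binding to the amount, and constant-time comparison.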

An alternative solution

It seems to me that if the European Banking Authority trusts financial organizations to develop their own solutions for open communications, then it should also trust them to develop their own solutions for combating fraud. And to keep them honest, why not have each financial organization report its fraud rate and then publish a fraud report card each quarter or year (e.g., an A+ rating for organizations with less than 1 percent fraud, an A rating for organizations with 1 to 2 percent fraud, etc.)? This would give them an incentive to actively reduce fraud, and give consumers a means to select the financial services company that provides the best fraud protection.

For more information, come visit us at CA Payment Security and CA Advanced Authentication.

* Gartner, “Market Guide for User Authentication,” Ant Allan, Anmol Singh, and David Anthony Mahdi, 12 February 2016.


As product marketing manager in CA’s Security business, Rob is responsible for messaging, positioning, and…
