Community

Finally, common sense prevails. The digital payments environment has move on signficantly since the EBA started this exercise all those moons ago, it is also like to move even further over the coming years and therefore requirements under SCA need to stand the test of time. Foremost, ensuring the vast majority of 'good' payments aren't subjected to undue friction, and any additional step up is proportianate to the risk. Payments has been saved.

Tolga, always glad to hear from you and yes London, Vienna, Amsterdam are always possible but you know I'm an Istanbul guy - Ulus 29 to be exact :) Let me clarify when I talked about on-boarding innovation, I meant the integration of innovation into the banks fraud platform not necessarily for the use case of on-boarding. What my key point is with all of the innovation in the security industry fraud systems must be easily be able to adopt new technologies without long tech projects. The demand will be driven by your customers, you won't have a choice as it is part of their digital behaviour. So Apple Touch ID as an authentication method (RBS & Natwest are doing this already) or be it behavioural biometrics, document verification etc etc all these tools need to be easy to deploy into your target fraud system so you can future proof your technology and not have to rip out and replace in 2 years time when the platform becomes legacy.

Carl - I think you are on the right track but the answer in that regard is - why do you need an electronic card? The mobile has the capbility to do all of the above (and more) today without navigating through a complex manufacturing process.

Tolga, my friend 'you are the man' on this topic for sure and have read this 'series' with great interest. I wholeheartedly agree with your comments and there is a running theme which I believe should be an important requirement : 'Ability to on-board innovation in the security space at relative ease'. By this I mean the security innovation landscape is moving at a rapid pace, I see this on a day to day basis. So as your tip 12 - maybe this is a key theme.

E.g. how does a fraud system take on board Apple Touch ID as an authentication method - if starts to be the way your conusumers behave. Beyond Apple Touch ID what's the next big security innovation, something Biometric related no doubt so being able to map this into a fraud process and system is key.

Stay ahead of the curve, as they say.

@shoumit I was trying to dig this information out about CAL - it solved the issue Carl raises about card theft - as it had a keypad for you to enter a PIN. Don't underestimate the issue of customer authentication friction, it can be a bigger risk to business than fraud itself. Security measures are clearly critical to the eco-system but they need to be balanced with the fact that genuine consumers needs to be able to transact effectively in the fast moving digital payments world.

Interesting development though the first use of display cards with Dynamic CVV was with ICC-Cal in Israel. At the time it was an exciting innovation (circa 2008) however the costs were prohibitive - given all the players in the card manufacturing eco-system. However with Oberthur buying Nagra ID, and recently investing in component manufacturing in China there is scope to industrialise this beyond 'cool pilots' if the costs can be viable.

The other aspect is the interplay of authentication with Dynamic CVV, and then 3D Secure if appropriate - in France this is certainly the case. Double-authentication can be cumbersome to the consumer.

So this has finally come to it's conclusion and one wonders how much consideration was given to the pressing demands of the emerging digital environment. Reading through some of the detail there appears some flexibility for PSPs but I think the science behind what is considerd "Strong Authentication" will be hard to police. Best practice would be a risk-based authentication environment, with strong authentication initiated when a high-risk tansaction is detected. 

It requires local regulators to understand the commercial pressures of the burgeoing eCommerce world, without following a "tick box" approach for a world that is changing quicker than regulation allows. 

Interesting times ahead, requires sensible thought.