European Central Bank proposes 2FA liability shift to boost Internet payment security

This is a positive development in the right direction from the European Central Bank. However, with the growing sophistication of hackers, a two factor authentication may not be sufficient any more (see my blog on Finextra). Security technology has advanced so that a four or even five factor authentication can be conducted with some of the layers being invisible. This enables both a sufficiently safe and a convenient way of safeguarding a transaction.

This is unwanted scare-mongering and will severly curtail online and mobile usage scenarios. As for curbing fraud, I'm not sure if it will help: Leading US ecommerce merchants like Amazon have still not implemented VbV or other forms of 2FA despite FFIEC releasing guidelines to this effect in 2005 and reiterating them in 2011, and I haven't come across any figures showing that they suffer greater fraud as a percentage of revenues as compared to their counterparts in EU and other countries where 2FA is common. 

IMHO, 2FA poses enough friction already. Any more factors and I predict that cash will enter online transactions - as it's already happening in India, where "Cash on Delivery" is the #1 payment mode for ecommerce purchases.

I fully support this initiative if it helps reduce fraud and creates a common customer experience, though I too question whether two factor authentication is sufficient given how savvy fraudsters are becoming.

Part of the problem with 3D Secure is that it's not mandated, meaning that the customer experience varies from web site to web site with some merchants asking for authentication while others (such as Amazon) do not. If all cardholders were required to authenticate themselves in some way, as they do with chip and pin in a face to face environment, then they'll be more likely to remember their password when shopping on-line.

I'd also like to see some form of token based authentication introduced for telephone orders, supported by a liability shift as this doesn't exist at the moment.

Perhaps once two (or more) factor authentication is introduced internationally for face to face and cardholder not present transactions (if we ever get to that stage), being in possession of a card number on its own will have zero value and PCI-DSS will no longer be necessary - saving the industry many millions!

Having just attempted to put through two CNP transactions in a country where 2FA / 3DS is mandated by the central bank, remembering one more password is the least of the friction. There are simply too many moving parts and even if each individually has 99%+ uptime, the end-to-end uptime is a lot lower and transaction failures are not uncommon. In my present example, one transaction succeeded whereas the other failed (because the issuing bank's 3DS was constantly timing out). I'm not sure if the issuer, acquirer and payments processor are aware that this transaction has failed, causing loss of revenue for the merchant. As for merchant, I don't know if he believes in "ignorance is bliss", is patting himself on the back for blocking a potential fraudulent transaction, or is upset with the others in the payments process flow for bungling this transaction. Perhaps, with its renowned use of A/B testing for over 10 years, an ecommerce leader like Amazon has a better idea about the potential of VbV / 3DS / 2FA to trigger transaction failures and cause false positives, which is why it has astutely chosen to avoid such technologies. I'm sure Amazon doesn't like fraud any more than other merchants but perhaps recognizes that fraud is a cost of doing business in the real world. 

Although the latest, the above is not my only experience with false positives caused by existing 2FA solutions. Maybe it's high time the regulators changed their focus. Instead of specifying even higher levels of security, they should insist that existing issues with 2FA are ironed out first and demand proof that 2FA has cumulatively prevented more fraud loss compared to the revenues it has lost due to false positives. I recall a banker saying, "only compliance, no transactions" in a somewhat similar context recently.