PSD2 Faces Further Delays as UK Lags Behind European Compliance

It has been a year since Infosecurity took a first look at the Second Payment Services Directive (PSD2), and since then it has been a year of great challenge for the directive.

According to a survey published in February 2019, only 53% of UK consumers said they would give their bank their mobile number, an act necessary to support the one-time passcode systems to comply with Strong Customer Authentication (SCA). Also, nearly 70% said they think there’s already enough or too many security checks on card payments.

Further, as the original September 2019 deadline loomed, many countries (including the UK) signaled delays in PSD2 enforcement. This has resulted in new compliance delays being put in place for merchants.

To get some clarity on what the situation with PSD2 is, Infosecurity reconnected with Mark McMurtrie, director at Payments Consultancy Ltd. He said the deadline for PSD2 SCA had been extended due to COVID-19, and the issue of the whole industry needing more time to enable systems and controls for compliance with SCA.

This means that active enforcement of SCA will start from January 1 2021 in continental Europe, but will not be enforced in the UK until September 14 of next year. McMurtrie explained that the interim deadline was originally March 2021, and what is key to know is that the “regulation has passed into law, and compliance is required now.”

However, the extended deadline relates to SCA, and it is by those dates above that any card issuer must decline any transaction if it is not 2FA authenticated. “There has been a grace period for issuers to allow current rules and processes, and these must be in place by September 14,” McMurtrie said.

In particular, the issues are the card providers such as MBNA, Barclaycard and Capital One to name a few examples. McMurtrie said if your card is issued by a European country and used at a UK merchant, enforcement is January 1. However, if your card is issued by a UK provider and used at a UK merchant, enforcement doesn’t apply until September 14.

“There is a lot of complexity on understanding the dates, and this will cause a lot of confusion,” he said. “Meanwhile, the poor merchant doesn’t know where the card was issued, doesn’t know what to enforce!”

“There has been a grace period for issuers to allow current rules and processes, and these must be in place by September 14”

Was Brexit a cause of this? He said no, as the delays have been caused by the ecosystem not being ready and clarifications on rules and technology being late to be defined, “and this has been going on for months, and the detailed implementation is not ready.”

As for Brexit’s impact, as the transition period will end on January 1, there will be a period between January and September where the UK will not be treated as being in scope. “Although, many issuers will not realize this variance of timings; there will be strange times between January and September where cards are treated differently.”

This could lead to two specific problem areas: firstly that more transactions are declined as the authentication cannot be approved, and secondly that consumers abandon their purchases out of confusion. “Merchants fear this high level of decline and abandonment,” McMurtrie said.

So what changes have been made in the last year? McMurtrie said there are exemptions which will allow the number of authenticated transactions to be reduced, and for low value transactions to be exempt. “This can save money as every authentication has a cost, and it reduces friction as every extra step impacts customer experience,” he said.

“Behavioral biometrics were not discussed nine months ago, and the UK is very much a first mover in the market to do this"

Another change is that the EBA has clarified that SMS one-time passwords cannot be treated on their own as a compliant single factor. Many issuers have needed to change their approach to authenticating customers, and will now be adopting behavioral biometrics in conjunction with SMS OTP in order to have a compliant second factor.

“This is a significant change and the UK will be one of the first adopters,” McMurtrie said. “This is about how you use your phone, if you use a phone, desktop or tablet, how you press the buttons and how long for, how quickly you use the mouse and your typing speed.”

He said these data points are all unique to the user and show how the user interacts, creating a pattern for the customer to show they are genuine. “Behavioral biometrics were not discussed nine months ago, and the UK is very much a first mover in the market to do this,” he said. “This is also transparent to cloud providers and merchants, but there could be potential issues for GDPR, as capturing of biometric behavioral patterns could raise a conflict as the customer has not explicitly asked for this.”

Infosecurity contacted compliance experts at Cordery for their advice on this. Partner Jonathan Armstrong said there is concern over monitoring, for example the logging of activity by Office 365, and there are rumours that there is an ICO investigation into Barclays for this.

“Depending on the requirement and on use etc. this may still be permitted under GDPR, but the organizations concerned would have to do a DPIA to make sure they are collecting as little data as possible to fulfil their PSD2 requirement, and they’d have to be transparent,” Armstrong said. He added that this would likely involve specific notices explaining what they are doing, why and who is doing it (e.g. if a third party is involved).

Andre Bywater, partner at Cordery, said that the merchant would have to justify the relevant lawful basis for collecting the data, as they could use the determination of it being done for “legitimate interests.” He explained that failure to identify a lawful basis or picking one that is not applicable would likely get them into trouble under GDPR.

It does seem that there are some issues as we head towards the first European deadline in under two months. McMurtrie admitted that a lot of testing still needs to be completed by September 2021, but the impact on the user should only be pop up boxes appearing, receiving SMS messages and any additional friction related to this.

Alongside the push for compliance with GDPR and the long road of Brexit, PSD2 may not have rated so high as a consideration for security. However, for the average user, this will have an impact and as we see the adoption of more biometric factors as part of general authentication, it is a boost for ensuring the person doing the purchase is legitimate.

What’s Hot on Infosecurity Magazine?