Strong Customer Authentication: Disturbing the Waterlilies of Frictionless Authentication

Sounds like the sort of financial regulation that takes place in an oriental garden, to the sound of a bamboo flute playing in the background. Yes, well, um… it’s also been described as ‘the death of our beloved one click purchasing’.

Not the death of our beloved one-click purchasing! The last bastion of online shopper freedom. Okay, let’s not lose our cool. But, your concerns are echoed by many involved in payments.

So, what’s the crux of the matter? From 14th September, as part of PSD2, a customer is required to go through Two Factor Authentication for purchases over 30 euros. Payments over that threshold will have to be authenticated using two of the three pillars of authentication.

The Pillars of Authentication… glory be to the Pillars. Piety won’t save you from the wrath of PSD2. Only strict adherence to the doctrine of the pillars can do that.

What are the three pillars, exactly? The first is knowledge. Meaning authentication by something the customer knows, like a password or pin.

And the second? Number two is possession. A push notification, for example, sent to something a consumer possesses, like a mobile, to verify the purchase.

And now the third? That would be inherence. So, validating the purchase by using something the customer has inherently, like a fingerprint.

First God sent a flood, now he sends inconvenient financial regulation to punish man for its one click purchasing hubris. Not quite. Strong Customer Authentication is designed to reduce fraud. And, apparently online payment fraud is a pretty popular past time for fraudsters these days.

As said God before the flood: ‘sorry for the hassle, but you’ll thank me in the long term.’  I don’t know if he did say that.

Perhaps not. Although Strong Customer Authentication does throw up real concerns for the merchant and bank community, there are exemptions from the rule.

Glory be to the exemptions. And they are? Transactions under 30 euros, subscription payments and whitelisted merchants, for example.

But, for the one off purchases over 30 euros, is there no salvation? Your salvation will come in form of 3D Secure 2.0, the prodigal son of 3D Secure 1.0.

The payments solutions map needs more prodigal sons. Indeed. 3D Secure 2.0 will use machine learning to ensure seamless data transfer between acquirer and issuer, and better risk assess payments.

Positive stuff. It could be. A payment assessed as low risk, with a trusted merchant for instance, would be free from the shackles of Strong Customer Authentication.

So, straightjacket regulation or deliverance from evil (fraud)? In theory, deliverance from evil. In practice, a little more complex. Some hear the death rattle of many a retailer echo through the payments space. They see customer conversion rates plummeting due to fiddly authentication in the immediate aftermath of Strong Customer Authentication coming into force.

Negative stuff. It could be. Strong Customer Authentication has disturbed the tranquil waters of frictionless authentication. It leaves merchant and payment institutions scrambling to find ways to pacify the ripples of regulation.  


Register for FinTech Connect on 3–4 December at ExCeL, London.

View the FinTech Connect 2019 website to find out more