PSD2 Smiles On Biometrics — And Other Tales From The New World

Watching. Waiting. Concerns about fraud. And an apparent boost for biometrics.

The second Payment Services Directive — known as PSD2 — has come into effect in Europe, with a September 2019 deadline for payment service providers to adhere to the regulatory technical standards on security and functionality.

Much like the General Data Protection Regulation, or GDPR, the European Union’s recently enacted online privacy regulatory regime, the new world is a work in progress, with the impacts, consequences and rewards still to reveal themselves.

The basic goals are clear enough: Encourage faster payments. Spark FinTech innovation. Loosen the grip that the biggest banks have on the data and technology that make payments possible. Give consumers more choice when it comes to financial services.

It’s still very early, but recent news points to one PSD2-fueled development: the further spread of biometrics in payments. Mastercard wants to test out its fingerprint-scanning cards in the U.K. The payments firm is reportedly already testing the card in South Africa. The product combines chip technology with a fingerprint scanner to verify the cardholder’s identity when making purchases in-store or online.

PSD2 sets out the requirements for strong customer authentication (SCA), an identity verification procedure that leverages multifactor authentication. SCA pulls in factors such as ownership (i.e., the transaction is coming from a device that is recognized as belonging to the consumer) and inherent traits (biometric identifiers like fingerprints and retinas). In addition, there will be further requirements for contactless payments, including asking the user to enter their PIN (or use their fingerprint) to verify every fifth transaction made on the card.

Mastercard has predicted that one in four online sales will require identity authentication to complete a transaction after the PSD2 technical standards take effect in 2019, up from just 1 to 2 percent of transactions today.

Corporate payments also could get more of a biometric flavor in the coming months, according to Elias Thomaidis, senior manager, digital security, for Hitachi Europe.

The security requirements will naturally encourage more corporate payment providers to consider biometric end-to-end payment solutions.

“With only 15 months left before the regulatory technical standards directive is set to kick in, banks are advised to review all their payment transaction processes and look to ensure biometrics play a key part in securing both their business and that of their customers,” he said.

But what is the state of total PSD2 readiness?

“The results so far have been rather sobering,” read one recent summary. “In recent months, only 13 of 28 EU countries have met the PSD2 deadline.” That matters because, for one thing, interested payment players “cannot apply for authorization in the 15 countries that have not yet transposed the directive.”

Amid those fresh concerns about readiness and how laggards might impact PSD2 goals, there are recent questions about whether the payment rules contradict the GDPR. “PSD2 asks banks to openly share consumer data with their consent, while GDPR requires that consumer data remains private and secure,” asked one item. “How can businesses possibly juggle the two seemingly contradictory regulations?”

After all, so much of PSD2 relies on how data is accumulated, analyzed and shared.

“Sharing customer data with third parties, as directed by PSD2, is a great idea but difficult to carry out for banks. Banks are challenged by legacy systems, operating in silos and current IT practices, which do not facilitate data management,” the report noted.

May one live in interesting times — that saying is meant as a curse, but, perhaps, it applies in a less sinister way to this era of new payments, privacy and technology, one that will offer even clearer impacts as the months pass.