Disruption, Regulation And Navigating Payments Security

“A tsunami of change is happening in the payments industry right now,” explained Hannah Preston, a Solution Strategist for the Payment Security Division at CA Technologies.

Change that makes the need to secure the digital payments ecosystem even more critical. And that, Preston asserts, is about addressing three separate but closely related topics: authenticating the consumer, determining who gets access to that consumer’s personal data, and making sure that both the access and the data remain secure. That was the topic of a 45-minute conversation between Karen Webster and CA Technologies executives Carol Alexander and Hannah Preston – who also threw in a little dose of how a few new regulatory wrinkles fit.

Wading The ‘Technical Limbo’

This wave of change has left banks and issuers across the U.S. and Europe examining the various options that face them in order to connect the authentication, access and data dots, securely, while eliminating consumer friction when transacting. And in some ways, Preston and Alexander remarked, that has left them in a bit of a holding pattern in light of the regulatory requirements that PSD2 has imposed on access to their customers’ account data.

“In some countries there’s even a sense of technical limbo while they await technical standards to be fleshed out,” Preston said, pointing toward one specific European regulation that’s creating a lot of conversation in the payments ecosystem: PSD2.

At the crux of that issue, Preston said, is access to accounts.

“[It’s about] infrastructure access to the more traditional card schemes where the cardholders can get direct access to merchants like Amazon or PISPs (payment initiation service providers) — and innovating the way in which people pay for things outside the traditional infrastructures that exist today,” she told Webster.

The new requirement, Webster suggested, raises new questions about who owns customer data and how that impacts – or not – the relationship that issuers have with their customers. Preston said that how the various players in the payments and financial services ecosystem navigate PSD2 and its requirements differs a bit depending on where they are in that ecosystem.

“Issuers are responsible for authenticating customers’ transactions so they will be responsible for deciding how they want [access] to happen,” Preston explained, adding that passwords will no longer be compliant. She also remarked that it’s the customer who ultimately owns data and will give merchants or PISPs permission to access it on their behalf.

Closing The Regulatory Gaps

This new regulation also calls for open communication standards across all of the E.U. So, Alexander explained, those doing business in Europe – who may be domiciled outside of it – must comply with the standards.

“It’s really looking at how we can close regulatory gaps between countries – so if you are participating in commerce in the E.U., there is a need to comply with PSD2. I know that’s an important consideration in the U.S.,” she explained, suggesting that regulatory guidance, especially where it concerns security, tends to converge across markets.

“I can see [regulation] converging because the same kinds of guidelines — behavioral analytics, biometrics, etc. — to ease the friction with card transactions is really going the same direction with PSD2 in terms of security and frictionless access,” she said.

For now, it’s up to the industry to secure access to that data. Giving intermediaries permission to access consumer data is one thing; making sure that the access neither compromises the security of the issuer nor puts that consumer data at risk is another.

“There is an urgent need for banks to be able to leverage real-time data in order to drive faster and more efficient outcomes. Countries like the Netherlands have access to accounts – APIs where you can initiate payments. Sweden is close to becoming a cashless society. That’s how things likely will go in other countries,” Preston said.

But, of course, there are two sides to any one of these opportunities, which is why securing access is so critical. If access to those APIs gets into the wrong hands, there will be a lot of finger-pointing about who is responsible for the data. That’s why more conversations are happening about how banks are going to manage these new regulations, Preston said.

“There is a strong message globally that is coming from card schemes and all the different initiatives. And that is to really abolish weak security like weak static passwords that are too easy to exploit,” Preston said.

Embracing Emerging Technologies

According to a statistic Preston cited, some 70 percent of the world’s passwords have been compromised; by that count, only 30 percent are still doing their job.

“We’re at the point right now when we can get rid of these ridiculous passwords that we all forget,” Alexander noted, suggesting that the industry is at the point at which “the technology is friendly enough” for consumers to adopt it and for banks to want to willingly enable it.

Preston agreed, and contended that the technology is available for banks and issuers to leverage. They just need to bring it into their environment. But eliminating passwords is just one step. Eliminating what Preston calls “the human weakness” is just as important.

“We have to eliminate the human weakness where customers can give stuff away,” she asserted. “If we make it so that information doesn’t exist at all and, instead, we use analytics, behavior and device information to make authentication decisions, then we can have it all,” Preston said. Issuers and their customers can have both security and convenience now, she explained.

Preston said that allowing access to account infrastructure is a big step in making that more of a reality for more issuers and consumers.

“Behavior and devices is really the way forward – it makes it much more difficult for fraudsters to get through,” Preston said. In those scenarios, the cardholder isn’t required to do anything – the model picks up changes in normal behavior. “There is a relationship between devices and fraud, and with the right tools, it is getting easier and more reliable to distinguish genuine behavior from fraud activity,” she added.

And that has to happen in real time, Alexander acknowledged; even great data is of limited use after the fact.
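The decision flow Preston describes above – the cardholder does nothing, while device and behavior signals are scored against that customer’s own baseline in real time – looks roughly like the following. This is an added illustration, not CA Technologies’ product code or anything shown in the webinar: the feature weights, thresholds, signal choices and the sample customer profile are all assumptions made for the example.

```python
"""Risk-based authentication: score a login attempt against a per-user
baseline of device and behaviour signals, then decide allow / step-up / deny.

Added illustration (not CA Technologies' product code). Thresholds, feature
weights and the sample profile below are assumptions chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from statistics import mean, pstdev

# Decision thresholds on the 0-100 risk score (assumed values).
STEP_UP_AT = 30   # challenge with a second factor at or above this score
DENY_AT = 60      # refuse outright at or above this score


@dataclass
class Profile:
    """What 'normal' looks like for one customer, learned from past logins."""
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    login_hours: list = field(default_factory=list)      # local hour of past logins
    keystroke_ms: list = field(default_factory=list)     # mean inter-key interval per login


@dataclass
class Attempt:
    device_id: str
    country: str
    hour: int          # 0-23, customer's local time
    keystroke_ms: float


def risk_score(profile: Profile, a: Attempt) -> tuple[int, list[str]]:
    """Return (score, reasons). Each signal contributes an assumed weight."""
    score, reasons = 0, []
    if a.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if a.country not in profile.known_countries:
        score += 30
        reasons.append("country never seen for this user")
    # Time of day: flag if fewer than 10% of past logins fell within +/-2h
    # (distance measured around the clock, so 23 and 1 are 2h apart).
    if profile.login_hours:
        near = sum(1 for h in profile.login_hours
                   if min(abs(h - a.hour), 24 - abs(h - a.hour)) <= 2)
        if near / len(profile.login_hours) < 0.10:
            score += 15
            reasons.append("unusual hour")
    # Typing cadence: z-score against the user's own history (needs >= 5 samples).
    if len(profile.keystroke_ms) >= 5:
        mu, sigma = mean(profile.keystroke_ms), pstdev(profile.keystroke_ms)
        if sigma > 0 and abs(a.keystroke_ms - mu) / sigma > 3:
            score += 15
            reasons.append("keystroke cadence outside baseline")
    return min(score, 100), reasons


def decide(profile: Profile, a: Attempt) -> str:
    """Map the score to an action; the customer does nothing on 'allow'."""
    score, _ = risk_score(profile, a)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def learn(profile: Profile, a: Attempt) -> None:
    """After a successful, fully verified login, fold the attempt into the baseline."""
    profile.known_devices.add(a.device_id)
    profile.known_countries.add(a.country)
    profile.login_hours.append(a.hour)
    profile.keystroke_ms.append(a.keystroke_ms)


# Constructed sample baseline: a customer who logs in from one phone in the
# Netherlands, in the evening, typing at ~180 ms between keys.
SAMPLE_PROFILE = Profile(
    known_devices={"phone-a1"},
    known_countries={"NL"},
    login_hours=[19, 20, 21, 20, 19, 22, 20, 21],
    keystroke_ms=[175, 182, 179, 185, 178, 181, 177, 183],
)

if __name__ == "__main__":
    for label, attempt in [
        ("usual", Attempt("phone-a1", "NL", 20, 180)),
        ("new device, same habits", Attempt("laptop-b2", "NL", 20, 180)),
        ("bot-like from abroad", Attempt("vm-z9", "BR", 4, 35)),
    ]:
        print(label, "->", decide(SAMPLE_PROFILE, attempt), risk_score(SAMPLE_PROFILE, attempt)[1])
```

The point of the three-way outcome is the friction trade-off the speakers keep returning to: a login that matches the baseline is allowed silently, a single unfamiliar signal (new laptop) triggers a step-up challenge rather than a refusal, and only a pile-up of anomalies is denied outright. `learn` is what keeps the baseline current; it should only run after a login has been fully verified, otherwise an attacker’s device becomes “known”.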

Preston reminded the live audience that the safest way for data to not be stolen is to not have it exist – replacing static passwords with one-time passwords, two-factor authentication, and biometrics, she affirmed, can eliminate that risk.

Preston and Alexander raised the issue of “marrying the credentials” many use to make a purchase online with their online banking profiles – essentially creating a digital identity that becomes the secure credential that users are able to use to transact across the various digital channels.

“We’re heading toward an omnichannel environment with the consumer interacting with their bank in many different ways. Digital credentials will only make that easier,” Alexander said.

Connecting The Dots

Of course, as the move to digital becomes more prevalent and more devices are connected, the ability of legacy payments infrastructure to keep up is sometimes called into question.

Preston believes that APIs can help modernize existing infrastructure and should be a key part of how banks think about keeping pace.

“No one will argue that we should continue with the legacy infrastructures that weren’t designed for today’s environment and predate the smart technology or modern devices that today enable financial services and payments,” Preston said, adding that access to accounts, 3D Secure, open APIs, etc. are all key to that modernization effort.

Preston closed by suggesting that the opportunity for issuers is to “put yourself in the right position to take advantage of the right opportunity in the market.” She offered four key considerations:

  1. Put real-time data front and center in a security strategy.
  2. Adopt a zero catch strategy to gather data based on device behavior and information.
  3. Eliminate that human weakness. If you want to authenticate, it has to be strong … personalized to more individuals.
  4. Share APIs, and link systems and data based on what’s happening in the CNP (card-not-present) and CP (card-present) space, so that you can make intelligent decisions about it.

For more from this digital discussion, see the slides below.