Have you heard of PSD2? No? No biggie, many companies seem to be feeling the same way! That's surprising, since PSD2 is the European Union's second Payment Services Directive and, together with its rules on strong customer authentication, will govern credit and debit card payments, with only small remote payments below €30 left out. Third-party payment providers like PayPal are also affected. The authentication rules come into full effect on September 14, 2019 and will usher in a new era of card payments. After that, the data printed on the card (cardholder name, card number, expiry date and security code) will no longer suffice to authorize a transaction, making stolen card details considerably less useful to a thief. But, although the deadline is only a few days away, both credit card companies and banks are currently struggling hard to implement the directive.
Cashless payments, though they have been technically available for quite a long time, are still anything but commonplace in many countries. For instance, while credit cards are the default payment option in the US or Iceland (even for harbor tours), in Germany only every 57th purchase is paid for this way. Still, credit cards play an ever more important role in international transactions and as surety for hotel and rental car reservations. In 2015, the European Parliament and Council replaced the 2007 Payment Services Directive with PSD2, tightening the security checks to combat identity theft, among other things.
To make a long story short, things are going to get more dynamic! PSD2 requires "strong customer authentication" (SCA) based on "dynamic linking". Each transaction has to be authenticated using at least two of the following three independent factors (two-factor authentication):
- Knowledge: something only the customer knows. This can be a password, a PIN or the answer to a security question, but not the card number or expiry date, which are printed on the card.
- Possession: something only the customer has, e.g. a cellphone registered with the bank.
- Inherence: a biometric feature of the customer, e.g. a fingerprint.
Based on the above factors, a unique authentication code is then generated that is dynamically linked to the specific amount and recipient: if either is changed after the customer has approved the payment, the code no longer matches and the bank rejects the transaction.
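To make "dynamic linking" concrete, here is an added example (not code from the article or from any bank) of how an authentication code can be bound to amount and payee. It assumes a hypothetical enrolment in which the customer's registered app holds a random device key (possession) and the customer confirms each payment with a PIN (knowledge); the bank keeps only the key derived from both. The code is an HMAC over the exact amount, payee and a per-transaction challenge, so a man-in-the-browser that changes the amount or the recipient after approval invalidates it. Code length, key sizes and the validity window are assumptions of the example.

```python
"""Dynamic linking of an SCA authentication code to amount and payee.

Illustration added to this article; it is not any bank's or card scheme's
actual protocol. Key sizes, the 8-digit code, the 300-second validity
window and the enrolment flow are assumptions of this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_DIGITS = 8
CODE_LIFETIME_S = 300  # assumed validity window for one code


@dataclass(frozen=True)
class Transaction:
    amount_cents: int  # the amount the customer is shown and approves
    payee: str         # the recipient shown to the customer (assumed identifier)
    nonce: str         # per-transaction challenge issued by the bank
    issued_at: int     # unix time at which the bank issued the challenge


def derive_auth_key(device_key: bytes, pin: str) -> bytes:
    """Bind the possession factor (a key held only by the registered app) to
    the knowledge factor (the PIN). A wrong PIN or a different device yields a
    different key, so a valid code proves both factors were present."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_key, 100_000)


def enrol(pin: str) -> tuple[bytes, bytes]:
    """Enrolment (assumed flow): the app receives a random device key and the
    bank keeps only the derived authentication key, never the PIN."""
    device_key = secrets.token_bytes(32)
    return device_key, derive_auth_key(device_key, pin)


def _canonical(txn: Transaction) -> bytes:
    # Amount and payee are part of the MAC input: that is the dynamic link.
    return f"{txn.amount_cents}|{txn.payee}|{txn.nonce}|{txn.issued_at}".encode()


def _code_from_key(auth_key: bytes, txn: Transaction) -> str:
    mac = hmac.new(auth_key, _canonical(txn), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


def app_generate_code(device_key: bytes, pin: str, txn: Transaction) -> str:
    """Customer side: the registered app displays amount and payee, the
    customer confirms with the PIN, and the app returns the code."""
    return _code_from_key(derive_auth_key(device_key, pin), txn)


def bank_verify(auth_key: bytes, txn: Transaction, code: str, now: int) -> bool:
    """Bank side: recompute the code over the amount and payee the bank is
    about to execute, reject stale challenges, compare in constant time."""
    if now - txn.issued_at > CODE_LIFETIME_S:
        return False
    return hmac.compare_digest(_code_from_key(auth_key, txn), code)


def demo() -> dict:
    """Constructed scenario: one genuine approval, then the same code replayed
    against a tampered amount, a swapped payee, a wrong PIN and an expired
    challenge. Only the genuine case verifies."""
    device_key, bank_key = enrol("4711")
    txn = Transaction(amount_cents=1250, payee="example-merchant",
                      nonce=secrets.token_hex(8), issued_at=1_568_419_200)
    code = app_generate_code(device_key, "4711", txn)
    t = txn.issued_at + 10
    tampered = Transaction(9999, txn.payee, txn.nonce, txn.issued_at)
    rerouted = Transaction(txn.amount_cents, "attacker-account", txn.nonce, txn.issued_at)
    return {
        "genuine": bank_verify(bank_key, txn, code, t),
        "amount_changed": bank_verify(bank_key, tampered, code, t),
        "payee_changed": bank_verify(bank_key, rerouted, code, t),
        "wrong_pin": bank_verify(bank_key, txn, app_generate_code(device_key, "0000", txn), t),
        "expired": bank_verify(bank_key, txn, code, txn.issued_at + CODE_LIFETIME_S + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from this: the bank must verify the code over the amount and payee it is actually about to execute, not over values echoed back by the merchant or browser, and the app must show the customer exactly the values that go into the code. A one-time password that is not tied to the transaction data (a plain SMS code, for example) is not dynamically linked and can be phished and used for a different payment.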
It seems cellphones plus dedicated apps will be the way to go for future online payments. Naturally, this directive does not apply outside the EU (yet), but consumer rights groups are already at the ready to launch similar initiatives in their countries, should the directive be a success. After all, online fraud on a massive scale is not exclusive to the EU. At present, companies in several countries are struggling with the technical implementation, prompting Austria, France, Germany, Great Britain and Italy to consider 18-month grace periods to avoid financial chaos. It's not like EU countries had four years to implement a form of two-factor authentication that has been in use at Google and others for many years, as cynics love to point out, right? What's even more puzzling is that even billion-dollar credit card companies are failing to set up a working system on time. With September 14 only a few days away, concerned customers are plenty, but proper information material and compatible apps are almost nowhere to be found.
So what about my bank, the name of which I choose not to disclose for the sake of fairness? They're in panic mode! It appears four years were not enough to make the necessary changes, and the latest I've heard is that their complaints department is receiving 1,500 complaints per hour. Naturally, their app is no longer working and technical issues are stacking up. Their login page was offline for hours, all banking software was locked out and accounts were suspended. The separation between private and business customers also went up in smoke, since the bank was unable to process different "personal identities". Eventually, their hotline threw in the towel and activated a voice box. The message? "We are aware of the issues and are working hard to fix them. Thank you for calling and have a nice day."
Of course, as with all directives, there are a few exemptions. For example, remote electronic payments of low value are exempt, but only as long as the single transaction does not exceed €30 and, since the customer's last strong authentication, the total amount of exempted transactions does not exceed €100 or their number does not exceed 5 in a row. Banks can also classify individual transactions as low-risk and skip the authentication step, e.g. for recurring payments to the same recipient. Furthermore, customers can put online stores they use regularly on a list of trusted beneficiaries held by their bank, after which payments to those stores no longer need a second factor, an option Amazon, eBay and other big players will most likely push hard. As for my bank: I doubt they'll be compatible with PSD2 any time soon. Despite presenting themselves as more cutting-edge than Tesla in their ads, financial institutions usually take their sweet time to catch up with modern technological developments.
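The low-value exemption is a small piece of stateful logic on the issuer's side, and the counters are where implementations go wrong. The following is an added example (not the article's or any issuer's code) that applies the thresholds stated above per card: €30 per transaction, and €100 cumulative or 5 consecutive exempted transactions since the last strong authentication. The RTS lets the issuer track either the cumulative amount or the count; this example tracks both and challenges when either would be exceeded, which is a conservative choice of the example, not a requirement of the directive.

```python
"""Issuer-side decision for the low-value remote payment exemption.

Illustration added to this article, not an issuer's real rules engine. The
thresholds are those stated in the text: EUR 30 per transaction, and EUR 100
cumulative or 5 consecutive exempted transactions since the last strong
customer authentication. The RTS lets the issuer track either the cumulative
amount or the transaction count; this example applies both, which is a
conservative choice of the example, not a requirement of the directive.
"""
from dataclasses import dataclass

SINGLE_LIMIT_CENTS = 30_00
CUMULATIVE_LIMIT_CENTS = 100_00
MAX_CONSECUTIVE = 5


@dataclass
class CardState:
    """Counters the issuer keeps per card since the last SCA."""
    cumulative_cents: int = 0  # exempted amount since the last SCA
    consecutive: int = 0       # exempted payments in a row since the last SCA


def sca_required(state: CardState, amount_cents: int) -> bool:
    """True if the issuer must challenge this remote payment."""
    if amount_cents > SINGLE_LIMIT_CENTS:
        return True
    if state.cumulative_cents + amount_cents > CUMULATIVE_LIMIT_CENTS:
        return True
    if state.consecutive >= MAX_CONSECUTIVE:
        return True
    return False


def record(state: CardState, amount_cents: int, sca_performed: bool) -> None:
    """Update the counters: an SCA resets them, an exempted payment adds to them."""
    if sca_performed:
        state.cumulative_cents = 0
        state.consecutive = 0
    else:
        state.cumulative_cents += amount_cents
        state.consecutive += 1


def process(amounts_cents: list[int]) -> list[bool]:
    """Run a sequence of remote payments on one card and return, per payment,
    whether SCA was required. Assumes every required SCA succeeds."""
    state = CardState()
    decisions = []
    for amount in amounts_cents:
        challenge = sca_required(state, amount)
        record(state, amount, sca_performed=challenge)
        decisions.append(challenge)
    return decisions


if __name__ == "__main__":
    # Constructed sequences, amounts in cents:
    print(process([2000] * 6))          # six payments of EUR 20: the sixth is challenged
    print(process([1000, 3500, 1000]))  # EUR 35 in the middle triggers SCA and resets
    print(process([2500] * 5))          # five payments of EUR 25: the fifth breaks EUR 100
```

Two things to check in a real implementation that the snippet makes visible: the counters must be reset only when an SCA actually succeeded, not merely when one was requested, and they must live with the issuer per card, not in the merchant's session, or a fraudster could spread small charges across many merchants without ever being challenged.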
What I would like to know: Do you think the efforts are justified, or will criminals quickly find ways to circumvent this new security barrier? For non-Europeans: Would you like to see a similar authentication process in your country?
I did apply for another free email account apart from Gmail. Unfortunately that website also demands that I supply a mobile phone number, else they will terminate my service.
I am afraid governments everywhere are going the mobile phone route to monitor us.
As a retired IT manager of a credit card company, let me recount my experience of setting up the magnetic card encoding/embossing system for Diners Card Singapore more than 20 years ago, and then I may theorise what happens to the small player.
DC Singapore used the ICL 1900, which is a UK CPU with 6-bit codes. When DC International informed us to start using magnetic encoding and embossed cards via POS terminals instead of the old-fashioned card press (you got 3 ply: the customer got the top copy, the shop got the middle copy, the card company got the last), we were in panic mode, as there are special characters in magnetic tracks 1 and 2 on the card. DC UK advised us to switch to the IBM System/38 (a midrange CPU), and they claimed to be developing a general credit card package for all of Diners Club. We bought the new S/38, but the promised software project failed in some countries and the idea was abandoned. We had to develop our own software with a team of 6 people, including myself and my deputy.
The next phase was finding a magnetic card embossing/encoding system. DC UK gave us a few names; only one had an office in Singapore, and we had no choice but to buy it. A nightmare followed. The salesman promised it would work but had no knowledge of how it worked, as he had not worked in a card company using his machine. Six months of 9x6 days, then one lucky break in that that month's trial run came out successfully, and I took six days to see why it worked. It turned out the system used special characters such as ",/.? etc. to control the movement of the machine to emboss the card (hence the use of "Mr. ABC" etc. would cause erratic results).
The third phase was not much smoother. We were advised by DC UK again to buy the IBM S/1 for the front-end POS processing; the S/38 was for back-end business processing, reports, data entry etc. IBM recommended a US company whose CEO came to Singapore. He promised to set up a branch, we signed a contract, and one software engineer was sent to modify the software for us. Their software was designed for banks or bank-owned cards, where the card is activated by an ATM. We are not bank-owned, so a lot of things had to be changed. In the end the US company went belly up and our money, paid via progress payments, went down the drain. Neither DC UK nor the other banks or card companies could help us, as each used different hardware and software. In the end IBM found one US company with a branch in Hong Kong that had done a similar project, and they managed to complete the job after 9 months.
All in all we probably lost US$1M and spent about US$3-4M on the S/38, the S/1 and the card machine, not counting the cost of a thousand POS terminals our marketing department had to buy, as in the early days there was no sharing among banks/card companies.
I had left the company, and they had switched to a front-back unified system (but multi-CPU); it is IBM but with a UNIX OS, an Oracle database and a third-party (a US card software company with an office in Manila) credit card package that is a black box to the company's IT staff, and all they can do is write programs around it or do data extraction and generate reports.
Now I shall theorise how the new P2P requirements etc. may be implemented (pure theory, as I have no contact with those who are in it):
The mobile app is the easiest part; most young kids can write it. But it does nothing other than taking your SMS via the app, sending it to the back end, getting a response and sending it back to you.
The bank/card company's current system will NOT be able to handle it. You need a "mobile app processing system". It will receive the app's message and decide if it is for a card renewal fee waiver, a service charge waiver, an application to link your card to your mobile phone, a money transfer from one bank account to another, etc. etc. Remember, this is to replace as much of the ATM/bank counter/CSD call centre functions as possible!
This app processor will probably store a cross-index database of the bank/card company's customer database (a subset of customer ID/card number, phone number etc.). The complexity comes in if the person holds multiple credit cards (tied to a supermarket, telco, etc.), or, for Diners/Amex, the supplementary card has the same first 12 digits and there is one statement for the main and supplementary card. So you must allow multiple phone numbers linked to the same account/card.
For fund transfers to another bank, an interface to the other bank is required. The system needs to check if the account or card is good (no bad debt), and it may have to check a government or private credit bureau for a rating. It will have to keep track of the timeout, and don't forget the random number generator to generate the one-time PIN. I must confess I had heard of this but I could never figure out how this is done. It will probably come from an outside source to generate this, or pay a hefty sum to integrate it.
If the "god almighty" decides to go to the next phase of facial recognition or fingerprint/voice etc.: please note that, whether midrange or mainframe, CPUs do not process data in JPG or BMP, only in strings of 010101... (numeric codes). All graphic images have to be digitised (again, a third-party graphic digitizer) to become data that can be processed by the app system or the back-end system. Only PC terminals can display the graphic images, so to view them together with the back-end data you need to invest in a lot of things (you need to de-digitise the images back into images on the PC). The same goes for sound/fingerprints etc. Also, the government may have the monopoly on keeping databases of fingerprints and photos (the government passport requires a recent photo, but not the bank/credit card). Muslim countries require females to wear a face veil, so can this work? The recent fad of making you look old using face-changing apps will result in your face being stored on a remote server. Eventually all those safeguards can be broken and hacked.
This really is going to be a very complex setup and very, very costly. The small players (Diners Club is one), the regional banks, those without an international network, will indeed be left behind, as they cannot compete with the bigger players. Even if they are willing to pay, there are just not many companies in the world (mostly in the US and perhaps Israel?) that can integrate all of these together. The Chinese do have facial recognition, but the West will not trust them.
At the end of the day, the big question is: is it worth it? Is it for security or for cutting manpower (AI will definitely be used in these systems in future, and you don't even need a human to decide dubious cases)? Is it for the government? (They have access to the telcos' mobile phones, and up-to-date photo and fingerprint databases.) Or is it for the big banks/card companies to squeeze out the smaller rivals?
The future is horrifying, don't you agree?
@ Kevin Scardfield, after reading your comment about, 'Santander [...] insisting account holders who do not have mobiles must buy one', I have arrived at the opinion that SANTANDER must buy the phones.
All I can see happening is longer waiting times while waiting in checkout queues for auth codes, and people being re-issued with them because the time limit ran out.
@ Ashampoo Customer (top post), I agree. All of this tying accounts to mobiles is another ploy to get more user telemetry, and probably to make money movements more trackable. Criminals probably use dead people's details to get their phones.
One thing, Ashampoo Customer, you could have simply not used Gmail instead of buying a phone to use it. A domain name and cheap hosting (less than $20 per YEAR combined) may have been cheaper for you, and your host probably wouldn't have scanned your e-mail content. I don't think Google users can really complain about privacy concerns from another service when they are using services from the world's largest digital stalker.
Here is my take:
1. This is the end of privacy as we know it.
2. There is a conspiracy among all governments, telcos, mobile phone makers, banks and credit card companies, etc.
3. The scheme is based on the mobile phone (as opposed to the token the bank gave you to generate the secret code), with software probably developed by some US tech firms in conjunction with government spy agencies and telcos.
4. Can anyone tell me what there is to prevent someone stealing all your data in your phone if you send it for repair? All your data is stored in the phone; the repair man can even clone the hard disk in your phone. If your phone is lost, the one who picks it up can get someone to decode it and use it as if he or she is you.
5. How can we know your government will not instruct your telco to install a spy app to monitor you?
6. All smartphones have GPS tracking, and the SMS texts are stored at the telco; that can be transferred to your government for big data analysis.
7. Even if you are a law-abiding citizen, if you express opinions which contradict what your government dictates, they will immediately mobilise their IT resources to track and monitor you, with adverse consequences.
These are the facts in my country:
1. One of my credit card companies has stopped sending printed copies of statements and asked me to go online to view or opt out. However, even if I want to opt out, I had to register an account and, guess what, I had to provide my mobile number for them to send me a code to confirm.
2. The other bank's credit card charges an annual fee; I am able to cancel it if I phone the bank to ask for a waiver. This year I had to get an online account and give my mobile number so that they can send the code for me to confirm.
3. This seems to me a US software company's devious scheme to trap all of us into this. The card company claimed it is a government directive for cyber security. We all know that every facial recognition or fingerprint can be faked by experienced hackers. This is a big joke.
4. Don't believe anything the government says about respecting privacy and keeping no history of your transactions. My country operates a vehicle entry fee to the central business district during peak hours. You have to install a sensor from the government in your car, and at the gantry you will be noted and the entry fee deducted from the cash card in the sensor. There was a failure of the system some years back in that the fees were deducted excessively. The government apologised and then admitted they did store the data for a period of time and they could trace you and refund you. There goes the assurance!
5. In my country there are hawker centres (cheap food courts offering rice with one meat and 2 veg at US$2 or less, and other noodles, soup etc. at cheap prices). It was cash, but now the government is pushing cashless (meaning mobile payment, not credit card); the excuse is that we want to be a smart city and no cash needs to be carried. The real reason, I suspect, is to tally how much money the hawkers make each month and tax them. In fact the government is pushing the e-payment scheme to all other transactions.
6. The banks are phasing out ATMs and chequebooks (they charge a fee for the chequebook, and may impose a fee on each cheque I issue in future, I heard). There is a company that seems to be a joint venture of the local banks. But very little is known about it, and there are complaints in the newspapers' readers' letters about how they are unresponsive to non-payment and the resolving of disputes.
7. I go to our government eye centre 3-4 times a year for my cataract/glaucoma follow-up. My recent visit jolted me, as the registration machine wants my mobile phone number.
8. Our passports, access to government services and government clinics now all require an e-ID pass and, you guessed it, a mobile phone and a one-time password.
9. I must not forget I had to purchase a mobile phone a year ago as my Gmail account wants a mobile number. And Google has been pestering me to provide an alternate email address etc. for security etc. My in-law (a Hungarian) had the same adverse reaction to mobile phones. He now relies on his wife, who is a slave to her phone, for all contact with society.
10. To this end I must say at least the Chinese are honest; they do not deny they are monitoring you. But every other government does not admit that; they only say it is for your own good, it is cyber security.
11. I wonder what it is like in your country? Please share with me.
Will the process of using a north American credit card for UK or European purchases be affected by this directive and how will Brexit affect the implementation ?
So the BIG saviour will be an APP on my phone, the MOST hacked and insecure device in the world.
This authentication process is already in operation in some U.S. businesses. It sounds like a good idea in some ways, but any additional authentication will need to be stored in computers, therefore still vulnerable. Ethics and larceny continue to play havoc. Cash may remain the best way to conduct business.
Locks are for the honest people. Thieves will always find a way to pick them.
Already have it in place in Australia.
I tried to make a payment to a company yesterday, but my card details were not recognised. I tried different cards, but no joy.
Hi Sven,
My (UK) bank has implemented 2FA for logins.
As I am not in the UK right now, I don't have a UK mobile phone number, so my codes will get sent to e-mail. It's just more things for legitimate users to do, while criminals will no doubt find a one-click way to hack it in the future.
OMG! I tried logging in for the first time just now. Only 30 seconds from clicking to get the code to entering it! That's not much time with a slow network connection. The first time was too slow. I had to re-input all of the credentials again.
I'm quite surprised by your statistics for Germany: all of my accounts in Germany are already operating the new secure TAN systems using a known device or SMS to a registered number.
I have also seen the use of card payments in shops growing rapidly, including (or more like especially) for small amounts, as the banks are rapidly increasing the charges for withdrawing and depositing cash. Small businesses are affected badly if they have to withdraw or deposit a lot of small coins, such that the card charge is becoming the cheaper option compared to handling cash.
Thank you for making these changes far more clear than my bank has managed! While receiving written stuff through the mail and odd emails that have been unclear, to say the least, at last, I'm starting to understand.
My only worry is that making a future payment(s) may be too difficult for my 80yo brain!
With the increase in illegal transactions it's obvious a more 'strong' system is needed, but at the same time consideration must be given to the less technically endowed when making a legal transaction.
The current system has 'worked' for many years and changes for the user must be a major consideration.
Bob Cartmell
Ohh, my God. Thanks for your information. My country is in Latin America: Guatemala City.
Santander are currently under investigation by the Financial Ombudsman and the Financial Conduct Authority after failing to comply with the rules, and for age discrimination after insisting account holders who do not have mobiles must buy one.
They will get past it in less than 3 months.