PSD2: What European bank customers need to know

Sven Krumrey

Have you heard of PSD2? No? No biggie, many companies seem to be feeling the same way! That's surprising since PSD2 stands for the European Commission's latest payment services directive and will govern all credit and debit card related payment transactions above €30. Third-party payment providers like PayPal are also affected. PSD2 will come into full effect on September 14, 2019 and will usher in a new era of credit card payments. After that, the information usually given on the back of the card (owner, credit card number and security code) will no longer suffice to authorize transactions, making successful credit card theft considerably harder. But, although only a few days away, both credit card companies and banks are currently struggling hard to implement the directive.

Sellers' darling: credit cards

Cashless payments, though they have been technically available for quite a long time, are still anything but commonplace in many countries. For instance, while credit cards are the default payment option in the US or Iceland (even for harbor tours), in Germany, only every 57th purchase is paid for in this way. Still, credit cards play an ever more important role in international transactions and as surety for hotel and rental car reservations. In 2015, the European Parliament updated its 2007 Payment Services Directive, upping the security checks to combat identity theft among other things.

To make a long story short, things are going to get more dynamic! PSD2 requires "strong customer authentication" (SCA) based on "dynamic linking". All transactions have to be authenticated using at least two of three factors (two-factor authentication):

  1. Knowledge exclusive to the customer. This can be a password, a (dynamically generated) PIN or the answer to a security question, but not a card number or expiry date.

  2. Access to a pre-authorized device, e.g. a cellphone registered with the bank.

  3. A biometric feature inherent to the customer, e.g. a fingerprint.

Based on the above factors, a unique authentication code will then be generated for the specific amount and recipient.
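To make "dynamic linking" concrete, here is an added example (not code from the directive or from any bank) in which a key held on the registered device produces a code over the exact amount and recipient, so the bank rejects the code if either is altered afterwards. PSD2 does not prescribe an algorithm; HMAC-SHA256, the 8-digit truncation, the challenge nonce and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from decimal import Decimal


def canonical(amount: Decimal, currency: str, payee: str, nonce: bytes) -> bytes:
    """Serialise the transaction unambiguously: every field is length-prefixed."""
    fields = [
        format(amount.quantize(Decimal("0.01")), "f").encode(),
        currency.encode(),
        payee.encode(),
        nonce,
    ]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def auth_code(device_key: bytes, amount: Decimal, currency: str,
              payee: str, nonce: bytes) -> str:
    """Code the registered device shows after the customer approves the payment."""
    mac = hmac.new(device_key, canonical(amount, currency, payee, nonce),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**8:08d}"


def bank_accepts(device_key: bytes, amount: Decimal, currency: str,
                 payee: str, nonce: bytes, code: str) -> bool:
    """Bank side: recompute over the transaction it is about to execute."""
    expected = auth_code(device_key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected, code)  # constant-time comparison


# Constructed sample values, not real credentials or account numbers.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
NONCE = b"constructed-challenge-0001"  # assumed one-time challenge from the bank
PAYEE = "EXAMPLE-BOOKSHOP-ACCOUNT"

if __name__ == "__main__":
    code = auth_code(DEVICE_KEY, Decimal("49.99"), "EUR", PAYEE, NONCE)
    ok = bank_accepts(DEVICE_KEY, Decimal("49.99"), "EUR", PAYEE, NONCE, code)
    amt = bank_accepts(DEVICE_KEY, Decimal("4999.00"), "EUR", PAYEE, NONCE, code)
    rcp = bank_accepts(DEVICE_KEY, Decimal("49.99"), "EUR", "OTHER-ACCOUNT", NONCE, code)
    print("approved as shown:", ok)
    print("amount altered:   ", amt)
    print("payee altered:    ", rcp)
```

Because the code is computed over the amount and the recipient, a code captured for one payment cannot be reused to authorize a different one.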

Better security: two-factor authentication

It seems cellphones plus dedicated apps will be the way to go for future online payments. Naturally, this directive does not apply outside the EU (yet), but consumer rights groups are already at the ready to launch similar initiatives in their countries, should the directive be a success. After all, the billions of cases of online fraud every year are not exclusive to the EU. At present, companies in several countries are struggling with the technical implementation, prompting Austria, France, Germany, Great Britain and Italy to consider 18-month grace periods to avoid financial chaos. It's not like EU countries had four years to implement a system that has been in use at Google and others for many years, as cynics love to point out, right? What's even more puzzling is that even billion-dollar credit card companies are failing to set up a working system on time. With September 14 only a few days away, concerned customers are plentiful, but proper info material and compatible apps are almost nowhere to be found.

So what about my bank, the name of which I choose not to disclose for the sake of fairness? They're in panic mode! It appears four years were not enough to make the necessary changes, and my most recent knowledge is that their complaints department is receiving 1,500 complaints per hour. Naturally, their app is no longer working and technical issues are stacking up. Their login page was offline for hours, all banking software was locked out and accounts were suspended. The separation between private and business customers also went up in smoke, since the bank was unable to process different "personal identities". Eventually, their hotline threw in the towel and activated a voice box. The message? "We are aware of the issues and are working hard to fix them. Thank you for calling and have a nice day."

There are many ways to conclude a purchase

Of course, as with all directives, there are a few exemptions. For example, low-value remote electronic payment transactions will not be affected, provided a single transaction does not exceed €30 and the transactions made without authentication do not exceed a total of €100 or 5 in a row. Banks can also deem individual transactions secure and skip the authentication process, e.g. for regular payments. Furthermore, banks can rate online stores as generally trustworthy, an option most likely quickly sought out by Amazon, eBay and other big players. As for my bank: I doubt they'll be compatible with PSD2 any time soon. Despite presenting themselves as more cutting-edge than Tesla in their ads, financial institutions usually take their sweet time to catch up with modern technological developments.
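The exemptions are stateful: whether a small payment goes through without authentication depends on what has been paid since the customer last authenticated. The following added example (not taken from the directive or any bank's system) tracks the €30, €100 and 5-transaction limits from the text plus a list of stores rated trustworthy; the reset after authentication, the exclusion of trusted-store payments from the counters and all names are assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

MAX_SINGLE = Decimal("30")       # per-transaction ceiling from the text
MAX_CUMULATIVE = Decimal("100")  # running total allowed without authentication
MAX_CONSECUTIVE = 5              # unauthenticated payments allowed in a row


@dataclass
class ExemptionTracker:
    trusted_payees: set = field(default_factory=set)  # stores rated trustworthy
    total: Decimal = Decimal("0")  # amount spent since the last authentication
    count: int = 0                 # payments made since the last authentication

    def requires_sca(self, amount: Decimal, payee: str) -> bool:
        if payee in self.trusted_payees:
            return False
        return (amount > MAX_SINGLE
                or self.total + amount > MAX_CUMULATIVE
                or self.count + 1 > MAX_CONSECUTIVE)

    def process(self, amount: Decimal, payee: str) -> bool:
        """Decide one payment, update the counters, return True if SCA was demanded."""
        demanded = self.requires_sca(amount, payee)
        if demanded:
            # Assumption: a successful authentication resets both counters.
            self.total, self.count = Decimal("0"), 0
        elif payee not in self.trusted_payees:
            # Assumption: payments to trusted stores do not use up the allowance.
            self.total += amount
            self.count += 1
        return demanded


def run(payments, trusted=()):
    """payments: list of (amount_string, payee) pairs; returns one bool per payment."""
    tracker = ExemptionTracker(trusted_payees=set(trusted))
    return [tracker.process(Decimal(amount), payee) for amount, payee in payments]


if __name__ == "__main__":
    # Constructed sequence: four payments of 25 reach exactly 100, the fifth exceeds it.
    print(run([("25", "shop")] * 4 + [("10", "shop")]))
    # Seven payments of 5: the sixth in a row triggers authentication, then the count restarts.
    print(run([("5", "shop")] * 7))
```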

What I would like to know: Do you think the efforts are justified or will criminals quickly find ways to circumvent this new security barrier? For non-Europeans: Would you like to see a similar authentication process in your country?
