Payment service providers in the 28-member European Union are working toward an August deadline to implement two-factor authentication for online payments.
The European Banking Authority issued final guidelines in December setting the minimum security requirements providers must implement. The guidelines define “strong customer authentication” as a procedure based on two or more elements drawn from three categories: something the user knows, such as a password or PIN; something the user possesses, such as a phone or token; and something the user is, such as a biometric. The elements must be mutually independent, so that compromising one does not compromise the others; two elements from the same category (a password plus a PIN, for example) do not qualify.
“In today’s day and age, ‘something you know’ can most likely be discovered by others,” says Thorston Trapp, CTO at tyntec, a mobile company. “Biometric data is great to identify a person, but has usability problems when it comes to the mobile environment and issues related to data protection and privacy – which vary depending on where you are. That’s why phone-based authentication is emerging as the industry standard.”
A 21% increase in payment fraud between 2011 and 2012 triggered the Banking Authority guidelines. They also build on the EU-wide minimum requirements for more secure Internet payments, which standardize online security across member states. Beyond authentication, payment service providers must protect customer data and educate their users about secure payment practices.
“Third party authentication solutions like one-time passcode text messages – a form of out-of-band two-factor authentication – meet the security requirements of strong customer authentication and are user friendly, universally accessible, simple to deploy, and cost effective,” Trapp says.
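To make the two points above concrete, here is an added example, written for this page and not code from tyntec, the European Banking Authority or any payment provider. It implements the server side of the out-of-band one-time-passcode flow Trapp describes (generate a short code, deliver it over a second channel, accept the payment only if the correct code returns in time) and a small check of the factor-category rule from the guidelines. The code length (6 digits), lifetime (5 minutes), attempt limit (3) and the `send_sms` callback standing in for an SMS gateway are assumptions chosen for illustration; the factor names in `FACTOR_CATEGORIES` are likewise hypothetical labels, not terms from the guidelines.

```python
"""Server-side out-of-band OTP challenge for a payment (added illustration).

Assumptions (not from the article): 6-digit codes, a 300-second lifetime,
at most 3 verification attempts, single use, and an injected send_sms
callable that stands in for a real SMS gateway.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code
MAX_ATTEMPTS = 3         # assumed number of guesses before the code is voided

# Knowledge / possession / inherence categories as the guidelines define them;
# the factor names on the left are hypothetical labels for this example.
FACTOR_CATEGORIES = {
    "password": "knowledge",
    "pin": "knowledge",
    "sms_otp": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}


def is_strong_customer_authentication(factors):
    """True only if the presented factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORIES[f] for f in factors}
    return len(categories) >= 2


@dataclass
class Challenge:
    code_hash: bytes      # salted hash of the code; the plaintext code is never stored
    salt: bytes
    expires_at: float
    attempts_left: int


def _hash_code(code, salt, transaction_id):
    # Binding the hash to the transaction id means a code issued for one
    # payment cannot be replayed to authorise a different one.
    return hashlib.sha256(salt + transaction_id.encode() + code.encode()).digest()


class OtpService:
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # callable(phone_number, message)
        self._now = now             # injectable clock so expiry can be exercised
        self._challenges = {}       # transaction_id -> Challenge

    def issue(self, transaction_id, phone_number, amount, payee):
        """Generate a fresh random code for this payment and send it out of band."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._challenges[transaction_id] = Challenge(
            code_hash=_hash_code(code, salt, transaction_id),
            salt=salt,
            expires_at=self._now() + CODE_TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        # The message states what is being authorised so the user can spot a
        # payment that an attacker has altered in the browser channel.
        self._send_sms(phone_number,
                       f"Code {code} to pay {amount} to {payee}. Never share this code.")

    def verify(self, transaction_id, submitted_code):
        """Return (accepted, reason). A code is single use and voided on expiry or lockout."""
        challenge = self._challenges.get(transaction_id)
        if challenge is None:
            return False, "no active challenge"
        if self._now() > challenge.expires_at:
            del self._challenges[transaction_id]
            return False, "expired"
        challenge.attempts_left -= 1
        submitted_hash = _hash_code(submitted_code, challenge.salt, transaction_id)
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(challenge.code_hash, submitted_hash):
            if challenge.attempts_left == 0:
                del self._challenges[transaction_id]   # force a fresh code after too many guesses
                return False, "locked"
            return False, "wrong code"
        del self._challenges[transaction_id]           # accepted codes cannot be reused
        return True, "ok"
```

The design choices are the ones a practitioner would check for in any OTP deployment: the code is random rather than derived from the transaction, only its salted hash is stored, it is tied to a specific payment, it expires, guesses are capped, and an accepted code is discarded immediately. The factor check shows why "password plus PIN" is not strong customer authentication even though it is two elements.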
Trapp says it’s hard to know the impact of this move on payments in the US, where cyber security is evolving. But the rising business costs tied to breaches might support the argument for the US to follow the EU’s lead.