Special Report
A special report is content that is edited and produced by the special reports unit within The Irish Times Content Studio. It is supported by advertisers who may contribute to the report but do not have editorial control.

Balancing security and ease-of-use the key to digital payments

Two-factor authentication will see users complete two steps to confirm their identity

Even as security authentication becomes more automated, it does not detract from our responsibilities to keep our passwords and codes   safe
Even as security authentication becomes more automated, it does not detract from our responsibilities to keep our passwords and codes safe

The debate over how to balance the need for security in the fast-growing digital payments industry while keeping the end-user experience as seamless as possible has intensified in recent times.

Striking a balance between the needs for security and convenience remains a challenge, but many in the payments industry believe that the EU’s new Payments Service Directive 2 or (PSD2), due to come into force next year, could shift the balance in favour of security in a way that could hit revenues.

Eric Hogan, country manager of merchant services firm Elavon, said: "One of the more contentious requirements is two-factor authentication for ecommerce transactions."

This is being proposed by the European Banking Authority in response to the new directive, which states that there must be "strong customer authentication" in the form of additional confirmation steps, such as entering passwords, one-time codes or using a physical card reader. As the term implies, two-factor authentication will demand that users complete at least two steps to confirm their identity before making a transaction.

READ MORE

“Ecommerce businesses complain about abandonment as a result of that being in the checkout process, so there’s a debate raging between security and the customer experience.”

Online shopping cart abandonment rates globally are reported to be as high as 70 per cent, so it is easy to appreciate the concern that the new rules could push that rate up in Europe.

Standard

The industry view, said Hogan, is that the European Commission didn't give it enough consideration to alternative single-factor authentication processes that it believes are just as secure.

Ruth McCarthy, chief executive of FEXCO Corporate Payments, said that with two-factor authentication becoming the standard, the “challenge at the moment for ecommerce providers with card-not-present is trying to figure out what their two-factor authentication is going to be”.

FEXCO is signed up to ISO 27001, a popular standard for internet security that already includes a mandate for two-factor authentication. Nonetheless, for the firm and many of its FX competitors the demand for two-factor authentication across the entire payments industry, including banks, has created a usability problem.

“It’s a really big issue for us because when our customers book their transactions with us, they use two-factor authentication to verify those transactions, but then in addition they will have to go into their bank account, go through a similar two-factor authentication to send off the funds so that we can do the onboard transfer for them.

“So customers, essentially, are going through two-factor authentication twice – once with us and once with the bank, in order to do the transaction. We’re hoping that by the time PSD2 is fully implemented, customers won’t have that inconvenience.”

Password

One emerging option for more automated two-factor authentication is to hone in on your IP address. “So you authenticate by tapping in your password, and then in addition to that the fact that you are logging from a specific PC – that is the second form of authentication. That’s becoming more popular now as people are working much more flexibly.”

Richard Morrissey, associate director of FX services firm Moneycorp, says that even as the digital payments industry continues to attract new players, security will always be crucial.

“It’s a much bigger and broader industry, so when you use the term security now a lot of these companies are technology companies, so whatever platform you use to integrate with the new payments world, security will be a very, very important part of that.”

He cites blockchain technology as one example of how these firms are shaping the security environment.

The technology started out as the platform for the virtual currency Bitcoin, and is essentially a public digital ledger on to which transactions are anonymously recorded across many different users. The selling point of blockchain is that it is nearly impossible to tamper or delete information or transactions that have been added to the chain, not to mention that it is very easy to trace, and it is now being embraced by the payments industry.

"When you see the big six accountancy firms in the world are embracing it and consultancy firms like Accenture are looking into it, the reality of it is that this is something that is happening and you can't stop it. I would watch that space."

Blockchain platform

Late last year Irish agri-food co-op Ornua was the first company to make a global trade transaction with the help of Barclays bank using a blockchain platform.

The very recent launch in Ireland of Apple Pay, a "mobile wallet", is another example of how mobile technologies are moving the security game on, according to Karl McDermott, head of IT at Three Ireland. As well as the fact that it uses fingerprint authentication, both it and Android Pay don't hold credit card or debit card details on the phone. Instead, a "tokenisation" system is used whereby the customer's card details are kept secure elsewhere.

In general, however, “biometrics seem to be the direction it’s going in, and that includes facial recognition – that’s coming down the road but it’s not quite there yet”, he said.

Yet McCarthy notes how a trial of facial recognition authentication by a bank in the Netherlands had to be rolled back because customers didn’t like it.

“We should not underestimate the ‘creep factor’ of biometrics. Over time people will likely become more comfortable with this kind of verification, but it has the potential to feel invasive.”

Even as security authentication becomes more automated, it doesn’t detract from our responsibilities to keep our passwords and codes and other sensitive details safe.

“One of the biggest security issues across any technology or application anywhere is end-user behaviour. So, you still have to act responsibly and be aware of what you’re doing,” said McDermott.

Digital wallets and mobile money

On "Black Friday" last December online shoppers in the US made $1.2 billion of purchases via their phones and tablet, marking the first billion-dollar mobile shopping day in US history, according to estimates from Adobe. This is nearly a third of $3.34 billion in total online sales made that day.

So, the potential of digital wallets and mobile money is clear, and something that Apple and Google are hoping to exploit with the respective launches of Apple Pay and Android Pay.

However, Apple Pay has been available in the US for about two years now, says Hogan, but the take-up was a little underwhelming.

“In my view it’s certainly a major milestone in mobile wallets, and in using biometrics to authenticate a transaction, but it still hasn’t taken the world by storm, put it that way.

“It surprised me, but then the contactless card took four or five years to take off, and we don’t have a terrible user experience in the payments business. Chip and pin really isn’t all that bad.”

Just getting folks to give it a go is usually the trick. “Just like contactless cards, as soon as somebody did one or two transactions, then they were hooked.

“It’s like the adoption of any new technology, it’s really just about get one or two transactions done, be happy with the experience, be happy with the security, be confident etc.”