Today, more and more customers expect a fully digital and seamless banking experience across all channels. At the same time, regulations such as GDPR and PSD2 are placing far more importance on data protection and security than ever before, ensuring it’s now a top priority for banks and financial institutions. Frederik Mennes, Director of Product Security, Security Competence Center at OneSpan explains how to achieve both compliance and customer experience at the same time.
Balancing the two can be a challenge for banks, which can’t afford to compromise on either. Customers want to feel confident that their sensitive personal and financial data is protected from fraud and cyber-criminals, but at the same time they don’t want to go through frustrating, seemingly unnecessary hurdles.
So how can banks and financial institutions fulfil key requirements of PSD2 while still offering secure, exceptional customer experiences?
Real-time risk analysis
PSD2 mandates the use of transaction monitoring to deter fraudulent payments and prevent threats like account takeover, new account fraud, and mobile fraud.
Mobile and application data can be analyzed in real-time using machine learning-powered risk analytics tools, to detect known and emerging fraud types in the relevant channels. This analysis produces a transaction risk score, which can then drive intelligent workflows that trigger immediate action based on pre-defined and/or customer-defined security policies and rules.
By taking into account a number of risk-based factors, including known fraud scenarios, malware infection detection and the transaction amount, risk analysis tools can enable banks to achieve compliance, better protect their customers and reduce costs, without harming the overall customer experience.
Banking customers are increasingly moving to the mobile channel, a trend that has accelerated since lockdown measures were introduced across the globe. Recognizing this, PSD2 mandates that, where an authentication factor relies on a mobile device, the app uses countermeasures to prevent the replication of that factor. PSD2 also requires payment providers to ensure that the breach of one authentication factor does not compromise another, a particular concern on mobile devices, which may handle multiple factors.
Application shielding is one way banks can ensure they’re meeting these requirements, as the technology protects apps from the inside out and strengthens their resistance to threats such as intrusion, tampering, reverse engineering and malware.
This mitigates the risk of apps operating in untrusted and potentially hostile environments without interrupting the user experience.
Transaction data signing
Another key requirement of PSD2 is dynamic linking, which protects against man-in-the-middle attacks. These occur when a cybercriminal is able to intercept communications between a customer’s device and the banking server and then alter the details of a transaction without the customer noticing. A normal transaction of 100 pounds could be changed to 1,000 pounds by a malicious actor.
First, dynamic linking requires the payer to authenticate the transaction data they have entered, such as the amount and the intended payee, and confirm that it is correct. An authentication code is then generated that is linked to that transaction data, so that any change to the transaction details invalidates the code.
Second, the confidentiality and integrity of the transaction data needs to be protected throughout the authentication process, so a bad actor cannot intercept and alter the details. This ensures the authentication code is generated based on authentic transaction details.
Finally, the customer needs to be aware of the transaction data they are asked to authenticate. This means that the transaction data needs to be presented to the customer at the time of authorization.
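The three requirements above, as an added worked example that is not part of the original article and is not OneSpan's or Cronto's implementation: the authentication code is a keyed MAC over a canonical encoding of the transaction data, so the 100-to-1,000 tampering described earlier produces a code mismatch at the bank. It assumes a symmetric key already shared between the bank and the payer's authentication device, HMAC-SHA256 with HOTP-style truncation to a short decimal code, a per-transaction challenge issued by the bank, and the field names used below; the IBAN and key are constructed sample values.

```python
"""Dynamic linking illustrated: an authentication code bound to the transaction
data, so that changing the amount or payee invalidates the code.

Example code written for this article; not OneSpan's or Cronto's algorithm.
Assumes a per-user symmetric key shared between bank and authentication device.
"""
import hashlib
import hmac
import json
from decimal import ROUND_HALF_UP, Decimal

CODE_DIGITS = 8  # length of the response code the customer types into the browser


def canonical_transaction(amount, currency, payee_iban, challenge) -> bytes:
    """Serialize the transaction data in exactly one form.

    Both sides must MAC the same bytes: the amount is normalized to two decimals
    and the IBAN stripped of spaces, so '100' and '100.00' cannot yield different
    codes and a formatting quirk cannot be mistaken for tampering.
    """
    amount = Decimal(str(amount)).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    fields = {
        "amount": str(amount),
        "currency": currency.upper(),
        "payee": payee_iban.replace(" ", "").upper(),
        "challenge": challenge,  # bank-issued nonce: a code cannot be replayed later
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def generate_auth_code(device_key: bytes, amount, currency, payee_iban, challenge) -> str:
    """Device side: HMAC over the transaction data, truncated to a decimal code.

    Truncation follows the dynamic-truncation step of RFC 4226 (HOTP) so the
    code stays short enough to type while still depending on every input byte.
    """
    msg = canonical_transaction(amount, currency, payee_iban, challenge)
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def verify_auth_code(device_key: bytes, amount, currency, payee_iban, challenge, code: str) -> bool:
    """Bank side: recompute the code from the transaction the bank is about to
    execute and compare in constant time. If a man-in-the-middle altered the
    amount or payee in transit, the recomputed code will not match."""
    expected = generate_auth_code(device_key, amount, currency, payee_iban, challenge)
    return hmac.compare_digest(expected, code)


def demo():
    """The scenario from the article: customer approves 100 GBP, attacker changes
    the amount to 1,000 GBP after the code was generated. Returns
    (original_verifies, tampered_verifies)."""
    key = b"constructed-sample-device-key-0001"   # constructed, not a real key
    payee = "GB29 NWBK 6016 1331 9268 19"          # constructed sample IBAN
    challenge = "constructed-challenge-42"
    # What the customer saw on the second device and approved (see the third requirement)
    code = generate_auth_code(key, "100", "GBP", payee, challenge)
    original_ok = verify_auth_code(key, "100.00", "GBP", payee, challenge, code)
    tampered_ok = verify_auth_code(key, "1000.00", "GBP", payee, challenge, code)
    return original_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The confidentiality requirement is deliberately outside this block: the MAC gives integrity of what was approved, while protecting the data in transit is the job of the transport channel (or of an encrypted image such as the one described in the next paragraph). The display requirement is met by showing the customer the same canonical amount and payee that go into the MAC, never a value computed elsewhere.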
Cronto technology is one way that banks and FIs can meet dynamic linking requirements without compromising on the customer experience. It’s available through a mobile app on a trusted second device, and presents the authentication code linked to the transaction data as a colour QR-like image.
Only the bank is able to generate this code and it can only be decrypted by the user’s mobile device. This unique approach to transaction verification simplifies the experience because it reduces the user interaction required to authenticate a transaction – customers simply point their phone at the screen to scan the image and enter a response code into the browser. This allows all of the encrypted transaction details to be communicated between the bank and customer without the risk of interception or tampering by hackers.
When it comes to delivering a secure and compliant banking experience, intelligent authentication is vital. Intelligent authentication assesses the risk level of a transaction based on data from a variety of channels and sources, including transaction information, geolocation, device integrity and more. Based on this data, it determines the precise level of authentication required for the situation.
Intelligent authentication also provides a way for banks and FIs to fulfil the Strong Customer Authentication (SCA) requirements of PSD2, which require authentication to be based on two or more of the following factors: knowledge (e.g. passwords or PINs), possession (e.g. tokens or mobile devices), and inherence (e.g. biometrics).
Exceptions to SCA are permitted for low-risk transactions, so intelligent authentication, which adapts the authentication steps to the risk level, can result in a more convenient user experience. It ensures that customers aren’t limited to an inconvenient authentication method (e.g. receiving an SMS when they don’t have mobile signal) and enforces the right level of authentication for each individual situation.
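The risk scoring in the "Real-time risk analysis" section and the adaptive step-up described in the last three paragraphs are the same mechanism seen from two ends, so one added example covers both. It is written for this article and is not OneSpan's risk engine: the signals, weights, thresholds and method names are assumptions standing in for an institution's own policy, and the sample transactions are constructed. A real engine would combine rules like these with machine-learning models and feedback from confirmed fraud cases.

```python
"""Risk-based (adaptive) authentication illustrated: score a transaction from
several signals, then let the score choose the authentication step.

Example code written for this article, not OneSpan's product. All weights,
thresholds and method names are assumed policy values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed policy parameters; an institution tunes these against its fraud rates
HIGH_VALUE_THRESHOLD = 1000.0   # amounts above this add risk
LOW_RISK_MAX = 20               # scores up to here may use an SCA exemption
HIGH_RISK_MIN = 60              # scores from here upward require the strongest SCA


@dataclass
class TransactionContext:
    amount: float
    currency: str
    payee_known: bool           # payee already in the customer's trusted beneficiaries
    device_known: bool          # device fingerprint seen before for this customer
    geo_matches_recent: bool    # location consistent with recent sessions
    malware_detected: bool      # app-shielding / integrity check reported tampering
    tx_last_hour: int           # velocity: payments initiated in the last hour
    has_mobile_signal: bool = True  # avoid choosing SMS when it cannot be delivered


@dataclass
class Decision:
    score: int
    action: str                 # "exempt", "sca", "sca_strong" or "block_for_review"
    method: str                 # authentication method selected, or "none"
    reasons: List[str] = field(default_factory=list)


def score_transaction(ctx: TransactionContext) -> Tuple[int, List[str]]:
    """Additive rule-based score. Each rule records why it fired so the decision
    can be explained to fraud analysts and auditors, not just enforced."""
    rules = [
        (ctx.amount > HIGH_VALUE_THRESHOLD, 25, "high-value transaction"),
        (not ctx.payee_known, 25, "new payee"),
        (not ctx.device_known, 20, "unrecognised device"),
        (not ctx.geo_matches_recent, 15, "geolocation inconsistent with recent sessions"),
        (ctx.tx_last_hour >= 5, 15, "unusual transaction velocity"),
        (ctx.malware_detected, 100, "malware or tampering detected on device"),
    ]
    score, reasons = 0, []
    for fired, weight, reason in rules:
        if fired:
            score += weight
            reasons.append(reason)
    return score, reasons


def choose_method(ctx: TransactionContext, strong: bool) -> str:
    """Pick a method the customer can actually complete right now."""
    if strong:
        return "transaction_signing_on_trusted_device"   # possession + display of the data
    return "push_approval_in_app" if ctx.has_mobile_signal else "hardware_token_otp"


def decide(ctx: TransactionContext) -> Decision:
    score, reasons = score_transaction(ctx)
    if ctx.malware_detected:
        # Authenticating would only confirm a transaction the malware may have altered
        return Decision(score, "block_for_review", "none", reasons)
    if score <= LOW_RISK_MAX:
        return Decision(score, "exempt", "none", reasons or ["low risk: exemption applied"])
    if score < HIGH_RISK_MIN:
        return Decision(score, "sca", choose_method(ctx, strong=False), reasons)
    return Decision(score, "sca_strong", choose_method(ctx, strong=True), reasons)


def sample_decisions() -> Dict[str, Tuple[str, str]]:
    """Constructed scenarios; returns {name: (action, method)}."""
    scenarios = {
        "coffee_known_payee": TransactionContext(4.50, "GBP", True, True, True, False, 1),
        "new_payee_no_signal": TransactionContext(250.0, "GBP", False, True, True, False, 1,
                                                  has_mobile_signal=False),
        "large_new_device": TransactionContext(5000.0, "GBP", False, False, True, False, 2),
        "infected_device": TransactionContext(40.0, "GBP", True, True, True, True, 1),
    }
    return {name: (d.action, d.method) for name, d in
            ((n, decide(c)) for n, c in scenarios.items())}


if __name__ == "__main__":
    for name, (action, method) in sample_decisions().items():
        print(f"{name:22s} -> {action:16s} {method}")
```

The reasons list is what makes such a policy auditable: when a customer is stepped up, or when an exemption is applied, the bank can show which signals drove the decision. Note that malware detection short-circuits the score rather than merely adding to it, because no amount of authentication repairs a transaction the device itself may have changed.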
Ensuring security is no easy task in today’s threat landscape, and the challenge is growing as more people move towards digital banking. But, with the right technology infrastructure in place, banks can ensure compliance with PSD2 regulations, without compromising on security or experience.