SCA: More security at the expense of user friendliness?
Strong customer authentication (SCA) is presenting major challenges for the corporate payment sector. AirPlus is taking its own approach to offer its customers the very highest security standards and maximum comfort and convenience.
Booking airline and train tickets with just a few clicks, ordering a rental car or hotel room at the press of a button: These days, digital solutions make countless processes in business travel management easier.
However, especially in the case of online payments, it is increasingly difficult to strike a balance between user friendliness and security. In a report published in September 2018, the European Central Bank estimated the harm caused by abuse of payment cards issued in the SEPA area at 1.8 billion euros. Seventy-three percent involved “card not present” transactions, the vast majority cases of abuse occurring during online purchases.
New rules for payment services
It was with all this in mind that the EU legislature adopted the new Payment Services Directive (PSD2), which was transposed into law in Germany as of January 13, 2018. The directive is now in the second stage of implementation, with stricter rules for identifying payers having come into force on September 14, 2019, among other changes. This involves what is known as strong customer authentication (SCA). The goal is to make an important contribution to the security of electronic payment transactions by ensuring that the party initiating the electronic payment is in fact authorised to do so.
Two-factor authentication
For authentication, SCA requires at least two out of three factors: knowledge, possession, and identity. The factor of knowledge is covered by a password or PIN, for example, either of which is only known by the account or cardholder. A token or smartphone can be used for the possession factor. A code or verification message is used as proof in these cases. The last possible factor, identity, requires identification through biometric data. In these cases, the user authenticates him- or herself on a smartphone, for example, using a fingerprint, facial recognition, or iris scan.
Challenges in the corporate payment sector
In the corporate payment sector, the need for two-factor authentication like the systems that have already been in place in consumer-facing areas for some time now is a particular challenge, though. “This kind of authentication for every single payment process can under circumstances cause difficulties, especially if there are multiple users accessing a central payment and settlement solution,” says Paul Spelman, MD of AirPlus International UK. “But our focus is always on the customer. And fast, simple transaction processes are crucial to customers.”
AirPlus products are highly secure
The good news is that AirPlus has received official confirmation that no changes are needed at this time for any of the purely digital AirPlus products. “We’ve made every effort to make things as easy as possible for our customers, now and in the future. But these kinds of exemptions are fairly rare, as they require extensive documentation regarding all dedicated processes and protocols, along with proof of compliance with very high security standards. That’s why we’re really happy to have received recognition for the superior quality of our products,” Spelman continues. No adjustments at all are needed for the AirPlus Company Account, or the AirPlus Merchant Agreement. Both feature high levels of security. What does that mean to customers? “All payment processes will continue as usual.” That also applies to users of the AirPlus Virtual Cards. “This means we are saving our customers a lot of additional time and effort without making any sacrifices in terms of security,” .
Keeping cell phone numbers and security questions up to date
For those who make online payments using AirPlus Corporate Cards, it’s important to save a mobile phone number on the AirPlus Portal as soon as possible if they do not yet participate in the 3D Secure process. Effective September 14, 2019, 3D Secure requires users to enter a TAN (Transaction Authentication Number) sent as a text message. Important: Users should always keep their cell phone number and security question up to date to prevent any complications when making credit card payments.
Still, AirPlus is also looking ahead. A user-friendly biometric solution is already in the works as well. The company plans to offer this solution in the near future as an alternative to a combination of the 3D secure process and security question.
New IT platform under development
“To be able to offer our customers the best possible products with the best possible service now and in the future, we are also investing into an innovative IT platform,” Spelman says, looking down the road. AirPlus Virtual Cards are among the first products to shift to the new system. “We are focusing on quality with these activities. That means security is still our top priority and additionally we are making great efforts to ensure user friendliness – just as our customers have come to expect from AirPlus.”