If you've ever purchased anything online, you're probably familiar with the box that appears with the words, 'Verified by Visa' or 'Mastercard SecureCode'. This little box is called a 3D Secure card payment, and it ensures that it's really you buying those train tickets or that waffle maker, and not someone with your card details who needs to get out of the country or has a serious craving for waffles.
When you see that box, your bank is having a quick look at your past transactions, and figuring out whether the purchase in question seems like something you'd buy. If they think it looks suspicious, you're asked to put in some additional information to confirm your identity, before they let the transaction go through.
With 3D Secure card payments, the bank can be sure that your purchase is legitimate - you avoid losing your money to hackers, and so does the bank. But if you are selling train tickets, waffle makers or literally anything else online, this system will soon be changing.
Why bother changing it? Why can't I just buy stuff in peace?
Banks, unsurprisingly, are really keen to stop fraudulent payments going through. Millions of pounds are lost to fraud, both on the side of the banks and for individuals; and every time a customer is swindled, its a race against time for the banks to get the money back.
With 3D Secure card payments, banks accept a certain amount of liability - if they let the purchase go through, and it turns out to be someone on the other side of the world stockpiling kitchen gadgets, they're likely to give you the money back. But banks are trying to make everything more secure, so even the most sophisticated hackers will have to admit defeat.
Which brings us to Strong Customer Authentication!
Strong Customer Authentication is a new way for banks to check that waffle maker purchase is legitimate. Don't be fooled by its really boring name - it's a significant change for both individuals and businesses. And from September 14th, 2019, it will be mandatory for online payments if your bank and the business’s payment provider are both in the European Economic Area (EEA).
For individuals, it means that when you try to buy your train tickets or kitchen gadgets you'll be asked for two of the following three things:
1. Something you know
This could be a password or a passphrase, or a security question like, 'What is your mother's maiden name?', 'What is the first album you bought?' or 'Which animal do you have tattooed on your lower back?'. It can't be any information that's on your card - not the card number, not the CVV code, nothing that a fraudster could have access to.
2. Something you have
This can be a hardware token (a physical device that can be used in the place of a password) or a mobile phone.
3. Something you are
This has to be a biometric - so a fingerprint, facial recognition or an iris scan. If you use ApplePay you'll already be familiar with this. We may not be flying to work on our high tech hover boards, but at least we can now buy a waffle maker with our face.
Something you know, something you have and something you are may sound like a weirdly intense riddle, but banks and businesses alike are hoping that this is going to make every online payment you make even more secure. Which is only going to be a good thing.
I take payments online! How am I supposed to verify a customer's fingerprints?
Don't worry, nobody is asking you to start scanning your customers' irises. If you take electronic payments, the first thing you need to do is check how your payment processor (WorldPay, SagePay, Stripe etc.) is going to handle this transition. Stripe, for example, is going to move everyone currently using 3D Secure to 3D Secure 2, which means they'll be handling all of the authentication.
If you're not sure who your payment processor is, speak to your IT support team. They should be able to get in touch with your payment processor and figure out what the plan is for processing payments when September 14th rolls around.
But we're leaving the EU in March...so is this even going to happen?
Strong Customer Authentication is an EU regulation. However, we must be prepared for this change. The government is currently planning to copy all EU laws into UK law, and this may be true of laws introduced after we leave the EU. Additionally, if you're selling anything to customers in Europe, you'll have to abide by these laws.
Still confused?
If you're feeling completely out of your depth with all this payment chat, or have no idea who your payment processor is, make sure you have a word with your IT support. They should be able to let you know what to do next, and how to prepare for the upcoming changes. Ultimately, Strong Customer Authentication is going to be beneficial to both businesses and consumers from a security perspective, even if it means we have to scan our irises from time to time.
Tweet us @TranscenditUK