
PSD2 Carries Over to the U.S. – Via the Phone in Your Hand

Mobile phone security

Let me ask you a favor. Could you put down your phone for just a minute? Unless, of course, you’re reading this on your mobile device.

It can be an uphill battle asking someone to put down their phone these days. I have a tween, so I know the struggle! One of the reasons we’re so reluctant to do so is the sheer power contained within these devices. At this point, the phone controls the music, the temperature, the locks and even the lighting in your home, and that’s not even touching on its entertainment value, or its capabilities as a payment device. The device, in its present form, has been around for ten years now, and in 2017, it’s safe to say there’s no going back.

We’ve gained a device of amazing potential. All that’s left now is to get to Lotus Land and enjoy our perfect utopia, right? Not so fast! Take a peek behind the scenes and, as usual, we start to see that some disputes have trickled in: wrinkles in our perfect plan where fraud has found a foothold and exploited the gap. All it took was a little time and some inconsistency in implementation.

As usual, fraud integrated itself into this new payment stream rapidly and caught many by surprise. There was no initial ‘gold standard’ best practice in the USA for setting up third-party applications on the device, because each provider’s enrollment process was unique and the requirements were thin, given the novelty of the channel.

If our device experienced an error or a breach at any of a number of potential failure points, such as payment credentials, contact and demographic information, anomaly detection or authentication, the impact could be disastrous. Coffee purchase apps become vessels for money laundering, ride-hailing services take fraudulent “test” cards for a spin, while other apps allow bad guys to swipe goods from virtual shelves and stuff them into the pocket where their physical wallet used to be.

In no time at all, our payments paradise has become the Wild West, all because some P2P money-moving services gave little or no regard to their potential for abuse by malicious third parties. The USA gave the collective internet shrug on the topic: ¯\_(ツ)_/¯

A new roadmap?

Enter the revised Payment Services Directive (PSD2), or as I like to call it, the new roadmap. This European standard contains requirements that form a baseline for data security and a set of policies to ensure that all players in the space keep it clean and secure. Its mandate covers authentication and fraud detection – and introduces new acronyms and labels for the players.

This device-based disruption, which certainly shakes things up for European banks, will create winners and losers among payment service stakeholders. Make no mistake though, this will unify Europe’s payments market while making significant efforts to secure it as well. Residual benefits include greater efficiency, better-informed consumers and a more loyal and confident customer base that is willing to adopt these technologies.

While many countries continue to rely on username and password combinations, this PSD2 ‘Eurail’ train will continue full steam ahead, promising a plethora of effective and balanced controls for the next generation’s payments landscape. As future parties in the EU open this Pandora’s box, they will receive the benefit of mandated, integrated security that respects both the device and the application.

The upside here is less shrugging and more scaling. Our faith in digital payments keeps us firmly planted in the seat while our device – as innovative as ever – continues to fascinate us with the convenience it delivers. These benefits will continue to ensure we keep our devices close at hand, so good luck putting yours down anytime soon. All we need now is for the USA to follow suit.