Strong Customer Authentication


Comments

  • eskbanker
    JustJohn wrote: »
    There are numerous areas in the UK where a mobile telephone signal is unavailable. My brother-in-law lives about 20 miles NE of Taunton: To get a signal, he has to go to the end of the garden. A couple of years ago, my wife and I holidayed in West Cornwall: She needed to drive 5 miles to get a signal. Rather than ranting, we need to organise a co-ordinated push on the banks to provide alternative options.
    Personally I don't think it's unreasonable to expect the regulator to regulate!

    The FCA's approach document clearly states:
    20.21 We encourage firms to consider the impact of strong customer authentication solutions on different groups of customers, in particular those with protected characteristics, as part of the design process. Additionally, it may be necessary for a PSP to provide different methods of authentication, to comply with their obligation to apply strong customer authentication in line with regulation 100 of the PSRs 2017. For example, not all payment service users will possess a mobile phone or smart phone and payments may be made in areas without mobile phone reception. PSPs must provide a viable means to strongly authenticate customers in these situations.
    so it'll be revealing to see the extent to which they enforce this....
  • JustJohn_2
    Thanks for that. It does work.
  • JustJohn_2
    Firstly, thanks for the information. It worked.


    An update:- Just over 2 weeks ago, I raised the question of people without mobile 'phones \ areas with little or no coverage etc. with the Nationwide. Today, I am pleased to find they have changed their rules and will send a one-time passcode by e-mail.


    I am also in contact with HSBC about the problem. After offering to buy me a cheap PAYG mobile, which I refused, they did say they were aware many customers had problems with the suggested solution and were looking into it. I don't understand their problem because access to their online system involves the use of a 'secure key' which generates a one time key....
  • masonic
    JustJohn wrote: »
    I don't understand their problem because access to their online system involves the use of a 'secure key' which generates a one time key....
    The problem is that the card payment verification system is run by Visa and Mastercard, not individual banks.
  • londoninvestor
    edited 29 August 2019 at 9:25PM
    masonic wrote: »
    The problem is that the card payment verification system is run by Visa and Mastercard, not individual banks.

    The Visa and Mastercard systems (VBV and SecureCode respectively) do seem to delegate to the banks for the implementation of the actual authentication step though.

    For example, today I made a payment with my Transferwise card which required SecureCode authentication - I validated it using the Transferwise phone app.

    Other banks implement this using an OTP and some do it (or at least did) using a card reader - Smile did that when I was with them.

    So while I'm not an expert, I think a bank could make a secure key generator the basis of its VBV / 3DSecure authentication if it chose to.
  • masonic
    londoninvestor wrote: »
    For example, today I made a payment with my Transferwise card which required 3DSecure authentication - I validated it using the Transferwise phone app.

    Other banks implement this using an OTP and some do it (or at least did) using a card reader - Smile did that when I was with them.

    So while I'm not an expert, I think a bank could make a secure key generator the basis of its VBV / 3DSecure authentication if it chose to.
    Interesting. All the banks I have dealt with have gone to SMS, even though none of them use SMS for any other authentication, so would have needed to develop a new system to support it. Unless there is a default system provided, that the banks are at liberty to replace with their own, but have instead chosen the path of least resistance.
  • londoninvestor
    masonic wrote: »
    Unless there is a default system provided, that the banks are at liberty to replace with their own, but have instead chosen the path of least resistance.

    Good point - possibly, or possibly a third-party vendor is selling an off-the-shelf SMS implementation that most banks have gone for?
  • JustJohn_2
    What the regulations say is that authentication must consist of two out of three factors:-


    1) Something you are - proved by a biometric like a fingerprint or an optic scan;


    2) Something you know, like a password or some personal data unlikely to be guessable;


    3) Something you have in your possession. A card reader, a secure key, a 'grid card', a one-time password sent to your e-mail address or, even, a mobile telephone.


    Within the constraints, financial institutions have opted for what they thought was the easy option and gone for one-time passwords sent to mobiles. According to the research published by the Payments Industry Intelligence organisation at the end of January 2019, nearly 40% of bank customers said they were unwilling to provide a mobile number. Verified by Visa and SecureCode have only to ensure the rules are being obeyed; they do not dictate the mechanisms.
This discussion has been closed.