“A tsunami of change is happening in the payments industry right now,” explained Hannah Preston, a Solution Strategist for the Payment Security Division at CA Technologies. Change that makes the need to secure the digital payments ecosystem even more critical. And that, Preston asserts, is about addressing three separate but very related topics: authenticating the consumer, determining who get access to that consumer’s personal data, and making sure that both the access and data remains secure. That was the topic of a 45-minute conversation between Karen Webster and CA Technologies executives, Carol Alexander and Hannah Preston – who threw in a little dose of how a few new regulatory wrinkles fit, too.
Wading The ‘Technical Limbo’
This wave of change has left banks and issuers across the U.S. and Europe examining the various options that face them in order to connect the authentication, access and data dots, securely, while eliminating consumer friction when transacting. And in some ways, Preston and Alexander remarked, that has left them in a bit of a holding pattern in light of the regulatory requirements that PSD2 has imposed on access to their customers’ account data. “In some countries there’s even a sense of technical limbo while they await technical standards to be fleshed out,” Preston said, pointing toward one specific European regulation that’s creating a lot of conversation in the payments ecosystem: PSD2. At the crux of that issue, Preston said, is access to accounts. “[It’s about] infrastructure access to the more traditional card schemes where the cardholders can get direct access to merchants like Amazon or PISPs (payment initiative service providers) — and innovating the way in which people pay for things outside the traditional infrastructures that exist today,” she told Webster.
The new requirement, Webster suggested, raises new questions about who owns customer data and how that impacts – or not – the relationship that issuers have with their customers. Preston said that how the various players in the payments and financial services ecosystem navigate PSD2 and its requirements differs a bit depending on where they are in that ecosystem. “Issuers are responsible for authenticating customers’ transactions so they will be responsible for deciding how they want [access] to happen,” Preston explained, adding that passwords will no longer be compliant. She also remarked that it’s the customer who ultimately owns data and will give merchants or PISPs permission to access it on their behalf.