Brett McDowell, Executive Director
In the first of what will be many engagements with policy makers on the topic of authentication, the FIDO Alliance submitted comments to the European Banking Authority (EBA) on its Discussion Paper on future Draft Regulatory Technical Standards on Strong Customer Authentication and Secure Communication (“Discussion Paper”) under the revised Payment Services Directive (PSD2). The public comment period closed yesterday.
For background, the EBA has been tasked with developing a regulatory technical standard for strong customer authentication for payment service providers across Europe, as required by PSD2. Generally speaking, the standards are meant to define the requirements for strong authentication when accessing online payment accounts, making electronic payment transactions and/or enabling third-party access to payment accounts at consumers’ request. The EBA issued a discussion paper in December to collect external input into the process before launching its standards development effort.
In the FIDO Alliance response to the EBA, we detail how FIDO-compliant implementations that follow security best practices are ideal examples of what the EBA regulations for “strong customer authentication” under PSD2 are striving to foster: simpler, stronger authentication capabilities that merchants and consumers will adopt at scale. We also go one step further and describe how the EBA’s acceptance of FIDO’s public key cryptographic architecture, especially when combined with on-device biometrics, will reduce the vulnerability surface of their payment service providers — and presumably also reduce online fraud rates as a result — and accelerate overall online payment volume through reduced friction in the user experience.
We are encouraged that the EBA has taken an inclusive approach and invited stakeholders in the payments market to provide input into the development of its regulatory requirements. As a global industry consortium of more than 250 organizations, many of which are regulated payment service providers and/or financial institutions, the FIDO Alliance has a unique understanding of the challenges industry and government face in balancing strong consumer demand for easy-to-use solutions with necessary security controls. This is particularly true when it comes to keeping transactions easy and secure on a mobile device.
We look forward to any opportunity for further engagement with the EBA on the topic of strong customer authentication, and on how FIDO specifications play an important role in the specific requirements the EBA puts forward at the end of this process. As we get more inquiries from policy makers and regulators curious about FIDO, we’re also looking forward to engaging in more meaningful discussion on authentication with policy makers around the world. If you are a policy maker working on authentication requirements and you would like to request a briefing from the FIDO Alliance, please contact us.