From vein recognition to the way people write, the European Banking Authority has revealed some odd ways customers can prove their identities under the new SCA rules.
By September 14, companies receiving digital payments must double down on their efforts to make clients prove that they are who they say they are.
This is part of the EU’s Revised Payment Service Directive (PSD2) new strong customer authentication (SCA) rules. The rules will force companies to make customers buying things electronically to prove their identity with two out of three ways.
These three authentication methods are things they know such as passwords or PIN codes, something that they own like a smartphone or a credit card and, thirdly, something that they are.
This last part usually refers to biometrics like fingerprints. However, an opinion piece from the European Banking Authority (EBA), offers some alternative ways that merchants can use to verify clients’ identities.
Given many businesses have expressed concerns about a drop in payments once the SCA rules snap into place on September 14, we wanted to share some of the ways to identify customers the EBA would approve.
In the article, the authority stated, “The EBA is of the view that inherence, which includes biological and behavioural biometrics, relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these.”
If you’re unsure what that means, the EBA offers a list of suggestions about what constitutes as something the customer is.
For instance, it would accept retina and iris scans as proof. Another approved method would be to scan fingerprints, which many top smartphones can do these days.
Similarly, iPhone users can scan their faces to open their phones. A similar facial scan would be accepted by the EBA as a way for customers to prove who they are.
The EBA would also accept vein recognition and hand geometry as ways to identify customers. Moreover, people paying for stuff electronically would also be allowed to prove themselves with their voices and by their heart rate.
The authority would also accept software recognizing the unique ways in which people type on their keyboard or how they hold their devices as approved methods of identifying them.
The cybersecurity TWOSENSE.AI is using a similar method to determine that users are who they say they are by learning to recognize users’ behaviours. The company was one of the 15 cybersecurity companies selected for the Fall 2019 batch from the Plug and Play accelerator.
With all this being said, the EBA also noted that these methods of identifying customers are only accepted “provided that the implemented approaches provide a ‘very low probability of an unauthorised party being authenticated as the payer’, in accordance with Article 8 of the RTS on SCA and CSC. 20.”
Copyright © 2018 RegTech Analyst