All posts by Sarah Rutherford

When the exact nature of the law is still being decided and the consequences of PSD2 are still unclear, where should you start?

PSD2 means an unprecedented degree of change, and to cope successfully you need tools that can adapt - a strength of machine learning.

As I discussed in a previous blog, consumers have not been extensively educated on the impact that PSD2 will have on them. Many of the outcomes of PSD2 will be positive – the Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) will give people access to a range of new services that will help them to manage their money better and give them more flexibility in the payment providers they use. However, the fraud prevention measures that form an integral part of PSD2 will have a knock-on effect for consumers. In some instances, security checks will make initiating a payment more difficult and irritating. Sometimes the checks may even stop it. Poor Customer Management will Impact the Bottom Line We already know that introducing friction into customer transactions is viewed negatively. Many organisations consider losses to abandoned transactions as important or more important as losses to fraud. PSD2... [Read More]

Worried about increasing levels of fraud, particularly in remote payments, the regulators have made fraud prevention a cornerstone of PSD2. The regulated use of Strong Customer Authentication (SCA) by payment service providers (PSPs) to secure payments is laid out in the Regulatory Technical Standards for PSD2. However, the use of SCA to secure every payment over €30 could cause problems for PSPs. It could impact the level of customer service they can offer by forcing them to add friction to the consumers’ payment process, forcing consumers to re-authenticate themselves using multiple factors at the point of payment. There is a difficult balancing act between fraud reduction and customer experience. PSPs will be allowed to manage this balance by securing payments using transaction risk analysis (TRA) – as long as they can keep their fraud rates low enough (see the transaction value table from the regulatory technical standard, below). TRA is... [Read More]

It’s not unusual for EU Directives to arrive with a whole host of acronyms and terminology, and PSD2 is no exception. From AISP to XS2A there are some new terms, some terms that have a new meaning in this context, and some established payment terms it’s always worth having a reminder about. When I couldn’t find a glossary to help me understand the terminology, I decided to create one. Or the 50 PSD2 terms, here are my 3 favorites: ASPSP – Account Servicing Payment Service Provider — a tongue-twister to rival Sister Suzie and her shirt-sewing shenanigans! An ASPSP is a Payment Service Provider (PSP) such as a bank or card issuer that provides authorised access to bank account information. For PSD2 they are allowing API access to bank account data for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). This makes my top three as I can’t... [Read More]

PSD2 is on its way but in many respects it feels like it will never happen. So much is still undefined; it’s not yet transposed into national law, the complete Regulatory Technical Standards are not issued and much is still open to interpretation. Given this uncertainty, it is not unreasonable to take a wait and see attitude to preparation – after all it’s likely to be more than a year before you will be expected to apply PSD2 to your payment operations. A laissez faire attitude to preparing your fraud operations for PSD2 may however be a bad move. NOW is the right time to get ready. Read our executive brief Getting Your Fraud Operations Ready for PSD2 so that you can understand the three reasons why you should act now: You will want to secure payments with Transaction Risk Analysis – but that will bring fraud challenges. You will... [Read More]

Data breaches are in the news on an almost daily basis and telecom companies are not immune to attack – indeed, cyber-attacks have led to the loss of almost 50 million customer records in the past 10 years. For telecom businesses it’s not only the frequency and number of records that are breached that is of concern, it’s also the type of data that can be lost. Telecom companies are guardians of a rich set of customer data, including financial information. They also hold a valuable set of behavioural data about their customers based on how they use their services. This rich data set is a honey pot for cybercriminals – particularly those using data to fuel identity theft. We included telecommunications providers in the cybersecurity survey carried out on our behalf by independent research company Ovum. What did we find? A full assessment of our findings for the Telco industry... [Read More]

When it comes to cybersecurity, crooks need a way into our businesses and often someone gives it to them – mostly unintentionally. An understanding of who the unwitting accomplices are will help IT security to protect the organization. In a recent survey conducted for us by research company Ovum, we asked senior security executives which employees or third parties posed the highest cybersecurity risk to their firm. Although 77% of respondents said that their employees have sufficient information on how they can contribute to prevent breaches, internal staff were still perceived to present the biggest threat to cybersecurity. Interestingly, most respondents saw the highest risk as coming from their internal IT function – they highlighted their own departments as the weak link. While most do think they have educated employees well, we had many comments regarding the need for further education programmes. The need to secure employees devices, particularly in... [Read More]

We recently commissioned a study from independent research company Ovum on how organizations are tackling cybersecurity and what they plan to do next. Losses because of a data breach or other cyberattack can be severe, particularly when factors such as customer and shareholder confidence are taken into account. We therefore expected that cyber risk insurance would be an increasingly important way in which organizations are mitigating their risk. The results were far from uniform: The UK was the most insured country we surveyed, with 69% of respondents holding some kind of insurance, and the USA was the least insured – only 51% of US respondents had any kind of cyber risk insurance. Across the industries surveyed, financial services firms were the most likely to be insured (71%), and healthcare the least likely (26 percent). Even when businesses have invested in cyber risk insurance, it’s unlikely to cover them for all... [Read More]

A recent survey carried out on our behalf by research company Ovum found that 48% of organizations think that in a year’s time, an assessment of their cybersecurity will show improvement. Only 3% think that their cybersecurity position will have worsened. Most companies also think they are doing well compared to their competitors; a mere 6% think their cybersecurity is below average and 54% think they’re above average or a top performer. This is statistically unlikely. It seems that many are taking an optimistic view of their cybersecurity. Could a lack of objective measurement be to blame? Here’s what our survey participants said: It is encouraging to see that 94% carry out some form of assessment. However, consideration must be given as to how objective the methods used are. 38% of respondents say they self-assess based on their own criteria, this is the largest and possibly the most worrying category.... [Read More]