The Third Payment Services Regulation is an opportunity to improve payment security for European companies. We hope that the EU benefits from this.

Written by Julia Kowalski, Public Policy, Stripe

Over the last decade, the European Union has significantly improved customer security for online transactions through the Second Payment Services Directive, or PSD2. This groundbreaking regulation has reduced fraud while allowing consumers to conduct their transactions more securely.

But there are also some blind spots that make operations difficult, according to the companies we work with. One of them is that PSD2 did not adequately differentiate between B2C (business-to-consumer) payments, where stricter security measures were required, and B2B (business-to-business) payments, where this was not necessary. As a result, European companies have been hampered by security protocols they do not need. Our report European Tech Voices has shown that the barriers to growth and scale remain high for the more than one million innovative European companies we support.

How big a problem is this? When people think of payments, they typically imagine consumer transactions, such as paying for dinner or buying a sofa, which PSD2 has helped a great deal. However, the majority of payments are made between companies. Global B2B payments exceed 120 billion dollars annually, six times the value of consumer payments. Given the size of this market, there is an urgent need for the European Union to clarify the rules on authenticating payments between companies.

Fortunately, the EU now has the opportunity to do this. The European Parliament and the EU member states are currently working on successor legislation, the Third Payment Services Directive and the Payment Services Regulation, or PSD3/PSR. We encourage them to take this opportunity to differentiate between B2C and B2B transactions, to retain key authentication protocols for consumer transactions where they make sense, and to give businesses the ability to opt out of them in B2B transactions where they do not.

Incompatible security protocols

One of the most important elements of PSD2 was the introduction of strong customer authentication (SCA), which raised the level of customer security in online transactions. Consumers experience this as two-step payment authentication, such as being asked to enter a PIN and an SMS code to complete an online purchase. PSD2 and SCA have helped create a unified European payments market and spurred the rise of fintech startups.

But the SCA rules were written so broadly that they also apply to companies, and that has caused problems. Currently, European companies must follow exactly the same security protocols when processing online payments as their employees do when banking online at home.

That means both more security than companies need and, at the same time, not enough. Many companies using Stripe have told us that SCA creates inefficiencies because of overcomplicated controls. At the same time, organizations that rely solely on SCA may be less protected than if they could follow the existing, trusted enterprise authentication standards they already use.

Companies have different security needs

The security protocols of large companies are already orders of magnitude stricter than those for consumer payments. Even before PSD2 was passed, European companies were using a range of corporate identity and security management measures, such as centralized single sign-on controls, hardware tokens or laptop certificates. And the effectiveness of a company's security controls is regularly tested through practices such as scheduled audits.


Layering SCA on top of these controls is like asking a runner to complete extra laps after a marathon. For this reason, we believe it is important that European regulators use PSD3 to clarify SCA requirements with company size taken into account. Large organizations should have the flexibility to use their own risk assessments to decide whether to enable or disable various parts of SCA.

In addition, authentication requirements should be reviewed under PSD3 so that the level of authentication is proportional to the risk of the activity being carried out. Companies should be able to use different levels of authentication, where a payment-related action triggers stronger authentication than simply spending time in a payment interface.

A good example of why this matters is the requirement to re-authenticate in a payment dashboard after a period of inactivity. Companies using Stripe know this all too well, as they spend much of their day in the Stripe Dashboard, sending invoices, managing tax obligations, managing billing relationships, reducing involuntary churn, and tracking business metrics.

PSD2's SCA requirements force organizations to re-authenticate to the Stripe Dashboard after five minutes of inactivity. It is the type of rule that makes sense for protecting consumers, but it does not fit how companies operate.

For example, it is not uncommon for companies to monitor their payments every 15 to 30 minutes on a high-volume day. In another scenario, a business leader might be giving a live presentation or demo to an investor or customer, with active time on the dashboard interspersed with periods of inactivity during live discussion.

In both cases, SCA would force the dashboard user to re-authenticate multiple times with no apparent security benefit. Both activities take place in well-protected environments that remain secure even when activity is interrupted. The risk of fraud is lower than in any comparable consumer scenario, and the revised SCA requirements under PSD3 should take this into account.
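To make the distinction drawn in the preceding paragraphs concrete, here is an added example (not Stripe's code and not taken from the page) that replays a day of dashboard activity against two policies: the fixed five-minute inactivity timeout the text describes, and a risk-proportional rule that only steps up authentication for payment-related actions. The action tiers, the session model and the scenario timings are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Action risk tiers are an assumption for this example, not a PSD2/PSD3 definition.
READ_ONLY = "read_only"   # viewing metrics, invoices, billing status
PAYMENT = "payment"       # initiating a payout, refund or transfer

SCA_INACTIVITY_TIMEOUT = 5 * 60  # the five-minute figure quoted in the text, in seconds
STEP_UP_MAX_AGE = 5 * 60         # assumed freshness window for strong auth on payment actions


@dataclass
class Session:
    last_activity: int       # timestamp of the user's last dashboard action
    last_strong_auth: int    # timestamp of the last completed strong authentication
    reauth_prompts: int = 0  # how many times the user was interrupted


def fixed_timeout_policy(s: Session, action: str, now: int) -> bool:
    """PSD2-style rule: any action after the idle timeout triggers re-authentication,
    whatever the action's risk."""
    return now - s.last_activity > SCA_INACTIVITY_TIMEOUT


def risk_proportional_policy(s: Session, action: str, now: int) -> bool:
    """Step-up rule: read-only actions ride on the SSO-backed session; only a payment
    action demands strong authentication, and only if the last one is too old."""
    return action == PAYMENT and now - s.last_strong_auth > STEP_UP_MAX_AGE


def count_reauth_prompts(policy, events) -> int:
    """Replay a sequence of (timestamp, action) events and count how often the policy
    interrupts the user. The session starts fully authenticated (SSO login at t=0)."""
    s = Session(last_activity=0, last_strong_auth=0)
    for now, action in events:
        if policy(s, action, now):
            s.reauth_prompts += 1
            s.last_strong_auth = now  # a passed challenge refreshes strong auth
        s.last_activity = now
    return s.reauth_prompts


# Constructed scenario from the text: on a high-volume day an operator checks the
# dashboard every 20 minutes for two hours (read-only), then issues one refund.
MONITORING_DAY = [(t * 20 * 60, READ_ONLY) for t in range(1, 7)] + [(7 * 20 * 60, PAYMENT)]

# Constructed control case: two refunds ten minutes apart; both policies must challenge each.
TWO_REFUNDS = [(10 * 60, PAYMENT), (20 * 60, PAYMENT)]
```

On the monitoring day the fixed timeout interrupts the operator seven times while the risk-proportional rule interrupts once, at the refund; on the two-refund case both policies challenge both payments, so the step-up rule gives up nothing on the money-moving actions.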

An opportunity to improve regulations

Stripe’s mission is to increase the GDP of the Internet. To achieve this effectively, we need a coordinated financial infrastructure with a well-designed regulatory framework for online payments. We therefore hope that the European Commission, the European Parliament and the EU Member States will take into account the important differences between B2B and B2C transactions when reviewing the Payment Services Directive.

We are already encouraged to see that the European Parliament is proposing a mandate for the European Banking Authority (EBA) to take into account the type of payer – consumer or business – when developing its regulatory technical standards for SCA and its final rules under PSD3. EU member states should follow the example of the European Parliament and use PSD3 as an opportunity to improve authentication for Europe’s 27 million companies.
