To succeed in data management requires trust and transparency. Priviti meets and exceeds the "Strong Customer Authentication" requirements of PSD2 & GDPR, enabling both customers and staff to be confident that personal data will be safe. This is a filler sentence just designed to equal the length of each box so that there's no additional colour
Customers want systems that are simple and easy to use. Organisations must therefore balance convenience with security to ensure that payments are secure but straightforward for both customers and staff. Priviti and its global technology partners offer features and tools that reduce the effort required to implement and integrate innovative secure solutions.
As with simplicity - consumers expect flexibility & robustness. Priviti’s design allows organisations to easily incorporate security into their own platforms. Its ‘easy access’ ensures that consumer experience is frictionless but still highly secure. Banks and merchants, online and offline, can use Priviti to process payments without users having to disclose personal information.
Relationships, fundamentally, are built on trust. To develop a relationship with a person or organisation, you have to be able to trust them. This means that you must be able to believe that they are reliable, will keep their word, and will not do you any harm.
Where money and personal data is concerned, this is even more important. The potential for damage if your trust is misplaced is huge, and not just in the immediate financial loss. Leaks and breaches in personal data can have knock-on effects lasting for years from ongoing identity fraud.
The changing landscape of data and payments
New legislation from the EU on payments (PSD2) and data protection (GDPR) have, if anything, exposed the problem, and made it more acute. Where customers might once have been prepared to trust blindly, recent data loss scandals have increased awareness. Reputations are hard to build and easy to lose, and scandals have a way of tainting others in the same industry. The timing of PSD2 and GDPR has also complicated matters.
PSD2 is designed to open up the payments industry, and bring new providers into the market. The evidence is that this is happening, with plenty of new fintechs and existing providers exploring the potential. But at the same time, GDPR requires organisations to demonstrate that they have systems in place to fully protect the personal data of any EU citizens. This is a wide-reaching piece of legislation because it takes no account of where the organisation is based, only the origin of the data they hold.
Taken together, the two require strong customer authentication for transactions. In practice, this is likely to mean a two- or three-factor system involving some combination of what you are (for example, fingerprinting or iris recognition), what you know (for example, a password or other secure identification) and what you have (for example, a particular device). Three-factor systems are the most secure, and biometric data is widely recognised as being unique. The issue, though, is that a breach is permanent: you cannot change your fingerprint just because someone else has an image of it.
Consumers want systems that are simple and easy to use. Maybe, as some commentators have suggested, this is because our attention spans are getting shorter. It is probably, however, more that consumers value their time and know from experience that things don’t have to be complicated. We are aware, for example, that if some banks and retailers have mastered the art of keeping things simple for customers, then all of them can. This has become an important part of user experience.
The importance of simplicity
But simplicity is more important than just improving customer experience. Complicated systems, or ones that are hard to use, end up being ignored. People develop work-arounds to avoid them—work-arounds that are often far less secure, and therefore a risk for others. Complicated systems are also a problem for vulnerable users such as older people or those with learning difficulties. Such users may be unable to work out or remember how to manage the complicated process required. This is important for retailers and banks, but it is even more fundamental for organisations like government agencies, who are often focused on delivering services for the most vulnerable in society.
Consumers do not, however, want simplicity at the expense of security. They want both. They want easy-to-use systems that allow them to interact with retailers, banks, providers of other services, without having to worry that their data may be compromised. They also want this immediately, which means in real time.
Finding a secure but simple solution
Priviti has developed the world’s first real-time, consent-based payment authorisation system, allowing secure, on-demand, real-time authentication of personal data. The architecture may be complicated, but the experience is straightforward for the user and merchant, retailer or provider accepting the payment, or wanting to verify identity.
All the consumer has to do is agree to the request to access their credentials, then enter an authorisation code sent by Priviti. It is no more complicated than chip and PIN. All the merchant, retailer or service provider has to do is ask for consent (which can be as simple as providing a QR code), and process the transaction, just as they must do now.
Priviti does the rest. Effectively, it acts as a ‘matching service’ between the organisation or person who holds the credential (such as a bank, which holds customer details, or a central identity repository), the customer, and the merchant. Priviti ensures that both customer and provider agree to the transaction, and then authorises the organisation holding the credential to release it for that particular transaction. This all happens in real-time, enabling instant access to identity verification or payment authorisation.
This two-factor system, with its matching of customer and provider, is highly secure, but also extremely easy to use. It therefore meets the requirements for both ease of access and strength of security, enabling providers to protect their customer and users. It even exceeds the requirements of new EU law on data protection (GDPR) and payments (PSD2). It is also easy to implement and incorporate into everyday practice thanks to its API-based core.
Nobody likes to be constrained. But while perhaps previous generations accepted that sometimes this was essential, popular opinion has it that the Millennials not only don’t like it, but won’t accept it. As they participate the economy, flexibility has become a more important buzzword. It is often coupled with that other essential, agility, the ability to respond rapidly and effectively to circumstances.
The rise of flexibility
Organisational recognition that things have changed is shown, for example, in the rapid acceptance of ‘bring your own device’ policies. And while this was a pragmatic response to the fact that everyone was already doing so, it was also a way to manage the security risks more effectively.
But this need for flexibility has manifested itself in other ways, such as the way that we buy hardware and software, and how we expect it to interact. Remember the early days of mobile phones, when you needed a particular charger for each one, and how you would see people wandering around offices asking if anyone had a ‘new Nokia charger’? This would be unthinkable now, with common standards and mini-USBs. Or the days when your choice of software was constrained by what you already had, and often had to be purchased from the same vendor? Again, this is now unthinkable.
Solutions are expected to be compatible with multiple operating systems, and usable on mobile, tablets, laptops and any other smart device. The use of APIs has been key in this move, enabling developers to ensure that their apps are compatible with multiple others, and can link together to provide hugely improved functionality. This interoperability and flexibility would have been unthinkable to the software developers of the 1990s. Nowadays, organisations expect to use their own platforms to implement new solutions.
Finding a suitable solution
All this means that any secure payments and authentication solution must also be flexible. It must be usable on any platform, and with any device for both customer and merchant, retailer, or service provider. It must provide security and confidence in the system, but not by constraining users. User experience must remain smooth and frictionless—another important element of flexibility.
Priviti’s real-time consent-based authentication system ticks all these boxes. Its API-based core system can be used on organisations’ own platforms. It has already been embedded in a number of systems, and is used by solution providers in open banking and retail services, demonstrating its capability in real-world situations.
Its unique combination of consumer/provider push-based double-channel authentication and built-in ‘credential hub’ capabilities mean that it is both secure and flexible. Our key industries are financial services, retail and identity and access management. However, we see a wide range of use cases likely to emerge in future, from new financial services driven by the EU’s Payment Services Directive (PSD2) through to governments and agencies. Priviti’s flexibility means that it is at home with both existing services and deployment of new services to meet additional demand.