Over the past 20 years, traditional commerce has experienced a range of upheavals linked to technological innovation. Of the many advances we have seen in how we do business, the key rests on the development of consumers paying for goods and services online. No longer limited to bricks-and-mortar transactions, e-commerce has developed into a crucial staple of most European Union (EU) economies. While crossing the online Rubicon has led to increased choice, lower prices and more optimal markets, many concerns have arisen, not least those surrounding security and identity. In a traditional bricks-and-mortar business, the customer authentication model, where required to complete the transaction, is relatively simple: you show me your ID (national identity card, passport etc.), I know you are who you say you are, I sell you the relevant goods (for example, alcohol to those over the age of 18).
In the digital world however, all this becomes a great deal more complex. How can I be sure my customers are who they say they are when we never physically interact? How can I be sure that they are legally entitled to buy my product(s)? Can I be confident that purchases carried out in my online store are not tainted by fraudulent activity? There are many questions, but still surprisingly few definitive answers. Ensuring transparency, security and customer confidence in data exchanges has become a complex affair, and a silver bullet remains to be found.
As digital commerce becomes an increasingly large part of our countries’ economies, and as public administrations throughout Europe increasingly shift to dealing with citizens on an online basis, it is interesting to explore just what e-identity is, the current state of affairs, as well as what challenges remain for the e-identity industry to truly take off.
E-identity on the regulatory agenda
The arena of digital identity has been the focus of a growing amount of attention over the past few years, particularly following the advent of the Single Euro Payments Area (SEPA). The e-identity topic features prominently at industry conferences where it is discussed with increasing urgency. Digital identity is also high on the agenda of the authorities as demonstrated with regulatory initiatives, such as the proposed revised Payment Services Directive, the recommendations developed by the European Forum on the Security of Retail Payments (SecuRe Pay), the ‘Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC’ (e-IDAS) recently adopted by the EU co-legislators and the proposed amended Anti-Money Laundering (AML) Directive.
It is clear that e-identity is, and will be, a focal point for industry actors. Yet a host of questions remain open: how will the banks position themselves? How will other service providers, including online retailers, play a role? Will proposed third party payment service providers’ access to the account endanger security? Will consumers embrace new solutions?
As good a place as any to start is by asking just what ‘e-identity’ is. The European Commission defines it as “aiming to build a universally recognised (electronic) ID token for identifying citizens in multiple use-case scenarios”. At a more mundane level, we can define e-identity as an electronic means of proving that you are who you say you are and that the attributes you claim to possess (name, age, address and so forth) really are your own. The importance of this to online commercial transactions is obvious.
The idea of e-identity is mature; however, the translation of that idea into a working reality remains a work in progress
Despite continuing efforts to coordinate a European-wide position on e-identity, no definitive common framework has yet emerged. However, payment industry actors, in particular, are realising the enormous potential value of e-identity transactions, the relatively untapped nature of the market, and the potential for decoupling banks’ authentication methods from payments to service a much broader array of contexts.
On the other side of the payments chain, e-commerce market leaders (online retailers) attempt to capitalise on customer behaviour by moving to oblige consumers to check in before they check out, thereby permitting the creation of targeted, per-customer offerings and inciting higher purchase ratios. Developments around e-identity are currently trending in the direction of multiple actors hosting discrete realms of customer data, which may be used across different platforms (for example, Facebook may enable users to sign in to other services with their Facebook account). This, however, presents significant problems and is, in the long term, an inefficient customer experience, unless large market actors, i.e. retailers, could impose themselves enough to make their own processes the norm.
Given that the forthcoming appears likely to oblige banks to allow payment initiation by , the latter will need to be able to strongly authenticate their customers while banks will still need to be able to verify the identity of their customers.
A common non-proprietary framework, for payments and beyond, is thought by many to be the next major leap forward in the e-identity story. A solution manager, overseeing a common access framework leveraging the banks’ wealth of ‘Know Your Customer’ information in a non-exclusive manner, is one common sense means of achieving this on a collaborative basis. (Various related solutions have emerged in the market.) But there are other means, and it should be noted that most ideas are still far from fully fledged.
Developments now emerging in the area of e-identity also raise the question as to whether consumers are ready to embrace them: for example, will they freely consent to have their data accessed by outside of their banks? It is far from certain. Market research indicates that consumers in some countries may be particularly reticent. Security is all parties’ overriding concern and while it is certain that banks, due to the value of the data they hold, have developed reliable, resistant data platforms, they are currently proprietary and lacking in widespread interoperability. The dangers of data leakages with regard to outside providers accessing payment account information, unless rigorously regulated, are tangible.
The idea of e-identity is pressing; the translation of that idea into a working reality, however, remains a work in progress. It is hoped that the , as well as the ongoing activity by relevant industry actors, will shed much needed light on this crucially important area for Europe’s future economic prosperity.
Marine Sauvaget is a Business Analyst working principally on and PCI DSS in the Advanced Payments department at Steria France. She recently completed a Master’s degree in Business Administration at the Institut d’Administration des Entreprises (IAE), part of the University of La Rochelle, where she conducted a research study on e-identity and the payment industry, soliciting input from actors in Europe and North America.
The views expressed in this blog are solely those of the author and should not be attributed to the European Payments Council.
- Questionnaire as part of an academic study conducted on the future of payments and specifically e-identity in the European Union. This study is carried out under the supervision of the University of La Rochelle. (Responses are invited by 30 September 2014.)
- Regulation (EU) No 910/2014 of the European Parliament and of the Council [of the EU] of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
- EPC Newsletter (July 2014): SEPA 2.0: an Overview of Regulatory Action Now in the Pipeline Impacting the European Payments Market Going Forward (This article includes information on the proposed and recommendations developed by the SecuRe Pay Forum.)