The use of SMS codes for buying on-line is to be scrapped, but banks and retailers have expressed concern that there is, as yet, nothing to replace it.
The use of SMS passwords for on-line purchases is very common in France, with around 85% of secured purchases made in this way.
Essentially, as part of the purchase process the buyer obtains a code sent by SMS that is then used to complete the transaction.
The system is known as '3-D Secure', but is also known as ‘one-time password’ or 'SMS-OTP' in the abbreviated form.
Both Visa and Mastercard operate it under the branding 'Verified by Visa' and 'Mastercard Secure Code'.
However, under a European Directive dating from 2015, the system is due to be phased out by September 2019, in favour of more secure payment methods.
According to experts, the problem with the system is that receiving a one-time password on your smartphone does not guarantee the identity of the buyer with enough certainty, either because the SMS could have been hacked, or because the smartphone (and bank card) could have been stolen from its owner.
As a result the European Commission has stated: "As fraud methods are constantly evolving, the requirements for strong customer authentication should allow for innovative technical solutions to address the emergence of new threats to the security of electronic payments."
Be that as it may, neither the banks nor the retailers in France consider they will be ready in September 2019 to offer a universal replacement to 3-D Secure, so they have started lobbying for an extension of time to introduce more secure systems.
The conditions imposed by the directive are strict. To be compatible, the future technology will have to validate at least two of three criteria:
- a biometric element (e.g. fingerprint),
- a stored element (e.g. PIN code) and/or
- a hardware element (e.g. smartphone or computer).
For Loÿs Moulin, Director of Development at Cartes Bancaires CB, who oversee the use of bank cards in France, "It is unthinkable to imagine that by September 2019 we will both generalise new strong authentication methods and train all consumers to use them instead of the single-use password by SMS."
Bertrand Pineau, Director of Innovation at the Fédération e-commerce et vente à distance (FEVAD), considers that "the changes demanded by the European Union require a lot of innovation ... Changes that are too brutal could penalise all parties."
The indications are that the banks and retailers are seeking several years' delay to introduce new systems.