Where Okay Meets the Future of Payment Security
First published: 11/05/2022
updated: 21/10/2022
Erik Vasaasen
Over the last few years, we’ve written about the future of payments multiple times. Specifically, we’ve discussed the EU digital identity wallet, how SCA and KYC need to be linked, and some alternatives for how payments may be completed in the future. While much of the discussion around cybersecurity is on the threat side, today we emphasise how the digital payment and security landscapes of the future are intricately connected, with authentication solution providers like Okay being a central piece of the puzzle.
Payment Chronology
To kick us off, let’s take a quick look at an oversimplified payments timeline:
- The ‘ancient’ times: Payments were made using bills and coins with the occasional cheque.
- The early digital era: Payment networks appeared, with ATMs and POS terminals. On the user-facing side, the first banking websites started to appear.
- Apps make their debut: Around the time of the first smartphones, we also were presented with the first banking and payments apps, typically for making account-to-account payments. Then came the first wallet apps, which were often linked to telecom providers.
- Advanced apps and ID wallet integration: This is where we are today: SCA is integrated with the banking app. We have open banking (in Europe). Your official identity might also be linked to an app, depending on where you live. And there are likely hundreds of applications for doing payments and different eWallet implementations.
Trend-drivers
So, what are the trends that have driven these changes over time?
The move from physical to digital: Perhaps the most significant and straightforward trend is the move away from a physical wallet to digital alternatives. We replaced cash with cards and then moved to smartphones or smartwatches with digital wallets. Similarly, we’ve started to say goodbye to physical receipts and hello to receipts tracked in apps or sent by email. Loyalty cards (or similar) also are rarely physical these days.
Frictionless payments: From a usability level, payments have become more manageable by moving them from physical cash to payment cards with PINs and ultimately to touch-to-pay schemes. Payments are also simpler, with single-click buying on websites, subscription services, and integrated buy-now-pay-later schemes.
More regulation: From a regulatory perspective, things have gotten more strict yet more open, with both the EU and the big card companies requiring higher security standards for payments. In addition, we’ve gotten open banking, which has had a real impact on what kind of business models are possible.
Extending the Trends: Ubiquitous Payments
From my perspective, one change the payment world will face over the coming years is payments becoming even more ubiquitous. There’s a good chance they will be done one day without the need for human interaction. This means that customer authentication will be much more aware of the situational context of any given payment.
Here are a few practical examples:
- No interaction shopping: If I’m paying for something at a particular grocery store where I do 90% of my shopping, why do I ever need to do a step-up authentication? Even further, if the store has recognised who I am (say through Bluetooth) and compares what I am buying with what I usually buy, why not let me just pick what I want without using an interactive payment?
- Automatic parking fees: For parking garages here in Norway, we already have setups where license plates are photographed on entry, enabling you to get a payment request via app or email. In the future, this will indeed be optimised so you can park your car anywhere, and the payment will happen automatically in the background, to the correct recipient. If you visit another city or park somewhere unusual, only then will you be asked to approve the payment.
- Fully autonomous IoT payments: More and more payments will be machine-to-machine, based on context-aware autonomous decisions, done by the devices themselves. The two previous examples are of machines initiating payments, but the same infrastructure can also be used to save money. The smart home automation setup I use can already tell how much electrical power costs, what the weather forecast is like, where my phone is, and the temperature indoors. This is not far from having it regulate indoor temperature and lighting entirely by itself. And, to be honest, most people are more likely to let IoT devices save them money than initiate payments.
So, what will situations like these require? On one end, it will require that the payment infrastructure considers the context of actions that trigger a payment. Of course, part of this would be on the server-side, with advancements in risk management, but just as important are the local devices (smartphones, cars, refrigerators, etc.), which must be more aware of the context.
Where Okay Meets the Future of Payment Security
The more we digitise and move towards a world of “digital everything”, the more vulnerabilities we’re going to see. This means there will be a lot more focus on building resilience in our infrastructure and in the services we provide for both the payment and the security around the payment.
Over time, this will lead to a big focus on fraud management, particularly because, as digital payments grow exponentially, fraudsters are matching that growth with increased creativity. That leaves us with one question: How do we link better authentication models to better digital identity structures to reduce fraud, correctly identify people, and not compromise the payment experience or customers’ expectations of privacy?
Strong Customer Authentication is a key part of the answer. And by 2025, we might see some significant changes in the SCA world. These changes might not come from the big banks but from Fintechs, smaller banks, and PSPs, who must all innovate to survive. Meanwhile, existing banks will provide the infrastructure and enable their customers to innovate and facilitate smoother payments.
Essentially, this is the space Okay has been targeting. We’ve designed our solutions to be flexible, making it possible to integrate them into any kind of authentication flow while still enabling PSD2 compliance. Remember, authentication has become a central piece to the modern payment puzzle. It has to be safe, fluid, and transparent enough to its users in order to match the new innovative ways of paying. This is a fast-growing market, accelerated well beyond the world of payments into a fully digitised society where everything must be strongly protected.