The Objective
Tesco Bank is the retail banking division of Tesco, the UK's largest supermarket retailer. Since its formation in 1997, Tesco Bank has been helping Tesco customers manage their money better by providing a host of banking, general insurance, and money products and services.
Committed to delivering the highest customer service, the bank is continually seeking ways to improve its customers’ experiences. But customer identities had become siloed across products and services, adding friction to the customer experience. At the same time, the bank needed to prepare for compliance with the revised Payment Services Directive (PSD2), a European electronic services regulation requiring strong customer authentication, as well as address an inflexible security posture that was adding cost and time to the launch of new applications and features.
Realizing their rigid architecture couldn’t support the challenges they needed to overcome, the Tesco Bank team knew they needed to act fast. Led by main customer security domain architect David McConchie, they sought a customer identity platform that could extend across all of their channels and allow them to consolidate disparate identity data, laying the foundation for a common customer identity.
The Challenge
McConchie and team faced three major challenges: improve customer experience, meet PSD2 compliance and increase business agility. Their first requirement was delivering a new single-factor authentication solution for a self-service web portal for their general insurance customer base. But this would introduce yet another siloed identity into their already disparate identity ecosystem. To meet the targeted launch date, the team had a narrow window in which to change course. This included finding a way to efficiently stand up the products, build a single-factor authentication journey and configure all of the insurance products to provide the necessary security that they required.
Next up was replacing their legacy security technologies across both web and mobile so the Tesco team could build out the requirements of PSD2. They needed to address the API security requirements of open banking and implement continuous risk-based authentication. McConchie says, “It was certainly a high-risk project because the web and mobile channels were existing and servicing millions of customers. There was a considerable focus from senior stakeholders to ensure we were able to migrate off our legacy security technology without impacting customers adversely.”
The Solution
Facing hard deadlines and a growing list of requirements, the bank orchestrated a proof of concept between their incumbent vendor and Ping Identity. To pressure test the technologies, they built a dummy web application to compare each vendor’s ability to deliver a customer authentication journey and abstract authentication and authorization from the application itself. They wanted to see how each vendor could break down their identity silos and bring it all together to build a common identity layer.
Ping + ProofID emerged as the winners. Explains McConchie, “We saw how we could use PingAccess and PingFederate to work across web, mobile, and API. The ease with which we could deploy across channels was a critical factor, also the dynamic authorization of Symphonic (now part of PingDataGovernance). Ping’s solutions give us the flexible authorization capability we need to minimize friction and deliver a customer-centric experience.”
