PSD2 & Strong Customer Authentication: Are You Ready?

By Mairead Quigley

11 Feb 2019

The Payment Services Directive (PSD) is a European Union directive introduced in 2007 to regulate payment services and payment service providers. PSD2, which took effect in January 2018, is the second iteration of the regulation; its objective is to offer both consumers and businesses a simpler way to manage their finances whilst addressing the growing popularity of mobile and online payments.

Until recently, the main way for customers to access their bank accounts and financial information was through the channels provided by their banks (online banking, mobile apps). Under PSD2 two new regulated entities have emerged:

  • Payment Initiation Service Providers (PISP): a service provider that can initiate a transaction on behalf of the customer, meaning that it is able to move money directly out of your account if you have given prior consent.
  • Account Information Service Providers (AISP): third-party organisations that can access a customer's bank account and gather and display information about it. This is now being used to let customers aggregate all of their financial information across multiple accounts, giving them a more holistic view of their financial affairs.

In order for these new providers to operate, banks need to expose Application Programming Interfaces (APIs) to authorised providers that request access. This is a fundamental change in regulation that will provide a wealth of new opportunities for fintechs and is set to promote innovation and increased competition in the market.

What PSD2 hopes to lead to is a fuller embrace of the concept of open banking. Banking and financial institutions need to develop their own digital capabilities or to partner up with fintechs to avoid being completely shut out by new competitors with superior and more agile offerings.

What is Strong Customer Authentication (SCA)?

One of the major elements of PSD2 is its emphasis on improving security in the payments space through strong customer authentication (SCA). The deadline for this is 14th September 2019, and banks need to ensure they have the correct technology and processes in place to comply.

From September 2019, all remote electronic payments in the EU will require strong customer authentication, which is essentially two-factor authentication (2FA): the customer must be verified using two independent factors.

The SCA procedure requires at least two factors from two separate categories. These are:

  • Knowledge: something a user knows (e.g. PIN code or password)
  • Possession: something a user possesses (e.g. smartphone or card)
  • Inherence: something a user is (e.g. fingerprint, voice or facial characteristics)

So a typical compliant procedure might, for example, combine a password (knowledge) with a fingerprint (inherence), or a password (knowledge) with a one-time passcode (OTP) sent to the user's phone via SMS (possession, since receiving it demonstrates control of the registered phone or SIM). Two factors from the same category, such as a password and a PIN, do not qualify, and the factors must be independent, so that compromising one does not compromise the other. The rules do not stipulate what the procedure must be, so the market can decide, and this also leaves some areas yet to be defined.

What’s In and Out Of Scope?

As it stands, SCA applies to all customer-initiated electronic transactions and online payments within Europe. This means the majority of card payments and all credit transfers will require SCA. However, under the new regulation some specific payment types are exempt. The most relevant ones include:

  1. Transactions below €30

A payment below €30 is considered a "low value transaction" and is exempt. SCA still applies if the card or payment method has seen more than five exempt transactions since the last authentication, or if the cumulative total of exempt transactions since the last authentication exceeds €100. The bank or payment method provider is responsible for tracking this.

  2. Subscriptions

Exemptions apply when customers make a series of subscription payments for the same amount to the same business. SCA is required only on the first payment.

  3. Corporate Payments

This covers payments made with "lodged cards" as well as corporate payments made using virtual cards.

  4. Trusted Beneficiaries

Customers can whitelist the businesses they trust by adding them to a list of trusted beneficiaries maintained by their bank; subsequent payments to those payees are exempt.
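To make the exemption rules above concrete, here is an added example (not code from the original article or from any bank or scheme) of the decision an issuer's authorisation service has to make for each payment. It keeps a per-card counter and running total since the last SCA for the low-value exemption, remembers which subscription series have already been authenticated, and checks the trusted-beneficiary list. The data model, function names, the way counters reset after SCA and the constructed scenarios in `demo()` are all assumptions for illustration; the regulatory text and your scheme rules decide the exact counting.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Thresholds as described in the article for the low-value exemption.
LOW_VALUE_LIMIT = Decimal("30")        # per-transaction ceiling
LOW_VALUE_CUMULATIVE = Decimal("100")  # cumulative exempt amount allowed since last SCA
LOW_VALUE_MAX_COUNT = 5                # exempt transactions allowed since last SCA


@dataclass
class CardState:
    """Issuer-side counters kept per card between authentications (assumed model)."""
    exempt_count: int = 0                   # low-value exemptions used since last SCA
    exempt_sum: Decimal = Decimal("0")      # cumulative amount of those exemptions
    trusted_payees: set = field(default_factory=set)
    recurring_series: set = field(default_factory=set)  # (payee, amount) pairs already authenticated


@dataclass
class Payment:
    payee: str
    amount: Decimal
    recurring: bool = False   # one of a series of same-amount payments to the same payee
    corporate: bool = False   # lodged card / virtual corporate card process


def sca_decision(state: CardState, p: Payment) -> str:
    """Return the exemption applied, or 'sca_required'. Updates the card counters."""
    if p.corporate:
        return "exempt_corporate"
    if p.payee in state.trusted_payees:
        return "exempt_trusted_beneficiary"
    series = (p.payee, p.amount)
    if p.recurring and series in state.recurring_series:
        return "exempt_recurring"        # first payment of the series was authenticated
    if (p.amount <= LOW_VALUE_LIMIT
            and state.exempt_count < LOW_VALUE_MAX_COUNT
            and state.exempt_sum + p.amount <= LOW_VALUE_CUMULATIVE):
        state.exempt_count += 1
        state.exempt_sum += p.amount
        return "exempt_low_value"
    # No exemption: the customer authenticates, which resets the low-value
    # counters and, for a recurring series, covers the later payments.
    state.exempt_count = 0
    state.exempt_sum = Decimal("0")
    if p.recurring:
        state.recurring_series.add(series)
    return "sca_required"


def demo() -> dict:
    """Constructed scenarios (not real data) showing which limit trips first."""
    out = {}

    # Six €10 payments: the count limit (5) trips before the €100 total does.
    s = CardState()
    out["count_limit"] = [sca_decision(s, Payment("cafe", Decimal("10"))) for _ in range(6)]

    # Five €25 payments: the €100 cumulative limit trips before the count limit.
    s = CardState()
    out["cumulative_limit"] = [sca_decision(s, Payment("cafe", Decimal("25"))) for _ in range(5)]

    # Recurring €45 subscription: SCA on the first payment only.
    s = CardState()
    sub = Payment("streaming-service", Decimal("45"), recurring=True)
    out["recurring"] = [sca_decision(s, sub), sca_decision(s, sub)]

    # Whitelisted payee: exempt regardless of amount.
    s = CardState(trusted_payees={"acme-utilities"})
    out["trusted"] = [sca_decision(s, Payment("acme-utilities", Decimal("300")))]
    return out


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name}: {decisions}")
```

Two design points worth noting: amounts are `Decimal`, because cumulative limits compared with binary floats can be off by a cent at exactly €100; and the counters are reset only when SCA actually happens, so a run of corporate or trusted-beneficiary payments neither consumes nor refreshes the low-value allowance. The issuer, not the merchant, owns this state, which is why the article says the bank is responsible for identifying when the exemption has run out.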

The Opportunity For Mobile

The rapid pace of mobile adoption and of mobile payment services unleashes a plethora of new and innovative services and deeper customer relationships, but it is vitally important that these new services are matched with robust security measures.

The financial services market is dynamic and vast, and we predict that financial institutions may have a hard time providing the required security on top of all of their other pressing cybersecurity demands. Even the most high-end biometric facial recognition technology on a smartphone is useless if weak encryption is applied or sophisticated cyber attacks are not prevented.

More than any other payment method, mobile payments need to rely on strong and robust authentication mechanisms, including encryption key management and protection, device binding, and jailbreak/root detection. Device binding matters because a smartphone only counts as a possession factor if the app can prove it is running on the device that was enrolled, not on a copy of its data. This will help to comply with the requirements of SCA and PSD2.

Perhaps more importantly, this is set to be one of the most disruptive changes to consumer banking, yet many customers are still largely unaware of what it actually means. Firms need to put in place measures that ensure customers are educated about strong customer authentication whilst also making it easy for them to use.

This means developing technology capabilities that do not pass the technical complexity of the new security requirements on to the end-user experience: eliminating the need to remember multiple security codes, allowing access from any device without having to switch from one app to another, and building a simple, easy to use interface.

With the deadline a mere seven months away, financial companies should be looking at how they can best comply with SCA, and at the same time be focusing heavily on the customer education piece. There is an opportunity here to build digital systems and processes that can help you with this. Contact us if you would like more information about how we can help.
