The clock is ticking for European Union member states to implement the European Banking Association’s Revised Payment Services Directive (PSD2) into their national laws, with the cut-off date of 13 January 2018 only nine months away. As we wrote here, these regulatory standards will give third-party providers (such as retailers and fintechs) access to the account information of banks’ customers, providing that these customers give their consent. The standards also dictate that two-factor authentication (2FA) must be in place when users access their accounts or make payments.
What is the plan?
The original Payment Services Directive (PSD), adopted in 2007, provided the legal foundation for creating a single EU market for payments. The objective was to make cross-border payments as easy, efficient and secure as national payments (i.e. payments within a member state). Then, in 2013, the European Commission realized that it would need to adjust these regulations in order to cater for the new payment mechanisms that were now possible as a result of advances in technology. Two months ago, on 23 February 2017, the final draft of the PSD2 Regulatory Technical Standards on strong customer authentication and secure communication was published. The revised regulations now have the following core objectives:
- To contribute to a more integrated and efficient European payments market
- To level the playing field for new and existing payment service providers
- To make payments safer and more secure
- To protect consumers
- To encourage lower prices for payments through stronger competition
In a world where user experience is becoming more essential to success in digital services, banks that were not willing or able to pursue a frictionless e-commerce user experience now hope that partnering with merchants on risk-based authentication will be an answer. Time will tell.
What will change?
Currently, consumers holding multiple accounts need to log in to each account via that financial institution’s proprietary digital interface, whether via a mobile app or an online portal. Under PSD2, on the other hand, third-party data aggregators known as Account Information Service Providers (AISPs) can be granted access to this account information, which will enable them to give consumers a single view of multiple accounts. All account information, financial products and transactions can then be viewed on a single application dashboard.
In revising the regulations, the European Commission also saw an opportunity to promote competition in the financial services industry. To this end, the Commission introduced a new category of Payment Service Provider (PSP) called “payment institutions”. This refers to providers of payment services that are unconnected to the taking of deposits or the issuing of electronic money (i.e. not a bank). Aside from opening up customers’ account information, PSD2 will require banks to give these new market entrants payment capabilities, in the hope that this will lead to cheaper and faster payments.
But is it safe?
Under PSD2, all PSPs will be required to apply 2FA. This means that, in addition to static credentials (a username and password), the user will also be asked to authorize a login event or transaction by using another method.
This is nothing new for the financial services industry, and as such there is already an array of mechanisms available for implementing 2FA. Two of the more popular forms are SMS one-time passwords (OTPs), also known as mTANs, and hardware-generated OTPs. But as security possibilities expand, so does the sophistication of cybercrime syndicates. As a result, some of these 2FA approaches are now being circumvented, exposing consumers and organizations to fraud. So how is strong authentication to be achieved?
The only way to stand up to the increasing complexity of fraud vectors in use today is to combine multiple security measures. In this kind of layered approach, the mobile device – if identified definitively through the use of a digital certificate – can act as a first factor of authentication (possession, i.e. something the user has). A second factor, such as a PIN, the user’s GPS location, or a biometric input, is used to augment security – especially for high-value transactions.
For added security, banks and other financial service providers should implement authentication solutions that provide a separate, bi-directional channel between their servers and their users’ mobile devices. Encrypted push-based authentication requests and responses can then be exchanged over it without fear of interception and modification.
This secure channel provides a second factor of authentication out of band, without the user even having to switch apps. Apart from the authentication of digital logins and financial transactions, this will also enable the authentication of card-not-present payments using the same interface, thus providing a consistent customer experience across multiple channels.
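As an added illustration (not code from the original post or from the vendor it describes), here is a minimal model of the push-based, out-of-band exchange just described: the server issues a challenge bound to the transaction details, the enrolled device signs it with its private key (the possession factor; the device certificate is represented by an enrolled Ed25519 public key), and the server enforces single use, expiry and signature validity before the transaction is approved. The transport encryption of the channel, the PIN or biometric that unlocks the device key locally, and all names and sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Challenge is the push request sent over the separate channel; the embedded
// transaction details bind the approval to what the user sees on the device.
type Challenge struct {
	ID, Device, Amount, Payee string
	Expires                   time.Time
}

// Bytes is the canonical form the device signs and the server verifies.
func (c Challenge) Bytes() []byte { b, _ := json.Marshal(c); return b }
// Server keeps the device keys enrolled at registration (standing in for the
// device certificate) and the challenges issued but not yet consumed.
type Server struct {
	Devices map[string]ed25519.PublicKey // device ID -> enrolled public key
	Pending map[string]Challenge         // challenge ID -> issued challenge
}

// Issue creates a single-use, short-lived challenge for one transaction.
func (s *Server) Issue(device, amount, payee string, ttl time.Duration) Challenge {
	id := make([]byte, 16)
	rand.Read(id) // crypto/rand nonce; error return ignored for brevity
	c := Challenge{hex.EncodeToString(id), device, amount, payee, time.Now().Add(ttl)}
	s.Pending[c.ID] = c
	return c
}

// Approve models the app after the user confirms the displayed details; the
// signature made with the device private key is the possession factor.
func Approve(priv ed25519.PrivateKey, c Challenge) []byte { return ed25519.Sign(priv, c.Bytes()) }

// Verify consumes the pending challenge and rejects expired or badly signed
// responses, so a captured response can be neither replayed nor altered.
func (s *Server) Verify(challengeID string, sig []byte) error {
	c, ok := s.Pending[challengeID]
	delete(s.Pending, challengeID) // single use, whatever the outcome
	if pub := s.Devices[c.Device]; !ok || pub == nil || time.Now().After(c.Expires) || !ed25519.Verify(pub, c.Bytes(), sig) {
		return errors.New("challenge unknown, already used, expired or badly signed")
	}
	return nil
}
```

Because the signature covers the amount and payee, a response captured and altered in transit fails verification, and because each challenge is deleted on first use, the same response cannot be submitted twice.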
Want to know more? Watch our CIO, Gerhard Oosthuizen, talk about a new approach to regulation.