By Frans Labuschagne, UK & Ireland country manager, Entersekt
The payment industry is undergoing phenomenal change as thousands of fintech and insuretech companies attract the interest of the global venture capital community. More established financial service providers have meanwhile been forced to re-assess their business models in order to remain relevant as well as compliant with ever more stringent regulations designed to protect customer data and prevent fraud.
With these top-down directives continually shaping the fast-paced payments industry, it can sometimes be difficult to keep up. One of the latest such directives is PSD2, which constitutes a major update of the EU’s first Directive on Payment Services from 2007. The regulatory technical standards (RTS) for the implementation of PSD2 are still under review, and meeting the January 2018 deadline for transposing PSD2 into national legislation is bound to be a challenge for governments. The earliest starting point for the enforcement of PSD2 by law, namely September 2018, is also barely more than a year away. Payment institutions that act now to deploy secure authentication methods that are future-proof will put themselves in good stead to manage the next couple of years.
PSD2 in a nutshell
The original Payment Services Directive (PSD) established the legal foundation for creating an EU single market for payments. The objective was to make cross-border payments as easy, efficient and secure as “national” payments within a member state. This objective was largely achieved. In 2013, the European Commission realized it would need to revise the regulations to cater for new mechanisms of payment arising from technological advancements. The revised directive sets out the following objectives:
- To contribute to a more integrated and efficient European payments market
- To level the playing field for payment service providers (including new players)
- To promote transparency and competition in pricing of financial services
- To make payments safer and more secure
PSD2 and customer interactions
The European regulators have gone to great pains to ensure that the consumer will be the ultimate winner. PSD2 fundamentally changes both how consumers access their financial data and how they transact, and with whom.
Currently, consumers holding accounts at multiple institutions need to log into each account via that institution’s proprietary digital interface, whether a mobile app or an online portal. To promote competition in financial services and improve ease of use for the customer, PSD2 makes provision for data aggregators, which allow a single view of accounts at multiple providers (insurance companies, payment services, credit card issuers, mortgage lenders). All account information, all financial products and all transactions can then be viewed on a single dashboard. To make this possible, PSD2 compels banks and other financial service providers to open their account data and payment initiation capabilities to third parties via an API or enterprise service bus. Third parties that aggregate account information for consumers are termed account information service providers (AISPs).
What it means
While these ideals are laudable, any new regulations, and particularly ones as far-reaching as these, always come with unintended consequences. The legal, technical and operational challenges (and opportunities) of PSD2 are landing on board meeting agendas across Europe and beyond.
From a technical standpoint, a key requirement of PSD2 will be its focus on security and authentication. All payment service providers (PSPs) will be required to apply strong customer authentication (SCA) whenever a payer initiates an electronic payment transaction. More precisely, subject to specified exemptions, all PSPs will be required to apply SCA whenever a payer:
- Accesses a payment account online
- Initiates an electronic payment transaction
- Carries out any action through a remote channel which may imply a risk of payment fraud or other abuse
Of note to banks is that the cost of designing, implementing, and auditing the effectiveness of the SCA procedure will fall to the account servicing payment service providers (ASPSPs), i.e. the banks themselves. Meanwhile, payment initiation service providers (PISPs) and AISPs must ensure that SCA is applied appropriately, although they do have the right to rely on the authentication procedures provided by banks. This further reinforces the pressure on banks to be compliant.
PSD2 authentication requirements
The latest RTS stipulate that a procedure can be considered to comply with the requirement of strong authentication when at least two of the following elements are implemented:
- Knowledge – something only the user knows (e.g. password, PIN, or identification number)
- Ownership – something the user possesses (e.g. token, smart card, mobile phone)
- Inherence – something the user is (e.g. a computer-readable biometric characteristic)
In addition, the elements chosen must be mutually independent: compromising one must not compromise the others. At least one of the elements must also be non-reusable and non-replicable (inherence excepted) and incapable of being stolen via the Internet. In practice that rules out a static credential that can be phished and replayed, and points towards a one-time challenge answered by something bound to the customer’s device.
If that “something the user possesses” can be an object that is conveniently to hand, one that we carry with us as a matter of course, so much the better. Enter the ubiquitous mobile phone.
If you can uniquely identify the customer-held mobile device with a digital certificate, and can ensure that only the owner can access sensitive communications to that device, you have the most reliable authentication factor – possession – covered, with zero input needed from your customer. The second factor can then be a quick fingerprint scan or a simple PIN. This satisfies the strong authentication PSD2 specifies and gives a far more pleasant user experience. Two conditions make the possession claim hold: the private key behind the certificate must stay on the handset, ideally in hardware-backed key storage, and the push channel must remain independent of the channel on which the transaction was initiated, so that compromising one does not compromise the other. Market analysts already believe that by 2020, 80% of all transactions using mobile phones as a second factor of authentication will be based on out-of-band push, even though the figure is currently only 15%.
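The possession-plus-PIN flow described above, as an added example that is neither Entersekt’s product code nor part of the original article. It assumes a bank-side registry of device public keys standing in for the certificate the article mentions, an Ed25519 key pair generated on the handset, a hypothetical local PIN gate, and constructed device IDs, PIN and transaction text; the out-of-band push transport is simulated by handing the nonce straight to the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Bank (ASPSP) side: the public key recorded for each enrolled handset, and
// the outstanding one-time challenges keyed by hex nonce.
type Bank struct {
	devices    map[string]ed25519.PublicKey
	challenges map[string]challenge
}

type challenge struct{ deviceID, payload string }

// Handset side: the private key is generated on the device and never leaves it.
// In deployment the bank would wrap the public key in an enrolment certificate.
type Device struct {
	ID  string
	key ed25519.PrivateKey
	pin string // hypothetical local PIN gate standing in for the knowledge factor
}

func NewBank() *Bank {
	return &Bank{devices: map[string]ed25519.PublicKey{}, challenges: map[string]challenge{}}
}

// Enroll models registration: the handset generates its key pair locally and
// hands the bank only the public half, bound to a device ID.
func (b *Bank) Enroll(deviceID, pin string) (*Device, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	b.devices[deviceID] = pub
	return &Device{ID: deviceID, key: key, pin: pin}, nil
}

// IssueChallenge is what the bank pushes out of band to the handset: a fresh
// random nonce bound to the exact action the customer is being asked to approve.
func (b *Bank) IssueChallenge(deviceID, payload string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.challenges[fmt.Sprintf("%x", nonce)] = challenge{deviceID, payload}
	return nonce, nil
}

// message ties device ID, nonce and payload together so one signature cannot
// be replayed for another device, another challenge or an altered transaction.
func message(deviceID string, nonce []byte, payload string) []byte {
	return []byte(fmt.Sprintf("%s\x00%x\x00%s", deviceID, nonce, payload))
}

// Approve runs on the handset: the PIN gate must pass before the device key
// signs. Possession of that key is what the bank verifies; the PIN stays local.
func (d *Device) Approve(nonce []byte, payload, pin string) ([]byte, error) {
	if pin != d.pin {
		return nil, errors.New("PIN rejected")
	}
	return ed25519.Sign(d.key, message(d.ID, nonce, payload)), nil
}

// Verify checks a pushed approval: the nonce must be outstanding and bound to
// this device and payload, and the signature must verify under the enrolled key.
// The nonce is consumed on first sight, success or failure, so replays fail.
func (b *Bank) Verify(deviceID string, nonce []byte, payload string, sig []byte) error {
	k := fmt.Sprintf("%x", nonce)
	c, seen := b.challenges[k]
	delete(b.challenges, k)
	pub, enrolled := b.devices[deviceID]
	switch {
	case !enrolled:
		return errors.New("unknown device")
	case !seen:
		return errors.New("unknown or already used challenge")
	case c.deviceID != deviceID || c.payload != payload:
		return errors.New("challenge is bound to a different device or transaction")
	case !ed25519.Verify(pub, message(deviceID, nonce, payload), sig):
		return errors.New("signature does not verify under the enrolled device key")
	}
	return nil
}

func main() {
	bank := NewBank()
	dev, _ := bank.Enroll("handset-4f2a", "2468") // constructed device ID and PIN
	payload := "pay EUR 125.00 to GB33BUKB20201555555555" // constructed transaction summary
	nonce, _ := bank.IssueChallenge(dev.ID, payload)
	sig, _ := dev.Approve(nonce, payload, "2468")
	fmt.Println("first use:", bank.Verify(dev.ID, nonce, payload, sig)) // <nil>
	fmt.Println("replay:", bank.Verify(dev.ID, nonce, payload, sig))    // error: already used
}
```

The two properties the RTS ask for fall out of the design: the nonce is deleted the moment the bank sees it, so an approval cannot be reused, and the signed message binds device, nonce and transaction text, so an approval captured in transit cannot be transplanted onto another payment or presented by another device. The PIN is checked on the handset and never crosses the network; in a real deployment the private key would live in the handset’s hardware-backed keystore and the registry lookup would be replaced by validating the bank-issued device certificate.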
It is true – security and user-friendliness do not often go hand in hand. But for banks and payments providers, choosing an authentication solution that leverages the convenient mobile phone while also adhering to the strictest standards in security will be a safe bet for years to come.