PSD2 Compliant Strong Customer Authentication Solution

Given the influx of fintech startups in the modern world, the role of banking institutions is shifting from being a single point of service toward becoming more of a platform. The revised Payment Service Directive (PSD2) is a big step toward these changes.

Client and product

According to the Directive, banks are asked to open their APIs and provide data for third-party providers (TPPs) and services accepted by users. This will make it possible to aggregate data from different banks in one place, significantly enhancing the user experience. Having access to such data also makes better, more thorough analyses possible, and provides users with more intelligent, sophisticated advice and overall service: faster access, better understanding, greater control, products users need immediately. A brave new world is here.

This sounds great, but what if some of this data is leaked? What if somebody else becomes able to withdraw money from your account? Of course, nothing good would happen in this case. Naturally, the relevant bodies reached the same conclusion; significant efforts have been made to guarantee the protection of the whole ecosystem.

The newcomers to the financial market can essentially be divided into two categories:

  • Account Information Service Providers (AISPs) offer systems that display your balance, transactions, etc. from your bank. An AISP cannot make changes to your accounts or process transactions.
  • Payment Initiation Service Providers (PISPs) offer systems that can perform credit transfers on the user’s behalf.

The greatest challenge here is to create a safe means of communication between all these parties. The good news for the users is that § 73 of PSD2 protects their rights:

“[…] in the case of an unauthorised payment transaction, the payer’s payment service provider refunds the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day, after noting or being notified of the transaction.”

The same applies when an unauthorized transaction is done via PISP. The Account Servicing Payment Service Provider (AS-PSP, usually a bank) compensates the loss under the same conditions.

Whether or not the PISP compensates these losses to the AS-PSP (bank) later depends on the authentication scheme in use. Two options are possible: the PISP can rely on credentials issued by the AS-PSP, or it can issue its own security credentials.

We doubt the second option will be popular, since according to § 72(1), the burden is on the PISP to prove that, within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge. The effort involved in proving this could be significant; in any case, there is no reason to go through it at all, as the Directive welcomes third-party providers of Strong Customer Authentication, like Protectimus.

No one wants to pay for fraud. That’s why Strong Customer Authentication (SCA) is so important in light of PSD2. § 98 directly calls for the development of Regulatory Technical Standards (RTSes): “[the] EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, develop draft regulatory technical standards addressed to payment service providers.”

The EBA has done this work and we now have a final draft of the Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2).

In short, the RTS sets out requirements for how and when to apply two-factor or multifactor authentication while ensuring technology and vendor neutrality.

The highlighted trends:

  • multifactor authentication;
  • segregation of channels and security credentials;
  • simplifying the execution of low-risk transactions, like parking or transportation fees;
  • transaction data signing, like CWYS (Confirm What You See) from Protectimus.

For now, it turns out that SCA providers are the cornerstones of all PSD2 infrastructure. Choosing a multifactor authentication provider whose services meet all PSD2 and RTS requirements is a complicated, important task, so we decided to help our customers by preparing a short checklist to evaluate possible solutions. You can download it here.

Knowledge base

PSD2 is the revised Payment Service Directive, which forms the legal foundation of all payments within the EU. The need for a revised PSD arose in response to the transformation of the modern payment processing landscape. PSD2 aims to improve protection for payments and users' data, accelerate innovation in the field of payment processing and promote progress in the development of modern payment technologies, including mobile and online payments. PSD2 comes into force completely in 2018.

Confirm What You See is a special function for enhanced consumer data protection when making online payments, offered by Protectimus's two-factor authentication service. It lets users confirm online transactions with one-time passwords generated from contextual information, such as transaction data, time, geolocation, etc. In this way, users are protected against hackers' data manipulation tricks during payment processing. A one-time password generated from the real transaction data will not match the data of a compromised transaction, so an attacker can’t use the consumer’s OTP to confirm a fake transaction.
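To make the mechanism concrete, here is an added illustration of a transaction-bound OTP: the code is computed over the exact transaction fields the user sees, so a code issued for one transaction cannot confirm a manipulated one. This is example code written for this page, not Protectimus's implementation; the shared secret, the 60-second step and the IBAN values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Added illustration of transaction-bound OTPs (the idea behind CWYS-style signing);
# not Protectimus's implementation. The shared secret below is a constructed sample.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
OTP_DIGITS = 6
STEP_SECONDS = 60  # OTP validity window, an assumption for this example


def canonical_transaction(tx: dict) -> bytes:
    """Encode exactly the fields the user sees on screen, in a fixed order."""
    shown = {"amount": f"{tx['amount']:.2f}", "currency": tx["currency"], "payee": tx["payee"]}
    return json.dumps(shown, sort_keys=True, separators=(",", ":")).encode()


def transaction_otp(secret: bytes, tx: dict, timestamp: int) -> str:
    """OTP = truncated HMAC over (displayed transaction data || time step)."""
    step = timestamp // STEP_SECONDS
    msg = canonical_transaction(tx) + step.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226), applied to the SHA-256 digest.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def verify_transaction_otp(secret: bytes, tx: dict, otp: str, now: int, window: int = 1) -> bool:
    """Server side: recompute the OTP over the transaction it is about to execute,
    so a code generated for different data (amount, payee) cannot confirm it."""
    for delta in range(-window, window + 1):
        expected = transaction_otp(secret, tx, now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, otp):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample transaction; the payee is a standard example IBAN.
    shown_tx = {"amount": 250.00, "currency": "EUR", "payee": "DE89370400440532013000"}
    now = 1_700_000_000
    otp = transaction_otp(SHARED_SECRET, shown_tx, now)  # what the user's token displays
    print("genuine transaction accepted:", verify_transaction_otp(SHARED_SECRET, shown_tx, otp, now))
    tampered = dict(shown_tx, payee="GB29NWBK60161331926819")  # payee swapped in transit
    print("tampered transaction accepted:", verify_transaction_otp(SHARED_SECRET, tampered, otp, now))
```

The server recomputes the code over the transaction it is about to execute, so a code the user produced for a different amount or payee is rejected.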

Strong Customer Authentication means using two or more authentication factors to authenticate customers. It's also known as two-factor authentication (2FA) or multifactor authentication. There are three groups of authentication factors used for SCA: knowledge (passwords, mother's maiden name), possession (hardware OTP tokens, smartphones) and biometrics (fingerprints, voice, retina scans). Strong Customer Authentication is required under PSD2; two-factor authentication will prevail, as the EBA has set a high bar for the use of biometric factors.

Regulatory technical standards for multifactor user authentication and everyday safe communication under PSD2 have been established. Below are some rules from the final RTS draft:

  • Multifactor authentication is not required for payments under €30, or up to a cumulative limit of either €100 or five successive transactions, but MFA will be invoked if there is any risk;
  • "Screen scraping" is banned;
  • AISPs can access users’ bank accounts independently up to four times a day, with no limit on the number of requests from account holders;
  • The use of smartphones for multifactor authentication is allowed.
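The low-value exemption above is a small stateful policy in practice: the decision depends on the amount, the running total and the number of exempted payments since SCA was last applied. The following is an added example of such a decision routine, written for this page rather than taken from any vendor or from the RTS text; it assumes the exemption applies only while both the cumulative and the count limit hold, that counters reset whenever SCA is applied, and that amounts are handled in euro cents.

```python
from dataclasses import dataclass
from typing import Tuple

# Added illustration of the low-value exemption rules listed above; not a vendor's code.
# Amounts are in euro cents to avoid floating-point rounding in money comparisons.
LOW_VALUE_LIMIT_CENTS = 30_00       # "payments under €30"
CUMULATIVE_LIMIT_CENTS = 100_00     # "cumulative limit of €100"
MAX_CONSECUTIVE_EXEMPT = 5          # "five successive transactions"


@dataclass
class ExemptionState:
    """Per-payer counters since the last time SCA was actually applied."""
    cumulative_cents: int = 0
    consecutive_exempt: int = 0

    def reset(self) -> None:
        self.cumulative_cents = 0
        self.consecutive_exempt = 0


def requires_sca(amount_cents: int, state: ExemptionState, risk_flag: bool = False) -> Tuple[bool, str]:
    """Decide whether this payment must go through SCA and update the counters.
    Assumption: the exemption applies only while both limits hold, and applying
    SCA resets the counters (a conservative reading of the rules above)."""
    if risk_flag:
        state.reset()
        return True, "risk indicators present"
    if amount_cents >= LOW_VALUE_LIMIT_CENTS:
        state.reset()
        return True, "amount not below low-value threshold"
    if state.cumulative_cents + amount_cents > CUMULATIVE_LIMIT_CENTS:
        state.reset()
        return True, "cumulative exempt amount would exceed limit"
    if state.consecutive_exempt >= MAX_CONSECUTIVE_EXEMPT:
        state.reset()
        return True, "consecutive exempt transaction limit reached"
    state.cumulative_cents += amount_cents
    state.consecutive_exempt += 1
    return False, "low-value exemption applied"


if __name__ == "__main__":
    # Constructed sequence: three small payments pass, the fourth trips the cumulative limit.
    state = ExemptionState()
    for cents in (25_00, 29_99, 29_99, 20_00, 5_00):
        print(f"{cents / 100:7.2f} EUR ->", requires_sca(cents, state))
```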

The European Banking Authority is an independent European Union authority whose goal is to create tech standards, laws and regulations that ensure ultimate transparency, integrity, efficiency, modernity and security in the European financial sector. The creation of the EBA was a result of the need to both raise and maintain the financial stability of the European Union and promote fairness in the financial market across the EU. One of the most important EBA directives is PSD2, which aims to accelerate innovation in the financial sector and introduce new data protection standards.

An AS-PSP can be any traditional EU financial organization that holds customers' financial accounts. This category includes all traditional European banks. Per PSD2 standards, Account Servicing Payment Service Providers are obligated to provide third-party Payment Initiation Service Providers with access to their users’ accounts through an open API (application programming interface).

PISPs are a new link between merchants and banks. With the consumer’s approval, PISPs have permission to access the consumer’s online banking account using an AS-PSP's open API and initiate a transaction on the user's behalf. Online payment systems offering direct payments from users’ online banking accounts can act as PISPs.

AISPs will handle aggregation of a user’s online financial information from all online financial services they use. All aggregated data will be available to the customer through a special dashboard. This way, it will be easy and convenient for users to control their finances and transactions.

PSD2: Revised Payment Service Directive

CWYS: Confirm What You See

SCA: Strong Customer Authentication

RTS: Regulatory Technical Standards

EBA: European Banking Authority

AS-PSP: Account Servicing Payment Service Provider

PISP: Payment Initiation Service Provider

AISP: Account Information Service Provider