31 March 2016

Payment Service Directive 2 (PSD2) - Strong Customer Authentication

On 23 December 2015, the European Union published the second Payment Service Directive (PSD2) in their Official Journal. If all goes according to plan, this EU Directive will be transposed into national legislation and become fully applicable by early 2018.

PSD2 was put in place to boost transparency, innovation and security in the European payments market. It addresses new types of Payment Service Providers (PSPs), such as Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs). While creating a level playing field for these new providers, it equally aims to bring these emerging types of payment services within regulatory scope.

In parallel, PSD2 also establishes a stricter regime of payment service user authentication, with the aim of ensuring that PSPs can be confident in the authenticity of users. PSD2 requires PSPs to apply "strong customer authentication" (SCA) in cases where an organisation or consumer accesses their payment accounts online, initiates an electronic payment transaction or "carries out any action through a remote channel which may imply a risk of payment fraud or other abuses". This requirement will clearly oblige a number of financial institutions to revise the authentication mechanisms currently used in their online banking systems.

The European Banking Authority (EBA) will develop the ‘technical’ requirements for SCA, in close cooperation with the European Central Bank (ECB). The resulting Regulatory Technical Standards (RTS) will also include:

  1. the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials;
  2. the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information;
  3. and the requirements “for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers”.

To prepare for these RTS, EBA launched a discussion paper in December 2015. EBA has made it clear that it is seeking to strike a balance between tough security standards and specific protocols on the one hand, and customer convenience and future innovative industry solutions on the other. PSD2 defines two-factor authentication as a requirement for SCA: authentication procedures must be based on the use of two or more of the following elements, categorised as knowledge, ownership and inherence:

  1. something only the user knows, e.g. static password, code, personal identification number;
  2. something only the user possesses, e.g. token, smart card, mobile phone;
  3. something the user is, e.g. biometric characteristic, such as a fingerprint.
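The point practitioners most often miss in the three categories above is that the elements must come from different categories: a password plus a PIN is two knowledge elements, not two factors. The following Python snippet is an added illustration written for this page, not code from SWIFT, the EBA or the Directive; the mapping of credential types to categories is an assumption for demonstration only, since the RTS will define the authoritative requirements.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA element categories named in PSD2."""
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


# Hypothetical classification of credential types used by an online banking
# channel. These labels are an assumption for illustration; the RTS, not this
# table, decides what qualifies as a valid element of each category.
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "hardware_token_otp": Factor.POSSESSION,
    "smart_card": Factor.POSSESSION,
    "registered_phone_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def categories_presented(credentials):
    """Return the set of distinct SCA categories covered by the credentials.

    Raises ValueError for a credential type the channel has not classified,
    so an unknown element is never silently counted as a factor.
    """
    categories = set()
    for cred in credentials:
        if cred not in CREDENTIAL_CATEGORY:
            raise ValueError(f"unclassified credential type: {cred!r}")
        categories.add(CREDENTIAL_CATEGORY[cred])
    return categories


def meets_sca(credentials):
    """True when the presented elements span at least two distinct categories.

    Counting categories rather than credentials is what rejects the
    password-plus-PIN case: both map to KNOWLEDGE, giving only one category.
    """
    return len(categories_presented(credentials)) >= 2


def missing_categories(credentials):
    """Categories that would lift the session to SCA if one were added.

    Useful for a step-up decision: an empty result means SCA is already met.
    """
    if meets_sca(credentials):
        return set()
    return set(Factor) - categories_presented(credentials)


if __name__ == "__main__":
    # Constructed sample sessions, not real authentication data.
    for session in (["password", "fingerprint"],
                    ["password", "pin"],
                    ["hardware_token_otp"]):
        print(session, "SCA" if meets_sca(session) else "step-up needed",
              sorted(f.value for f in missing_categories(session)))
```

Used as a step-up gate, `missing_categories` tells the channel which kind of element to request next rather than simply rejecting the login, which is the convenience-versus-security balance the EBA discussion paper is trying to strike.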

EBA is working towards publication of the draft RTS by the summer for consultation, and must publish the finalised RTS by the beginning of 2017.

SWIFT has responded to the discussion paper and is keen to contribute security and authentication expertise. We are following further developments closely, monitoring the impact of the future regulation and RTS on our products and services.