PSD2 & the Technical Standards for Strong Customer Authentication
Cryptomathic, 28 March 2018
The 2015 Revised Directive on Payment Services (also known as PSD2) lays the foundation for safe and secure payments throughout the European Union. PSD2 places a substantial emphasis on ensuring that adequate safeguards are put in place to prevent fraud and other unauthorized use of payment mechanisms.
The Delegated Regulation on Regulatory Technical Standards (RTS) adopted by the European Commission in 2017 sets out the specific requirements for strong customer authentication and the other security measures such transactions need. The RTS document describes the protocols that must be implemented to protect the security and confidentiality of customer information and to ensure secure and open communication throughout the payment process.
Creating a level playing field
There are various business models currently in use in the payments industry. All of these models co-exist and cater to specific niches of the market. For example, some models might be suited for micro-transactions, while others might be more cost-effective for cross-border payments. In addition to business models, there are also various technologies and protocols, each of which offers different advantages to consumers. Since the goal of PSD2 was to increase competition, fair play, and innovation in the payments industry, the new technical standards have been designed to do the same.
The technical specifications within the Regulatory Technical Standards (RTS) are designed to be neutral with respect to technology and business model. Certain exemptions exist for remote payments, proximity payments, low-value payments and transactions cleared by transaction risk analysis. These ensure that the payment infrastructure is not overburdened while industry-leading security is maintained.
Ensuring Strong Customer Authentication
The Regulatory Technical Standards specify various elements to ensure Strong Customer Authentication as required under PSD2. Secure communication between banks, other financial institutions, Account Information Service Providers and Payment Initiation Service Providers (AISPs and PISPs) is perhaps the most important requirement of PSD2 covered by the RTS. The standards mandate that financial institutions define transparent KPIs (Key Performance Indicators) and service level targets for their payment interface.
The RTS defines, in detail, the requirements for strong customer authentication. eIDAS also plays a key role, as qualified certificates are used for the electronic identification and authentication of online platforms. Other elements include an authentication code that is secure and cannot be forged, the dynamic linking of that code to a specific transaction, and further risk mitigation techniques.
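The dynamic-linking requirement above, illustrated as an added example that is not part of the original article and not Cryptomathic's own code: the authentication code must be specific to the payee and amount the payer approved, so that any later change to either invalidates it, and it must not be reusable. The snippet assumes a server-side HMAC key shared by the component that issues the code after the payer has authenticated and the component that verifies it (a simplification of a real SCA backend, where the key would live in an HSM or key manager), and all transaction values, IBANs included, are constructed sample data.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample key; a real deployment keeps this in an HSM or key manager.
SERVER_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class Transaction:
    """The elements the payer sees and approves: payee and amount."""
    payee: str
    amount_cents: int
    currency: str


def display_for_payer(tx: Transaction) -> str:
    """What the payer is shown before approving; the payer must be aware of
    the amount and payee at the moment of authentication."""
    return f"Pay {tx.amount_cents / 100:.2f} {tx.currency} to {tx.payee}"


def _canonical(tx: Transaction, nonce: str) -> bytes:
    # Length-prefixed fields so that a payee string containing a separator
    # cannot be confused with a different (payee, amount) split.
    parts = [tx.payee, str(tx.amount_cents), tx.currency, nonce]
    return b"".join(len(p.encode()).to_bytes(2, "big") + p.encode() for p in parts)


def issue_authentication_code(key: bytes, tx: Transaction,
                              nonce: Optional[str] = None) -> Tuple[str, str]:
    """Issue a code once the payer has completed authentication.
    The code is an HMAC over payee, amount, currency and a fresh nonce, so it
    is bound to exactly this transaction and cannot be forged without the key."""
    nonce = nonce or secrets.token_hex(16)
    code = hmac.new(key, _canonical(tx, nonce), hashlib.sha256).hexdigest()
    return nonce, code


class CodeVerifier:
    """Verifies codes against the transaction as finally submitted and
    enforces one-time use, so a consumed code cannot be replayed."""

    def __init__(self, key: bytes):
        self._key = key
        self._used = set()

    def verify(self, tx: Transaction, nonce: str, code: str) -> bool:
        expected = hmac.new(self._key, _canonical(tx, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return False  # wrong key, or payee/amount changed after authentication
        if nonce in self._used:
            return False  # replay of an already-consumed code
        self._used.add(nonce)
        return True


def demo(key: bytes = SERVER_KEY) -> dict:
    """Walk through the cases a verifier must get right; returns the outcomes
    so they can be checked rather than only printed."""
    verifier = CodeVerifier(key)
    tx = Transaction("DE89 3704 0044 0532 0130 00", 12_500, "EUR")  # constructed IBAN
    nonce, code = issue_authentication_code(key, tx)
    tampered_amount = Transaction(tx.payee, 125_000, tx.currency)
    tampered_payee = Transaction("GB33 BUKB 2020 1555 5555 55", tx.amount_cents, tx.currency)
    return {
        "display": display_for_payer(tx),
        "original_accepted": verifier.verify(tx, nonce, code),
        "amount_changed_rejected": not verifier.verify(tampered_amount, nonce, code),
        "payee_changed_rejected": not verifier.verify(tampered_payee, nonce, code),
        "replay_rejected": not verifier.verify(tx, nonce, code),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The MAC check runs before the replay check on purpose: a tampered transaction is rejected as a forgery regardless of whether its nonce was ever consumed, and only a code that verifies against the submitted payee and amount is marked as used.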
Risk Analysis and Monitoring
To keep the process dynamic and spare both the system and end users an excessive burden, low-risk transactions are granted certain exemptions. The exact criteria for classifying a transaction as low risk are also stipulated in the standards and include the fraud rate for that type of transaction, the transaction value threshold, real-time analysis of user location, spending behavior, and so on. This risk analysis adds a further layer of control and incentivizes the proper use of risk monitoring tools, keeping the payment backbone operating at maximum efficiency.
References and Further Reading
- COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
- Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
- Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission
- REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council
- Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Parliament and the European Council
- Revised Directive 2015/2366 on Payment Services (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- DIRECTIVE 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013), by the European Parliament and the Council
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority
Image: The European flag, courtesy of Rock Cohen, Flickr (CC BY-SA 2.0)