Our insights from the latest European Banking Authority’s paper on PSD2 readiness, advances and challenges

Last updated: 06 August 2019

The PSD2 directive, a fundamental piece of payments legislation in Europe, introduces security requirements for the initiation and processing of electronic payments and for the protection of customers' financial data. Its Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure communication apply from 14 September 2019.

Since the European Banking Authority (EBA) published its first paper in June 2018 on exactly what the PSD2 legislation would mean for businesses affected, many more questions have arisen. Because of this, the EBA has since published a second paper, one year later, entitled the “Opinion on the elements of strong customer authentication under PSD2”. This paper has been highly anticipated by key stakeholders in the financial and retail sectors to clarify some of the uncertainties around preparing for compliant practices. As the implementation deadline for PSD2 draws nearer, the EBA’s second paper provides vital insight about what the future holds after the 14th of September. We have taken a look at some key takeaways from this paper to see what has changed.

Strong Customer Authentication

The latest paper from the EBA focuses exclusively on "the elements of strong customer authentication" and does not cover other aspects of the PSD2 directive, such as open banking. It therefore reads as a guideline for the National Competent Authorities (NCAs), such as central banks and their delegates, since these institutions are in charge of overseeing and enforcing the application of PSD2 and its Regulatory Technical Standards (RTS).

In this paper the EBA has also confirmed and summarised which methods can and cannot be considered "authentication elements" under PSD2, and in which of the three categories (knowledge, possession, inherence) each one falls. This matters because its first paper on the subject was somewhat ambiguous and left many stakeholders with unanswered questions.

SMS One-time Password Solutions (OTPs) as an authentication method

The EBA's latest paper reinforces that SCA under PSD2 requires at least two independent elements from the categories knowledge, possession and inherence. Interestingly, however, the EBA has stated that SMS one-time password (OTP) solutions, one of the most widely used ways to authenticate customers today, remain acceptable under PSD2, as a possession element. This is somewhat of a surprise, as the June 2018 paper seemed to conclude that SMS OTP should be replaced by more secure authentication methods, such as biometrics.

However, the EBA's most recent paper also clearly points out the weaknesses of this solution compared to more secure alternatives. An SMS OTP only evidences possession (of the SIM card or phone number) and must therefore be combined with an independent knowledge or inherence element; possession of a phone number is also easier to usurp than an inherence factor, such as an iris pattern, which is much harder to replicate. Therefore, in the medium term some sort of inherence factor will still need to be implemented, as the known security concerns around SMS, including SIM swapping and the confidentiality of the OTP in transit, will have to be addressed.

Nonetheless, as SMS OTP remains an accepted element for now, improving SMS security, for example through SIM-swap monitoring (checking whether the SIM or number was recently changed before an OTP is sent), is definitely an area to investigate further in the next few years. It is also good practice to keep SMS-based possession authentication as an option for customers who cannot be reached by other authentication methods.

Dynamic Card Verification (DCV) security codes as a possession factor

Building on the EBA's first paper, the use of DCV, where the card's security code is not printed as a static value but changes every hour, is now confirmed to count as evidence of possession, in line with Article 7 of the Regulatory Technical Standards (RTS). This is significant because Article 7 sets a higher bar for the possession factor: measures must be in place to mitigate the risk of the element being used by unauthorised parties and to prevent it from being replicated. Importantly, this reiterates that the EBA no longer regards a customer simply typing their card number into a portal as an acceptable possession element.

It is also important to note that from September 2019, under PSD2, a mobile app can only be counted as a possession element if it is bound to the device. Device binding allows users to transact on trusted devices without repeated authentication: it securely links an authorised user to their device using the SIM card hardware or the secure element of the handset. In this way the possession check becomes stronger, yet the customer experiences no added friction. Conversely, the card details and the security code printed on the card constitute neither a knowledge element nor a possession element according to Article 7 of the RTS.
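To make the difference between a printed security code and a DCV concrete, here is an added illustration (not code from the EBA paper, from Gemalto/Thales, or from any issuer's product): a TOTP-style derivation in which a per-card secret key, the PAN and the current hourly slot are fed to HMAC-SHA256 and truncated to three digits, with the verifier accepting the current and the previous slot to tolerate clock skew. The key, PAN, slot length, digit count, window and the HOTP-style truncation are all assumptions of this example; the only point taken from the page is that the code changes every hour, so a code captured in one hour is useless a few hours later, whereas a printed code can be replayed indefinitely.

```python
import hashlib
import hmac
import struct

# Assumed parameters for this illustration (not from the EBA opinion or any issuer's scheme)
SLOT_SECONDS = 3600   # the page says the DCV changes every hour
CODE_DIGITS = 3       # same length as a printed CVV
WINDOW = 1            # also accept the previous slot, to tolerate clock skew at the hour boundary


def dcv_for_slot(card_key: bytes, pan: str, slot: int) -> str:
    """Derive the security code for one hourly slot from the card's secret key."""
    msg = pan.encode("ascii") + struct.pack(">Q", slot)
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226): take 4 bytes at an offset given by the low nibble
    offset = digest[-1] & 0x0F
    word = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(word % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def current_dcv(card_key: bytes, pan: str, now: int) -> str:
    """What the card would display at epoch time `now`."""
    return dcv_for_slot(card_key, pan, now // SLOT_SECONDS)


def verify_dcv(card_key: bytes, pan: str, presented: str, now: int) -> bool:
    """Issuer-side check: accept the code for the current slot or the WINDOW previous ones."""
    slot = now // SLOT_SECONDS
    for candidate in range(slot - WINDOW, slot + 1):
        expected = dcv_for_slot(card_key, pan, candidate)
        if hmac.compare_digest(expected, presented):
            return True
    return False


def verify_printed_cvv(stored: str, presented: str) -> bool:
    """A static printed code never rotates: the same captured value verifies forever."""
    return hmac.compare_digest(stored, presented)


def replay_demo():
    """Constructed sample data: a code captured in one hour is replayed ten minutes and three hours later."""
    card_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real card key
    pan = "4111111111111111"                                    # well-known test PAN
    t0 = 1_567_987_200                                          # fixed epoch time for determinism
    captured = current_dcv(card_key, pan, t0)
    same_hour = verify_dcv(card_key, pan, captured, t0 + 600)
    three_hours_later = verify_dcv(card_key, pan, captured, t0 + 3 * SLOT_SECONDS)
    printed_replay = verify_printed_cvv("123", "123")
    return same_hour, three_hours_later, printed_replay


if __name__ == "__main__":
    print(replay_demo())  # (True, False, True)
```

The window of one previous slot is the usual trade-off between usability at the top of the hour and the exposure time of a captured code; a real issuer would also rate-limit attempts, since a three-digit code offers only a thousand possibilities per slot.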

National Competent Authorities (NCAs) and compliance delays

One final point from the EBA, which has received a significant amount of attention from stakeholders, is that it officially gives NCAs the ability to agree on compliance delays (migration plans) with Payment Service Providers (PSPs). To a large extent this announcement was expected, but this latest paper makes it official. From September 2019, NCAs will have the final word on which Strong Customer Authentication practices are accepted from a PSP. This will come as good news to the many who have been requesting more time to become PSD2 compliant since the legislation was first passed in November 2015.

While this second paper has provided a lot more clarity to stakeholders concerned by PSD2, it does not address Open Banking or the relationship between banks and FinTechs. It is therefore expected that more questions will arise on this more challenging side of the PSD2 implementation discussion, which the EBA will need to answer before the September deadline.


You can download our white papers about PSD2 at https://www.gemalto.com/financial/ebanking/psd2 or contact me at Jean.Lambert@thalesgroup.com for more information.

2 thoughts on "Our insights from the latest European Banking Authority's paper on PSD2 readiness, advances and challenges"

  1. Hi Jean,
    Interesting article indeed, however I have a question for you. As you mentioned “ However, interestingly, the EBA have stated that SMS one-time password (OTP) solutions, one of the most used ways to authenticate customers today, will still be an acceptable solution under PSD2. This is somewhat a surprise as the June 2018 paper seemed to conclude that SMS OTP should be replaced by more secure authentication methods, such as biometrics.”
    Can you tell where on earth the EBA opinion states that? Or is it just an interpretation on your side? The truth is that the EBA opinion on some issues is not crystal clear.
    According to my research, the EBA states that SMS OTP is just a possession element. It must be combined with a knowledge element in order to fulfil SCA expectations, correct? Please check the EBA's relevant tables 2 & 3.

    Finally, as I represent a small card player (issuer) and as we do not have the capability to offer an application or to handle SMS OTP as a fallback, can you clarify that case? If a cardholder doesn't have a smartphone, what should he do? My perspective is that, although the SMS OTP solution has vulnerabilities, if you combine this solution with a knowledge element (like a PIN or password) then you can manage 2FA and SCA.

    Your reply will be highly appreciated.
    Kind regards

    AL.VAR.

    1. Hi Alexandros,
      Many thanks for the interest you show in our blog, and in PSD2 in general.
      About SMS OTP, we of course refer to the June 2019 EBA Opinion Paper, which actually mentions it as a relevant possession factor (Table 2, page 7). Our interpretation of how the EBA supports (or does not!) SMS OTP is based on our analyses of this process's vulnerabilities, and on the texts' many references to end-to-end security of the authentication elements. As a matter of fact, when the EBA published its first opinion in June 2018, demonstrating that the current practices with SMS OTP were at least not sufficient to comply, many banks considered it a severe warning against SMS OTP. This interpretation was also shared by the ECSG, the "European Cards Stakeholders Group", which is strongly in favour of SMS, in its discussions with the EBA. The ECSG has, however, always considered evolving to biometrics, for instance, a must for the future.
      In summary, SMS OTP is seen as an acceptable solution, but the EBA nevertheless underlines its limits:
      • It is only one factor ("possession") and a second factor is needed. In the medium term, the use of SMS OTP without, for instance, an additional password would have to be reconsidered...
      • Other security concerns (integrity, confidentiality, SIM swapping...) that we have often pointed out as risky, even if not emphasised in the paper, are frequently mentioned in various EBA texts.
      At the end of the day, it now seems that there is a consensus that:
      • SMS is not satisfactory and should at least evolve, possibly be replaced by other methods, and/or be reserved for categories of customers who cannot be reached in any other way (the Thales/Gemalto message for years already!)
      • But considering its wide deployment, its acceptance by customers and merchants, and its actual positive impact on fraud, this evolution will take time. That is precisely what the NCAs are preparing to do by proposing "migration paths", which will be formalised in the coming weeks or months, as allowed by the EBA in this year's opinion paper.
      Your view that "although SMS OTP solution has vulnerabilities, if you connect this solution with a knowledge element (like PIN or password) then you can manage 2FA and SCA" is a valid approach, and I assume it will be backed by the NCAs for the short to medium term. But in the longer term, in the competitive landscape, and to improve customers' security, we still say that it should evolve rapidly, and many banks already share this perspective.
