Are 3D-Secure and One Time Passwords compliant with PSD2?

Last updated: 03 May 2018

In a previous post, we looked into how PSD2 governs the use of mobile devices and what security measures software developers need to consider. Today, we’re looking at banks’ use of 3D Secure and One Time Passwords, and whether they will be permitted under the new regulations.


3D-Secure is a way to connect a merchant and a consumer with the consumer’s bank in an ecommerce context. When making an online purchase using their bank card, the consumer is prompted to authenticate. The bank then activates the chosen authentication method and sends its answer back to the merchant over the 3D-Secure channel. But with PSD2’s regulatory standards coming into force from September 2019, can banks still rely on 3D-Secure?

As a means of enabling Strong Customer Authentication and dynamic linking of the transaction, 3D-Secure is very much in line with PSD2’s Regulatory Technical Standards (RTS).

Furthermore, EMVCo has published a new version, 3D-Secure 2.0, whose first deployments are expected this year. This version will further facilitate compliance with the RTS by making it easier to use Strong Customer Authentication methods on mobile devices, as well as Transaction Risk Analysis (TRA). Visa explains how 3D-Secure 2.0 works in a bit more detail in this infographic.

One Time Passwords

One-time passwords (OTPs) are valid for only one login session or transaction on a digital device. Their main advantage over static passwords is that OTPs are not vulnerable to replay attacks. However, sending OTPs by SMS is questioned by the RTS on two fronts:

  1. Simple OTPs that don’t implement dynamic linking do not satisfy the RTS requirements for payment.
  2. OTPs that are dynamically linked to the transaction amount and the beneficiary AND display such information within the SMS are closer to compliance, but are still questionable on two fronts:
    1. The user is not in control of the dynamic linking. This is done by a bank server based on a transaction that is supposedly generated by the legitimate user, but can easily be generated by a hacker;
    2. The resulting OTP can easily be re-routed to the hacker’s mobile phone, using proven techniques such as SIM SWAP or ZitMo, and not seen at all by the user.
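
To make the difference between points 1 and 2 concrete, the following added example (not Gemalto's or any bank's implementation) contrasts a plain OTP with a code computed over the amount and the beneficiary. The key, counter, field encoding and payee strings are constructed assumptions, and the HMAC construction is a simplified illustration of dynamic linking, not a scheme prescribed by the RTS.

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int = 8) -> str:
    """RFC 4226-style dynamic truncation of an HMAC to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def simple_otp(key: bytes, counter: int) -> str:
    """Plain OTP: one-time, but independent of amount and payee."""
    return _truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest())


def linked_code(key: bytes, counter: int, amount_minor: int, currency: str, payee: str) -> str:
    """Code computed over the counter AND the payment details."""
    fields = [str(counter), str(amount_minor), currency.upper(), payee.replace(" ", "").upper()]
    # Length-prefix every field so "1" + "23" and "12" + "3" produce different input.
    msg = b"".join(struct.pack(">H", len(f.encode())) + f.encode() for f in fields)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def verify_linked(key: bytes, counter: int, amount_minor: int, currency: str, payee: str, code: str) -> bool:
    """Bank-side check: recompute from the transaction actually being executed."""
    expected = linked_code(key, counter, amount_minor, currency, payee)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample, not a real secret
    shown = dict(amount_minor=4999, currency="EUR", payee="DE00 EXAMPLE 0001")  # constructed
    code = linked_code(key, 7, **shown)  # code for the payment the user approved
    return {
        "same_payment": verify_linked(key, 7, code=code, **shown),
        "payee_changed": verify_linked(key, 7, code=code, **dict(shown, payee="GB00 EXAMPLE 9999")),
        "amount_changed": verify_linked(key, 7, code=code, **dict(shown, amount_minor=499900)),
        # A simple OTP has no payment input, so it cannot tell these cases apart.
        "simple_otp": simple_otp(key, 7),
    }


if __name__ == "__main__":
    print(demo())
```

The linked code only verifies for the exact amount and payee it was computed over, whereas the simple OTP is the same value whatever payment it ends up authorising.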

Beyond compliance, there are actual security risks in using SMS, as discussed in one of our previous posts on the topic.

What do banks need to do?

To ensure compliance and to fight fraud, banks should rely on technologies that are resistant to attacks and comply fully with the RTS.

The following set-up would allow them to reach all users:

  • For users who have a smartphone, use secured out-of-band authentication combined with in-App dynamic linking capabilities. This is fully in line with the experience these users expect and, if well implemented, is highly secure and compliant with the RTS. Gemalto Mobile Secure Messenger and Mobile Protector enable such use cases.
  • For users who do not have a smartphone, deploy RTS-compliant authentication devices, such as Gemalto authentication tokens. Such users are more conservative, not mobile and in need of security; they are reassured and comfortable using such devices when they bank or buy online.
  • Limit SMS OTP to consumer segments that for some reason cannot be covered with the above methods.

For more on PSD2, check out our previous posts on the subject, or download our white papers on mobile and device-based authentication.
