The Second Payment Services Directive (PSD2), a fundamental piece of payments legislation in Europe, introduces security requirements for the initiation and processing of electronic payments and for the protection of customers' financial data. Its Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure communication apply from 14 September 2019.
Since the European Banking Authority (EBA) published its first opinion in June 2018 on what the PSD2 requirements would mean in practice for the businesses affected, many more questions have arisen. In response, the EBA published a second opinion one year later, entitled "Opinion on the elements of strong customer authentication under PSD2". This paper was highly anticipated by stakeholders in the financial and retail sectors, who hoped it would clarify some of the uncertainties around preparing compliant practices. As the implementation deadline draws nearer, the EBA's second paper provides vital insight into what the future holds after 14 September. We have taken a look at the key takeaways from this paper to see what has changed.
Strong Customer Authentication
The latest paper from the EBA focuses exclusively on "the elements of strong customer authentication" and does not cover other aspects of PSD2, such as open banking. It is addressed to the National Competent Authorities (NCAs), typically central banks and their delegates, and reads as a guideline for them: it is these institutions that supervise the application of PSD2 and its Regulatory Technical Standards by the payment service providers they oversee.
As part of this paper the EBA has also confirmed and summarised, in a table, which methods can and cannot be considered "authentication elements" under PSD2. This matters because the June 2018 paper was somewhat ambiguous on this point and left many stakeholders with unanswered questions.
SMS one-time passwords (OTPs) as an authentication method
The EBA's latest paper reinforces that strong customer authentication, meaning two or more independent elements drawn from the knowledge, possession and inherence categories, is mandatory under PSD2. Interestingly, however, the EBA has stated that SMS one-time password (OTP) solutions, one of the most widely used ways to authenticate customers today, remain an acceptable possession element under PSD2. This is something of a surprise, as the June 2018 paper seemed to conclude that SMS OTP should be replaced by more secure authentication methods, such as biometrics.
The EBA's most recent paper nevertheless points out the weaknesses of SMS OTP compared to more secure alternatives. SMS OTP counts as a possession element only because receipt of the message is taken as evidence of possessing the SIM card, yet the code travels over a channel that is neither confidential nor strongly bound to that SIM: it can be redirected through SIM swapping, intercepted in transit, or read by malware on the handset. A possession element backed by a device-bound cryptographic key, or an inherence element such as an iris pattern, is considerably harder to replicate. Therefore, in the medium term, a stronger possession element or some form of inherence element will still need to be implemented, as the concerns around SIM swapping and confidentiality will have to be addressed.
Nonetheless, as SMS OTP remains an acceptable method for now, improving SMS security, for example by checking with the mobile operator whether the SIM behind a number has recently been replaced before trusting an OTP sent to it, is definitely an area to investigate further over the next few years. It is also good practice to keep SMS OTP available as a fallback for customers who cannot be reached by other authentication methods.
Dynamic Card Verification (DCV) security codes as a possession factor
Confirming the position taken in the EBA's first paper, the use of DCV, where the card security code is not printed on the card but shown on a small display and changes periodically (every hour in current products), may count as evidence of possession, in line with Article 7 of the Regulatory Technical Standards (RTS). This is significant because Article 7 sets requirements for possession elements, including measures designed to prevent the element from being replicated. It also reiterates that the EBA no longer accepts a customer simply typing a card number, expiry date and printed security code into a portal as a possession element.
It is also important to note that from September 2019, under PSD2, a mobile app can only count as a possession element if it is bound to the device it runs on, so device binding becomes a prerequisite for app-based authentication to be compliant. Device binding links an authorised user to a specific device, for example through a key pair generated and held in the secure element or hardware keystore of the phone, or through the SIM card. Each subsequent authentication proves possession of that particular device, which gives transactions stronger assurance without adding friction for the customer. Conversely, card details and the security code printed on the card constitute neither a knowledge element nor a possession element under Articles 6 and 7 of the RTS, since anyone holding or photographing the card can read them.
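The following Go program is an added illustration of the device-binding possession element described above; it is example code written for this article's editing pass, not Gemalto/Thales product code and not an implementation endorsed by the EBA. It assumes an in-memory Ed25519 key pair standing in for a key generated in the phone's secure element or hardware keystore, a hypothetical message format that ties the signature to the amount and payee shown to the user, and that the enrolment step is itself already protected by SCA. The server stores one public key per (user, device) pair, issues a single-use challenge per transaction, and accepts only a signature from the enrolled device over the exact transaction the challenge was issued for, so a replayed signature, an altered amount, or a signature from a different device all fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction holds the details the user is shown and must confirm.
// Constructed for this example; field set is an assumption.
type Transaction struct {
	UserID, DeviceID string
	AmountCents      int64
	Payee            string
}

// Server records one public key per enrolled (user, device) pair and the
// single-use challenges it has issued. Hypothetical structure for illustration.
type Server struct {
	devices    map[string]ed25519.PublicKey // key: userID + "/" + deviceID
	challenges map[string]Transaction       // nonce -> transaction it was issued for
}

func NewServer() *Server {
	return &Server{devices: map[string]ed25519.PublicKey{}, challenges: map[string]Transaction{}}
}

// Device models the mobile app. The private key never leaves the device; on a
// real phone it would live in the secure element or hardware keystore.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// Enroll binds a user to a device by storing that device's public key.
// In production this step itself must be protected by SCA (assumed here).
func (s *Server) Enroll(userID string, d *Device) {
	s.devices[userID+"/"+d.ID] = d.priv.Public().(ed25519.PublicKey)
}

// IssueChallenge creates a random single-use nonce tied to one transaction,
// so the device's signature is dynamically linked to amount and payee.
func (s *Server) IssueChallenge(tx Transaction) (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	s.challenges[nonce] = tx
	return nonce, nil
}

// message is the byte string both sides sign/verify: nonce plus the transaction
// details, so a tampered amount or payee invalidates the signature. Format is
// an assumption of this example.
func message(nonce string, tx Transaction) []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%d|%s", nonce, tx.UserID, tx.DeviceID, tx.AmountCents, tx.Payee))
}

// Sign is what the app does after the user confirms the displayed transaction.
func (d *Device) Sign(nonce string, tx Transaction) []byte {
	return ed25519.Sign(d.priv, message(nonce, tx))
}

// Verify proves possession of the enrolled device and consumes the nonce.
// Any failure also burns the challenge, so an attacker cannot retry it.
func (s *Server) Verify(nonce string, tx Transaction, sig []byte) error {
	issued, ok := s.challenges[nonce]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	delete(s.challenges, nonce) // single use: a replayed signature fails here
	if issued != tx {
		return errors.New("transaction differs from the one the challenge was issued for")
	}
	pub, ok := s.devices[tx.UserID+"/"+tx.DeviceID]
	if !ok {
		return errors.New("device not enrolled for this user")
	}
	if !ed25519.Verify(pub, message(nonce, tx), sig) {
		return errors.New("signature invalid: wrong device key or altered transaction")
	}
	return nil
}

func main() {
	s := NewServer()
	phone, _ := NewDevice("phone-1")
	s.Enroll("alice", phone)
	tx := Transaction{UserID: "alice", DeviceID: "phone-1", AmountCents: 4999, Payee: "ACME Ltd"}
	nonce, _ := s.IssueChallenge(tx)
	sig := phone.Sign(nonce, tx)
	fmt.Println("genuine attempt:", s.Verify(nonce, tx, sig))
	fmt.Println("replayed attempt:", s.Verify(nonce, tx, sig))
}
```

The point of the design is that the server never learns the device's private key and that the signature covers what the customer actually confirmed; possession is proven per transaction rather than once at login, and a key extracted from one handset is useless for a transaction issued to another enrolled device.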
National Competent Authorities (NCAs) and compliance delays
One final point from the EBA, which has received a significant amount of attention from stakeholders, is that it officially allows NCAs, on an exceptional basis, to grant Payment Service Providers (PSPs) limited additional time to migrate to SCA-compliant authentication. To a large extent this was expected, but the latest paper makes it official. From September 2019, it is therefore the NCA, as supervisor, that decides which Strong Customer Authentication practices it accepts from a PSP during that migration period. This will come as good news to many who have been asking for more time to become PSD2 compliant since the directive was adopted in November 2015.
While this second paper has provided a lot more clarity to stakeholders concerned by PSD2, the opinion does not address open banking or the relationships between banks and FinTechs. It is therefore expected that further questions on this more challenging side of PSD2 implementation will need to be answered by the EBA before the September deadline.
You can download our white papers about PSD2 at https://www.gemalto.com/financial/ebanking/psd2 or contact me at Jean.Lambert@thalesgroup.com for more information.