What is PSD2?
The European Banking Authority (EBA) has published its final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) under Directive 2015/2366/EU, also known as the revised Payment Services Directive (PSD2). PSD2 aims to harmonize the European retail payments market, securing Internet payments across national borders while fostering the adoption of innovative, easy-to-use and secure payment services. These measures are intended to combat Card-Not-Present (CNP) fraud and to increase the confidence of European citizens in e-commerce, e-banking and other online activities. PSD2 applies from 13 January 2018; the full set of Strong Customer Authentication requirements under the RTS is expected to become applicable in August or September 2019.
What are the strong authentication requirements for PSD2 compliance?
One of the key elements of PSD2 is the requirement to perform strong authentication of users of electronic payment services. In recent years, the security of electronic payments in Europe has increasingly been shaped by shared guidelines and regulations, initiated by the European financial regulators as well as the European Commission.
Authentication must be based on two or more independent factors, categorized as knowledge (something only the user knows, such as a password), possession (something only the user has, such as a token) or inherence (something the user is, typically a biometric such as a fingerprint or face scan). The factors must be independent of each other: compromising one must not compromise the others.
Transaction Risk Analysis.
The RTS mandate the use of transaction risk analysis (TRA) to prevent, detect and block fraudulent payments. TRA should be based on elements such as the payer's transaction history, the device used to conduct the payment, and risk rules.
Mobile App Cloning Countermeasures.
The RTS mandate dedicated countermeasures against mobile app cloning. These can include encrypting the data used by the app with a cryptographic key stored inside the device's Secure Element, or using a password or PIN to encrypt the data the app uses to generate a one-time password (OTP), so that a copy of the app's storage cannot produce valid OTPs on another device.
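The following is an added example, not code from VASCO or from the RTS, showing the second countermeasure above in working form: the OTP seed is wrapped with a key derived from both the user's PIN and a device-bound secret, so a byte-for-byte clone of the app's storage is useless on another device. The device secret stands in for a non-exportable key held in a Secure Element or keystore and is simulated with random bytes; the wrapping primitive is a toy encrypt-then-MAC built from HMAC-SHA256 so the example runs on the standard library alone (a production app would use AES-GCM from a vetted library). The scenario, names and PIN are constructed for illustration.

```python
"""Added example (not VASCO/OneSpan code): anti-cloning protection for an
OTP seed. Assumptions: device_secret simulates a Secure Element key that
never leaves the device; the wrap/unwrap primitive is a toy HMAC-based
encrypt-then-MAC used only to keep the example stdlib-only."""
import hashlib
import hmac
import os
import struct
from typing import Optional


def derive_wrap_key(pin: str, device_secret: bytes) -> bytes:
    # PBKDF2 over the PIN, salted with the device-bound secret: an attacker
    # who copies the app's storage still lacks the salt, and one who steals
    # the device still has to guess the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000, dklen=32)


def wrap_seed(seed: bytes, wrap_key: bytes) -> bytes:
    # Toy encrypt-then-MAC: XOR with an HMAC-derived keystream, then tag.
    nonce = os.urandom(16)
    keystream = hmac.new(wrap_key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(seed, keystream))  # seed is at most 32 bytes
    tag = hmac.new(wrap_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_seed(blob: bytes, wrap_key: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(wrap_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong PIN or wrong device: refuse to produce anything
    keystream = hmac.new(wrap_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226 HOTP (HMAC-SHA1, dynamic truncation).
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def generate_otp(blob: bytes, pin: str, device_secret: bytes, counter: int) -> Optional[str]:
    """What the app does at login: unwrap the seed, then compute the OTP."""
    seed = unwrap_seed(blob, derive_wrap_key(pin, device_secret))
    return None if seed is None else hotp(seed, counter)


def provision_and_clone_demo() -> dict:
    """Constructed scenario: provision device A, then copy its storage to device B."""
    seed = os.urandom(20)             # issued by the server at provisioning time
    pin = "4711"                      # constructed PIN
    device_a_secret = os.urandom(32)  # simulated Secure Element key of device A
    device_b_secret = os.urandom(32)  # the clone runs on a different device
    blob = wrap_seed(seed, derive_wrap_key(pin, device_a_secret))
    counter = 1
    return {
        "server": hotp(seed, counter),                                   # what the server expects
        "genuine": generate_otp(blob, pin, device_a_secret, counter),    # matches
        "clone": generate_otp(blob, pin, device_b_secret, counter),      # None: same PIN, wrong device
        "wrong_pin": generate_otp(blob, "0000", device_a_secret, counter),  # None
    }


if __name__ == "__main__":
    print(provision_and_clone_demo())
```

The tag check in `unwrap_seed` is what turns a cloned blob into a hard failure rather than a wrong OTP: without it the clone would silently produce garbage codes, which is harder to alert on server-side.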
Dynamic Linking.
For a payment transaction, the authentication code must be dynamically linked to the amount and the payee: the code changes if either the amount or the payee is altered during the transaction. For mobile apps, the payment information must additionally be exchanged over a secure channel and be clearly displayed to the user for confirmation.
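An added example of dynamic linking, not VASCO's or the RTS's own construction: the authentication code is an HMAC-SHA256 over the amount, the payee and a per-transaction server nonce, keyed with a secret the app and the payment service provider share from provisioning. The app computes the code over the details it displays to the user; the server recomputes it over the details it actually received, so a man-in-the-browser that swaps the payee or raises the amount in transit produces a mismatch. The shared key, the nonce and the IBANs are constructed for illustration.

```python
"""Added example (not VASCO/OneSpan code): an HMAC-based authentication
code dynamically linked to amount and payee. Assumptions: a 32-byte key
shared at provisioning, 8-digit codes, amounts in minor units (cents)."""
import hashlib
import hmac
import os
import struct


def canonical_transaction(amount_minor: int, currency: str, payee: str, nonce: bytes) -> bytes:
    # Length-prefix every field. Plain concatenation ("EUR" + "DE89...") would
    # let bytes be shifted between fields without changing the MAC input.
    fields = [struct.pack(">Q", amount_minor), currency.encode(), payee.encode(), nonce]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def authentication_code(key: bytes, amount_minor: int, currency: str, payee: str,
                        nonce: bytes, digits: int = 8) -> str:
    """App side: sign exactly what is shown to the user."""
    mac = hmac.new(key, canonical_transaction(amount_minor, currency, payee, nonce),
                   hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def verify_code(key: bytes, amount_minor: int, currency: str, payee: str,
                nonce: bytes, code: str) -> bool:
    """Server side: recompute over the transaction as received, compare in constant time."""
    expected = authentication_code(key, amount_minor, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def man_in_the_browser_demo() -> dict:
    """Constructed scenario: the user confirms one transfer, malware alters it in transit."""
    key = os.urandom(32)    # shared app/server key from provisioning
    nonce = os.urandom(16)  # issued by the server for this transaction only
    amount, currency, payee = 12500, "EUR", "DE89370400440532013000"  # EUR 125.00 (constructed)
    code = authentication_code(key, amount, currency, payee, nonce)     # computed on the user's device
    return {
        "genuine": verify_code(key, amount, currency, payee, nonce, code),                         # True
        "payee_swapped": verify_code(key, amount, currency, "GB33BUKB20201555555555", nonce, code),  # False
        "amount_raised": verify_code(key, 125000, currency, payee, nonce, code),                    # False
        "replayed": verify_code(key, amount, currency, payee, os.urandom(16), code),                # False
    }


if __name__ == "__main__":
    print(man_in_the_browser_demo())
```

The nonce gives the code a lifetime of one transaction, so an attacker who observes a valid code cannot resubmit the same amount and payee later; the length-prefixed encoding is the detail most often missed when a team builds this themselves.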
Independence of Authentication Elements.
Where an authentication element or the authentication code is used on a multi-purpose device (e.g., a mobile phone or tablet), payment service providers shall adopt security measures, including software-based secure execution environments, to mitigate the risk of that device being compromised.
Which VASCO solutions support PSD2 compliance?
IDENTIKEY Risk Manager for Mobile
VASCO created this solution to analyze and manage the risk of the existing and emerging mobile channel. It collects all communication and transactions coming from the mobile channel, allowing the payment provider to evaluate typical spending behavior, and it performs an extensive analysis to measure the risk of the mobile device in use.
Runtime Application Self-Protection (RASP)
VASCO’s RASP solution mitigates attacks targeting the application. If the application is attacked, RASP will detect it and immediately react — shutting down the app and/or reporting that malicious activity was detected.
DIGIPASS for Apps
DIGIPASS for Apps is a comprehensive software development kit (SDK) that natively integrates application security and two-factor authentication into your app.
Multifactor and Biometric Framework
When working together with VASCO's multifactor and/or biometric framework, IDENTIKEY Risk Manager is provided with information about the authentication method used. When the user logs in with a "selfie" (face recognition), for example, additional information is provided (matching score, liveness detection score, and quality score of the picture).