The implementation of the EU’s Second Payment Services Directive, better known as PSD2, is now complete: all countries in the bloc were required to have transposed its provisions into national law by January 13th this year.
However, the work is not finished. Further PSD2 measures, specifically those covering customer authentication and fraud prevention, are still to be implemented later this year.
Technical standards set to come into force
At the heart of this are the updated regulatory technical standards (RTS) governing strong customer authentication (SCA). These have a crucial role to play in keeping payment services secure in an environment where PSD2 opens banking up to a significant number of new players.
The RTS set out what counts as strong authentication: the use of at least two factors drawn from three different elements, namely knowledge (something the customer knows), possession (something the customer has) and inherence (something the customer is).
One of the most critical decisions for financial institutions in complying with the rules will be how they interpret these guidelines and which authentication measures they provide.
Ensuring strong customer authentication
PSD2’s rules require banks to use two or more elements that are independent of each other, so that the compromise of one does not compromise the other. Certain transactions will be exempt if they are deemed low-risk or low-value, or use specific secure channels. Financial institutions will therefore need to identify when SCA must be applied, as well as what form it should take.
It’s likely that most banks will use a knowledge-based method such as a password or a PIN for one element, as this is both familiar to customers and easy to implement. Choosing the second element involves many more considerations.
For example, a possession-based factor such as a one-time code sent by SMS or a dedicated hardware token may work well, but banks should consider what happens when a customer loses the device, as well as the potential for attacks such as SIM swapping to defeat a mobile-phone-based solution. Inherence factors, usually biometrics, may be more secure in a perfect world, but is the accuracy of today’s technology good enough?
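To make the two decisions above concrete (does this transaction need SCA at all, and do the presented factors satisfy it?), here is an illustrative policy check in Python. It is an added example, not code from the article, the regulator or any bank. The mapping of authenticators to RTS elements, the low-value threshold, the list of "secure" channels, the choice of whether SMS codes count as possession at all, and the channel-based model of independence are all assumptions made for the example; the RTS itself permits factors on a shared device with additional mitigations, which this simplified rule does not model.

```python
"""Illustrative SCA decision logic for a payment service provider.

Added example: not code from the article, the EBA or any bank. The
factor-to-element mapping, the exemption threshold, the secure-channel list
and the independence rule below are assumptions made for this example.
"""
from decimal import Decimal

# The three RTS elements named in the article.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Hypothetical mapping of concrete authenticators to RTS elements.
FACTOR_CATEGORY = {
    "password": KNOWLEDGE,
    "pin": KNOWLEDGE,
    "sms_otp": POSSESSION,          # exposed to SIM swapping, see article
    "hardware_token_otp": POSSESSION,
    "app_push": POSSESSION,
    "fingerprint": INHERENCE,
    "face": INHERENCE,
}

# Hypothetical low-value threshold; the article gives no figure.
LOW_VALUE_LIMIT = Decimal("30.00")

# Hypothetical set of channels the bank treats as secure for exemption purposes.
SECURE_CHANNELS = {"secure_corporate"}


def sca_required(amount, access_channel):
    """Decide whether a transaction needs SCA at all.

    amount is a string such as "20.00" (Decimal avoids float rounding on
    money); access_channel is the path the payer is using.
    Returns (required, reason).
    """
    value = Decimal(amount)
    if value <= LOW_VALUE_LIMIT:
        return False, "low-value exemption"
    if access_channel in SECURE_CHANNELS:
        return False, "secure channel exemption"
    return True, "no exemption applies"


def sca_satisfied(presented, count_sms_otp=False):
    """Check that the presented factors form valid SCA.

    presented: list of (factor_name, delivery_channel) tuples, for example
    ("password", "browser"). Two rules are enforced:
      1. at least two distinct RTS elements (knowledge/possession/inherence);
      2. independence, modelled here as: the counted factors must not all
         travel over a single delivery channel. A PIN typed into the same app
         that approves a push is treated as one point of compromise. This is
         a simplifying assumption, not the RTS wording.
    count_sms_otp lets the bank decide whether SMS codes count as possession
    at all, given the SIM-swap risk the article raises.
    Returns (ok, reason).
    """
    elements = set()
    channels = set()
    for name, channel in presented:
        category = FACTOR_CATEGORY.get(name)
        if category is None:
            return False, "unknown factor %r" % name
        if name == "sms_otp" and not count_sms_otp:
            continue  # policy: SMS OTP does not count towards the two elements
        elements.add(category)
        channels.add(channel)
    if len(elements) < 2:
        return False, "only %d distinct element(s) presented" % len(elements)
    if len(channels) < 2:
        return False, "factors are not independent (single channel)"
    return True, "two or more independent elements"


def authorise(amount, access_channel, presented, count_sms_otp=False):
    """Combine the two decisions. Returns (allowed, reason)."""
    required, why = sca_required(amount, access_channel)
    if not required:
        return True, why
    return sca_satisfied(presented, count_sms_otp)


if __name__ == "__main__":
    # Constructed sample cases, not real transactions.
    print(authorise("20.00", "web", []))
    print(authorise("250.00", "web", [("password", "browser"), ("hardware_token_otp", "token")]))
    print(authorise("250.00", "web", [("password", "browser"), ("sms_otp", "sms")]))
    print(authorise("250.00", "app", [("pin", "mobile_app"), ("fingerprint", "mobile_app")]))
```

The point of separating `sca_required` from `sca_satisfied` is that the exemption logic and the factor logic are audited for different reasons: the first is where a risk team tunes thresholds, the second is where a security team decides which authenticators count. Note that with the default policy a password plus an SMS code is rejected, which is exactly the trade-off the article asks banks to think about.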