I have written extensively on EU and EC legislation and its impact on a number of cyber security matters including mobile security, identity, authentication and biometrics.
Recent research has investigated the impact of PSD2 on security, in particular the impact on how payment service providers (PSPs) manage customer authentication.
To summarise the main objectives of PSD2:
- Contribute to a more integrated and efficient European payments market
- Improve the level playing field for payment service providers (PSPs), including new players
- Make payments safer and more secure
- Protect consumers
- Encourage lower prices for payments
The European Parliament adopted PSD2 in October 2015 and EU member states have two years in which to implement the new procedures. The EC states that there is a different date of application for the new security measures, including Strong Customer Authentication (SCA) and standards for secure communication. This is subject to the adoption of the regulatory technical standards, which are being developed by the European Banking Authority (EBA) and adopted by the EC. It is anticipated that the new security measures will apply 18 months after the adoption of the standards by the EC.
PSD2 provides rules for payment security and customer authentication, concentrating on protecting consumers when paying on the internet.
PSD2 applies to all payment service providers (PSPs) operating in the EU, including banks, payment institutions or third party providers (TPPs), and relates to all electronic means of payment.
The EC defines SCA as a process that “validates the identity of the user of a payment service or of the payment transaction”.
SCA is based on the use of two or more of the following elements:
- Knowledge - something only the user knows, e.g. a password or a PIN
- Possession - something only the user possesses, e.g. a card or an authentication code (OTP) generating device
- Inherence - something the user is, e.g. a biometric authenticator such as fingerprint, voice or eye-print
As the UK has voted to exit the EU, will this mean that UK banks and PSPs will not be bound to comply with these regulations (and in fact other EU legislation)? This is a difficult question to answer, as the exact nature of the UK's exit and exactly what will be negotiated once the UK triggers Article 50 is still very much up in the air. What I think will happen is this:
- UK banks and PSPs that have operations in the EU will have to comply with PSD2 - it also makes competitive sense to support PSD2
- PSD2's authentication requirements are pretty much the basic requirements for supporting strong customer authentication, and it makes common sense to support them, especially the risk-based authentication services that allow lower-risk payment transactions to be exempted from strong customer authentication
- Some UK retail banks are owned by European organisations that will want a common strategy for customer authentication that supports PSD2
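The SCA rule above (two or more elements from distinct categories) together with the risk-based exemption for lower-risk transactions, sketched as a PSP-side authorisation decision. This is an added illustration, not code from the post or from any PSP; the low-value limit and risk-score cut-off are assumed placeholder values, since the post notes that the exact conditions are left to the EBA technical standards.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (password, PIN)
    POSSESSION = "possession"  # something only the user has (card, OTP device)
    INHERENCE = "inherence"    # something the user is (fingerprint, voice, eye)


@dataclass(frozen=True)
class Element:
    name: str
    category: Category
    verified: bool  # did this element's check succeed for the attempt?


@dataclass(frozen=True)
class Payment:
    amount_eur: float
    risk_score: float  # 0.0 (lowest) .. 1.0 (highest), from an assumed risk engine


# Assumed policy values for illustration only; PSD2 leaves the exemption
# conditions to the EBA regulatory technical standards.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_RISK_SCORE_MAX = 0.2


def sca_satisfied(elements: list[Element]) -> bool:
    """Two or more *verified* elements from *distinct* categories.
    Two knowledge factors (PIN + password) do not count as strong."""
    categories = {e.category for e in elements if e.verified}
    return len(categories) >= 2


def exempt_from_sca(payment: Payment) -> bool:
    """Risk-based exemption: low-value AND low-risk may skip SCA."""
    return (payment.amount_eur <= LOW_VALUE_LIMIT_EUR
            and payment.risk_score <= LOW_RISK_SCORE_MAX)


def authorise(payment: Payment, elements: list[Element]) -> str:
    """'approved', 'approved-exempt' or 'declined-sca-required'."""
    if sca_satisfied(elements):
        return "approved"
    if exempt_from_sca(payment):
        return "approved-exempt"
    return "declined-sca-required"


# Constructed sample elements for a demonstration run.
PIN = Element("pin", Category.KNOWLEDGE, True)
OTP = Element("hardware-otp", Category.POSSESSION, True)
PASSWORD = Element("password", Category.KNOWLEDGE, True)
FINGERPRINT_FAILED = Element("fingerprint", Category.INHERENCE, False)

if __name__ == "__main__":
    print(authorise(Payment(250.0, 0.5), [PIN, OTP]))               # approved
    print(authorise(Payment(250.0, 0.5), [PIN, PASSWORD]))          # declined-sca-required
    print(authorise(Payment(12.0, 0.1), [PIN, FINGERPRINT_FAILED]))  # approved-exempt
```

The failed fingerprint case shows why the check must count only verified elements: a presented-but-failed factor must not raise the category count.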
Please let me know your thoughts by commenting on this blog. Thank you, and remember: in the global economy no nation is an island!
You can download the Goode Intelligence White Paper "The impact of PSD2 on authentication and security" from here.