The European Commission adopted the Delegated Regulation on Regulatory Technical Standards (RTS) in November 2017. These standards provide detailed specifications to achieve the strict security requirements for payment service providers in the EU.
The standards make reference to the PSD2 directive as well as other mechanisms for ensuring transactional security like eIDAS and trust services.
The main thrust of the RTS is as follows:
- Ensuring Strong Customer Authentication (SCA) as required under the Revised Directive on Payment Services (commonly known as PSD2). This requires the adoption of certain security elements including those provided under eIDAS.
- Defining exemptions from SCA for specific cases based on transactional amount, risk, mode and other features. This ensures that transactions are treated appropriately based on the level of risk. Such a provision for differential treatment ensures the optimum balance between security and speed.
- Ensuring the confidentiality and integrity of user credentials.
- Establishing open and standard communication channels between all parties - AISPs, PISPs, banks, financial institutions, payees, payers and other service providers, as per PSD2. This not only ensures adequate security but also places AISPs and PISPs on a level playing field with the financial institutions.
The idea behind all of this is to provide a secure environment for payment processing and to prevent financial fraud and theft. This is done through strong customer authentication and transaction monitoring to detect any instances of fraud.
Knowledge, Possession and Inherence
The elements required to ensure strong customer authentication are defined as follows in the RTS:
- Knowledge - Something that only the user knows
- Possession - Something that only the user possesses
- Inherence - Something that the user is
These elements must be independent of each other so as to mitigate the risk of fraud if one of them is compromised. A combination of these elements, transmitted over a secure channel, can ensure the right level of security for financial transactions.
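As an added illustration (not part of the article or the RTS), a small Python check of the two rules just stated: at least two elements from distinct categories, and independence between them. The independence test rests on an assumed model in which each element has a single "compromise domain" (the device, channel or memory an attacker would have to control to defeat it); the element names and sample attempts are constructed.

```python
from dataclasses import dataclass
from itertools import combinations

# Assumed model, not taken from the RTS: each element has a category and a
# "compromise domain", the one thing an attacker must control to defeat it
# (the device that stores it, the channel it travels over, the user's memory).
CATEGORIES = {"knowledge", "possession", "inherence"}

@dataclass(frozen=True)
class Element:
    name: str
    category: str
    compromise_domain: str

def check_sca(elements):
    """Return (ok, reasons): ok only if some pair of elements spans two
    distinct categories AND two distinct compromise domains, so that one
    compromise cannot defeat both (the independence rule)."""
    reasons = []
    bad = [e.name for e in elements if e.category not in CATEGORIES]
    if bad:
        reasons.append("unknown category for: " + ", ".join(bad))
    valid = [e for e in elements if e.category in CATEGORIES]
    if len({e.category for e in valid}) < 2:
        reasons.append("fewer than two distinct categories presented")
        return False, reasons
    for a, b in combinations(valid, 2):
        if a.category != b.category and a.compromise_domain != b.compromise_domain:
            return True, reasons  # an independent two-category pair exists
    reasons.append("every cross-category pair shares a compromise domain")
    return False, reasons

if __name__ == "__main__":
    # Constructed sample attempts, not real data.
    attempts = {
        "password + authenticator app": [
            Element("password", "knowledge", "user-memory"),
            Element("app-otp", "possession", "phone")],
        "password + PIN": [
            Element("password", "knowledge", "user-memory"),
            Element("pin", "knowledge", "user-memory")],
        "password in phone vault + OTP on same phone": [
            Element("vault-password", "knowledge", "phone"),
            Element("app-otp", "possession", "phone")],
    }
    for label, elems in attempts.items():
        ok, why = check_sca(elems)
        print(f"{label}: {'SCA ok' if ok else 'FAIL: ' + '; '.join(why)}")
```

The third attempt fails even though it presents two categories, because both elements fall with a single compromised phone.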
Qualified seals and certificates
The standards mandate the use of qualified electronic seals and qualified website authentication certificates for communications between payment service providers. These elements are defined in detail in Annexes III and IV of the eIDAS regulation and provide the high level of security which is necessary for financial transactions.
Certificates for website authentication play a very important role in ensuring the security and integrity of online transactions. It is no surprise then that almost two-thirds of all websites use these certificates. Qualified Certificates for Website Authentication (QWAC) are a special case which have been defined under the eIDAS regulation, and the RTS has now made these certificates mandatory for payment-related transactions.
Secure and open communication channels
PSD2 has been designed to ensure a level playing field and encourage innovation in the payments industry. Secure and open communication between financial institutions and Payment/Account Information Service Providers is a key prerequisite to ensure fairness. The technical standards mandate the existence of at least one interface that financial institutions must provide to securely send and receive information from PISPs/AISPs. Additionally, the level of performance and availability of this interface must match what the financial institutions provide to their users directly.
References and Further Reading
- COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
- Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council
- Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Parliament and the European Council
- Revised Directive 2015/2366 on Payment Services (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- DIRECTIVE 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013), by the European Parliament and the Council
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority
Image: EU flag, courtesy of Quinn Dombrowski, Flickr (CC BY-SA 2.0)