The 2015 Revised Directive on Payment Services (commonly referred to as PSD2) lays the groundwork for safe and secure payments across the European Union. PSD2 places significant emphasis on ensuring that adequate safeguards are in place to prevent fraud and other unauthorized use of payment mechanisms.
The Delegated Regulation on Regulatory Technical Standards (RTS) adopted by the European Commission in November 2017 outlines the specific requirements for strong customer authentication and the other security measures that need to be in place for such transactions. The document sets out the protocols that must be implemented to protect the security and confidentiality of customer information and to ensure secure and open communication throughout the payment process.
Creating a level playing field
There are various business models currently in use in the payments industry. All of these models co-exist and cater to specific niches of the market. For example, some models might be suited for micro-transactions while others might be more cost effective for cross-border payments. In addition to business models, there are also different technologies and protocols each of which offer different advantages to consumers. Since the goal of PSD2 was to increase competition, fair play and innovation in the payments industry, the new technical standards have been designed to do the same.
The technical specifications within the Regulatory Technical Standards (RTS) are designed to be technology and business-model neutral. There are certain exemptions in place for remote payments, proximity payments, low-value payments (less than EUR 30 or so) and transaction risk analysis. These ensure that the payment backbone is not overburdened while still ensuring best-in-class security.
Ensuring Strong Customer Authentication
The Regulatory Technical Standards specify various elements to ensure Strong Customer Authentication as required under PSD2. Secure communication between banks, financial institutions, Account Information and Payment Initiation Service Providers (AISPs and PISPs) is perhaps the most critical requirement of PSD2 that is covered under the RTS. The standards mandate that financial institutions define transparent KPIs (Key Performance Indicators) and service level targets for their payment interface.
The RTS defines in detail the elements required for strong customer authentication. eIDAS also plays a key role here for the electronic identification and authentication of online platforms via qualified certificates. Other elements include an authentication code that is secure and cannot be forged, dynamic linking of that code to a specific transaction (its amount and payee), and other risk mitigation techniques.
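The dynamic-linking requirement described above is easiest to understand in code. The following is an added example written for this article, not code from the Regulation or from any named product: an authentication code is computed as an HMAC over the payee, the amount and a one-time challenge, so the same code cannot be reused for a different amount, a different payee or a later session. The `Transaction` structure, the key and challenge sizes, the IBAN-like sample values and the HOTP-style truncation to eight digits are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """Fields the authentication code must be dynamically linked to (assumed structure)."""
    payee: str          # beneficiary identifier, e.g. an IBAN
    amount_cents: int   # amount in minor units to avoid floating-point rounding
    currency: str


def canonical(txn: Transaction, challenge: bytes) -> bytes:
    # Deterministic, length-prefixed encoding of exactly the linked fields plus
    # the one-time challenge. Length prefixes prevent ambiguity between, e.g.,
    # ("AB", "C") and ("A", "BC") in the MAC input.
    parts = [txn.payee.encode(), str(txn.amount_cents).encode(),
             txn.currency.encode(), challenge]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def authentication_code(device_key: bytes, txn: Transaction,
                        challenge: bytes, digits: int = 8) -> str:
    """Authentication code bound to (payee, amount, currency, challenge)."""
    mac = hmac.new(device_key, canonical(txn, challenge), hashlib.sha256).digest()
    # HOTP-style dynamic truncation so the code is short enough to read off a device.
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def verify(device_key: bytes, txn: Transaction, challenge: bytes, code: str) -> bool:
    """Server-side check: recompute the code for the transaction actually being
    executed and compare in constant time."""
    expected = authentication_code(device_key, txn, challenge)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Show that the code is valid only for the exact transaction it was issued for."""
    key = secrets.token_bytes(32)        # shared at device enrolment (constructed here)
    challenge = secrets.token_bytes(16)  # one-time nonce issued by the bank for this session
    txn = Transaction("DE89370400440532013000", 12_50, "EUR")  # constructed sample values
    code = authentication_code(key, txn, challenge)

    amount_changed = Transaction(txn.payee, 1_250_00, txn.currency)
    payee_changed = Transaction("GB33BUKB20201555555555", txn.amount_cents, txn.currency)
    return {
        "original": verify(key, txn, challenge, code),
        "amount_changed": verify(key, amount_changed, challenge, code),
        "payee_changed": verify(key, payee_changed, challenge, code),
        "replayed": verify(key, txn, secrets.token_bytes(16), code),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the verifier's behaviour: because the payee and amount are inputs to the MAC, any change between what the user approved and what the bank executes makes verification fail, and because the challenge is single-use the same code is worthless in a later session.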
Risk Analysis and Monitoring
In order to keep the process dynamic and spare the system and end users excessive burden, low-risk transactions are allowed certain exemptions. The exact criteria for classifying a transaction as low risk are stipulated in the standards as well and include the fraud rate for that type of transaction, the transaction value threshold, real-time analysis of user location, spending behaviour and so on. This risk analysis brings an additional layer of control and incentivizes the proper use of risk monitoring tools to keep the payment backbone operating at maximum efficiency.
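To make the exemption logic concrete, here is an added example of an SCA decision routine, written for this article and not taken from the RTS or from any provider's code. It applies the EUR 30 low-value ceiling named above and a transaction-risk-analysis check that combines a location match, a spending-behaviour check and a fraud-rate ceiling per amount band. The `Payment` and `PspRiskProfile` structures, the "three times the average spend" rule and the numeric fraud-rate bands are assumptions chosen for illustration; a real implementation takes the bands from the Regulation and the fraud rate from the provider's own monitoring.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Payment:
    """One remote electronic payment (assumed structure, constructed values in demo)."""
    amount_cents: int
    currency: str
    payer_country: str     # country on record for the payer
    device_country: str    # country the session originates from (real-time location signal)
    payer_avg_cents: int   # payer's historical average payment, from the provider's own data


@dataclass
class PspRiskProfile:
    """Provider-level inputs to transaction risk analysis."""
    # Fraud rate observed for this transaction type over the reporting period.
    fraud_rate: float
    # (max_amount_cents, max_fraud_rate) bands. Illustrative numbers, not the
    # Regulation's own: a larger amount is only exempt at a lower fraud rate.
    bands: List[Tuple[int, float]] = field(default_factory=lambda: [
        (100_00, 0.0013), (250_00, 0.0006), (500_00, 0.0001)])


LOW_VALUE_LIMIT_CENTS = 30_00  # EUR 30 ceiling mentioned in the article


def low_value_exempt(p: Payment) -> bool:
    # Only the per-transaction value is checked here; a production system would
    # also track cumulative value and count since the last SCA.
    return p.currency == "EUR" and p.amount_cents <= LOW_VALUE_LIMIT_CENTS


def tra_exempt(p: Payment, profile: PspRiskProfile) -> bool:
    """Transaction risk analysis: every signal must be unremarkable."""
    if p.currency != "EUR":
        return False
    if p.payer_country != p.device_country:      # location anomaly
        return False
    if p.amount_cents > 3 * max(p.payer_avg_cents, 1):   # spending-behaviour anomaly
        return False
    for max_amount, max_rate in sorted(profile.bands):
        if p.amount_cents <= max_amount:
            return profile.fraud_rate <= max_rate      # fraud-rate ceiling for this band
    return False                                       # above the highest band: never exempt


def requires_sca(p: Payment, profile: PspRiskProfile) -> Tuple[bool, str]:
    """Return (must_apply_sca, exemption_used)."""
    if low_value_exempt(p):
        return False, "low-value"
    if tra_exempt(p, profile):
        return False, "transaction-risk-analysis"
    return True, "none"


def demo() -> dict:
    profile = PspRiskProfile(fraud_rate=0.001)  # constructed: 0.10 %
    cases = {
        "coffee":        Payment(25_00, "EUR", "DE", "DE", 40_00),
        "groceries":     Payment(80_00, "EUR", "DE", "DE", 100_00),
        "roaming":       Payment(80_00, "EUR", "DE", "BR", 100_00),
        "unusual_spend": Payment(400_00, "EUR", "DE", "DE", 100_00),
        "large_normal":  Payment(400_00, "EUR", "DE", "DE", 200_00),
    }
    return {name: requires_sca(p, profile) for name, p in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} sca={decision[0]} exemption={decision[1]}")
```

Note the failure modes the routine handles: a payment that is normal for the payer but sits in a higher amount band is pushed back to full SCA as soon as the provider's observed fraud rate exceeds that band's ceiling, which is exactly the incentive the article describes for keeping fraud monitoring accurate.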
References and Further Reading
- COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
- Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
- Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission
- REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council
- Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Parliament and the European Council
- Revised Directive 2015/2366 on Payment Services (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission
- DIRECTIVE 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013), by the European Parliament and the Council
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority