Blog - Cryptomathic

PSD2 and the Regulatory Technical Standards for Strong Customer Authentication

Written by Gaurav Sharma (guest) | 08. March 2018

The 2015 Revised Directive on Payment Services (commonly referred to as PSD2) lays the groundwork for safe and secure payments across the European Union. PSD2 places significant emphasis on ensuring that adequate safeguards are put in place to prevent fraud and other unauthorized use of payment mechanisms.

The Delegated Regulation on Regulatory Technical Standards (RTS) adopted by the European Commission in November 2017 outlines the specific requirements for strong customer authentication and the other security measures which need to be in place for such transactions. The document outlines the protocols that must be implemented to protect the security and confidentiality of customer information and to ensure secure and open communication throughout the payment process.

Creating a level playing field

There are various business models currently in use in the payments industry. All of these models co-exist and cater to specific niches of the market. For example, some models might be suited for micro-transactions while others might be more cost-effective for cross-border payments. In addition to business models, there are also different technologies and protocols, each of which offers different advantages to consumers. Since the goal of PSD2 was to increase competition, fair play and innovation in the payments industry, the new technical standards have been designed to do the same.

The technical specifications within the Regulatory Technical Standards (RTS) are designed to be technology- and business-model neutral. There are certain exemptions in place for remote payments, proximity payments, low-value payments (less than EUR 30 or so) and transaction risk analysis. These ensure that the payment backbone is not overburdened while still providing best-in-class security.

Ensuring Strong Customer Authentication

The Regulatory Technical Standards specify various elements to ensure Strong Customer Authentication as required under PSD2. Secure communication between banks, financial institutions, Account Information Service Providers and Payment Initiation Service Providers (AISPs and PISPs) is perhaps the most critical requirement of PSD2 covered under the RTS. The standards mandate that financial institutions define transparent KPIs (Key Performance Indicators) and service level targets for their payment interface.

The RTS defines in detail the elements required for strong customer authentication. eIDAS also plays a key role here, providing electronic identification and authentication of online platforms via qualified certificates. Other elements include an authentication code that is secure and cannot be forged, dynamic linking of that code to a specific transaction (its amount and payee), and other risk mitigation techniques.
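To make the dynamic-linking requirement concrete, here is an added example (not from the article and not Cryptomathic's code) that binds an authentication code to the amount and payee with an HMAC, so that a transaction altered after the payer approved it fails verification. The shared key between the payer's authenticator and the bank, the one-time nonce and the field encoding are assumptions; the RTS mandates the property, not a particular algorithm.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """The fields the RTS requires the code to be bound to: amount and payee."""
    amount_cents: int
    currency: str
    payee: str  # e.g. the payee's IBAN exactly as displayed to the payer


def encode_fields(tx: Transaction, nonce: bytes) -> bytes:
    # Length-prefix every field so that no two (amount, payee, nonce)
    # combinations can produce the same byte string (no delimiter ambiguity).
    out = b""
    for field in (str(tx.amount_cents).encode(), tx.currency.encode(),
                  tx.payee.encode(), nonce):
        out += len(field).to_bytes(4, "big") + field
    return out


def make_auth_code(key: bytes, tx: Transaction, nonce: bytes) -> str:
    """Payer side. Assumes a secret key shared with the payer's bank.

    The nonce is a one-time challenge the bank issued for this payment,
    so a captured code cannot be replayed against a later transaction.
    """
    return hmac.new(key, encode_fields(tx, nonce), hashlib.sha256).hexdigest()


def verify_auth_code(key: bytes, tx: Transaction, nonce: bytes, code: str) -> bool:
    """Bank side: recompute the code over the transaction it is about to execute.

    Any change to amount or payee after approval (for example by malware
    rewriting the payment form) yields a different code, so it is rejected.
    Constant-time comparison avoids leaking how many digits matched.
    """
    expected = make_auth_code(key, tx, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Constructed sample values, not real credentials or accounts.
    key = bytes(range(32))
    nonce = b"\x00" * 15 + b"\x01"
    approved = Transaction(12345, "EUR", "DE89370400440532013000")
    code = make_auth_code(key, approved, nonce)
    print("approved transaction accepted:", verify_auth_code(key, approved, nonce, code))
    tampered = Transaction(99999, "EUR", approved.payee)
    print("amount-tampered transaction rejected:", not verify_auth_code(key, tampered, nonce, code))
```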

Risk Analysis and Monitoring

In order to keep the process dynamic and spare the system and end users excessive burden, low-risk transactions are allowed certain exemptions. The exact criteria for classifying a transaction as low risk are stipulated in the standards as well and include the fraud rate for that type of transaction, the transaction threshold value, real-time analysis of user location, spending behavior and so on. This risk analysis adds a further layer of control and incentivizes the proper use of risk monitoring tools to keep the payment backbone operating at maximum efficiency.

References and Further Reading

  • COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
  • Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more

Image: The European flag, courtesy of Rock Cohen, Flickr (CC BY-SA 2.0)