Are you ready for PSD2?
The new PSD2 legislation brings fundamental changes to the financial sector. Third parties are now allowed to access consumers’ payment accounts via an API, after the end user has given them explicit permission. In turn, banks and other financial institutions have to implement security measures in their web and mobile apps that reduce the risk of fraud and protect consumers’ data as well as possible.
Strong Customer Authentication
One of the most critical requirements of the PSD2 legislation is Strong Customer Authentication (SCA). SCA has to be applied whenever the end customer accesses payment account information online or initiates an electronic payment. It must follow a strict set of rules, specifically designed by the legislators to make account access and payments by third parties secure.
01. Multi-Factor Authentication
The process of authenticating the customer and initiating an electronic payment needs to be based on at least two of three elements: knowledge (a PIN code or password), possession (a specific paired device) or inherence (biometrics). These SCA elements have to be independent of each other, so that a breach of one element does not compromise the reliability of the others. From these verification factors an authentication code is generated for each access or payment; the payment service provider accepts that code only once, and the customer uses it either to access the payment account online or to authorise the payment transaction.
02. Dynamic Linking
Another important requirement connected to SCA is so-called dynamic linking. To defeat man-in-the-middle attacks against banking applications, the authentication code has to be calculated so that it is specific to at least the amount of the payment transaction and the identity of the payee; the payer has to be shown the amount and payee being authorised, and any change to either of them must invalidate the code. For that reason, payment service providers have to adopt security measures that ensure the confidentiality, authenticity and integrity of the transaction amount and of the other transmitted information, such as the identification of the payee, throughout the whole authentication process.
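The following Python example is added here to illustrate dynamic linking; it is not code from the page or from any bank, and PSD2 does not prescribe an algorithm. It assumes a keyed MAC (HMAC-SHA256) over a length-prefixed encoding of amount, currency, payee IBAN and a one-time challenge from the bank. The device secret, the IBANs and the class and function names (`DEVICE_SECRET`, `BankVerifier`, `device_generate_code`, `run_scenarios`) are hypothetical. The scenarios show that a code approved on the user's device verifies only for exactly that amount and payee, cannot be replayed, and fails if a man in the middle swaps the payee or inflates the amount on its way to the bank.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed, hypothetical device secret: the key a bank would provision into
# the user's paired device (the possession element) at enrolment. In a real
# deployment it is unique per device, kept in secure hardware and never exported.
DEVICE_SECRET = bytes.fromhex(
    "4f2d7c9e1b3a5d8f0e6c2a4b9d1f3e5c7a9b0d2f4e6c8a1b3d5f7e9c0a2b4d6f"
)


@dataclass(frozen=True)
class Transaction:
    amount_minor: int   # amount in minor units, e.g. euro cents
    currency: str       # ISO 4217 code such as "EUR"
    payee_iban: str     # identity of the payee, which the code must be linked to


def canonical_bytes(txn: Transaction, challenge: bytes) -> bytes:
    """Unambiguous encoding of the data the authentication code is linked to.

    Each field is length-prefixed so that two different (amount, currency,
    payee, challenge) tuples can never produce the same byte string.
    """
    fields = [
        str(txn.amount_minor).encode(),
        txn.currency.upper().encode(),
        txn.payee_iban.replace(" ", "").upper().encode(),
        challenge,
    ]
    out = bytearray()
    for field in fields:
        out += len(field).to_bytes(2, "big") + field
    return bytes(out)


def device_generate_code(secret: bytes, approved: Transaction, challenge: bytes) -> str:
    """Runs on the paired device after the user has seen and approved `approved`.

    The code covers exactly the displayed amount and payee plus the bank's
    one-time challenge, so it is useless for any other transaction.
    """
    return hmac.new(secret, canonical_bytes(approved, challenge), hashlib.sha256).hexdigest()


class BankVerifier:
    """Bank side: issues one-time challenges and checks codes against the
    transaction it actually received, not the one the user thinks they approved."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding = set()  # challenges issued and not yet consumed

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, received: Transaction, challenge: bytes, code: str) -> bool:
        # Unknown or already-used challenge: replay or forgery, reject.
        if challenge not in self._outstanding:
            return False
        # One attempt per challenge, whether it succeeds or fails.
        self._outstanding.discard(challenge)
        expected = hmac.new(self._secret, canonical_bytes(received, challenge), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, code)


def run_scenarios() -> dict:
    """Honest flow, replay and two man-in-the-middle tamperings; returns the verdicts."""
    bank = BankVerifier(DEVICE_SECRET)
    # Constructed sample payment: EUR 12.50 to a well-known example IBAN.
    approved = Transaction(12_50, "EUR", "DE89 3704 0044 0532 0130 00")
    results = {}

    # 1. Honest flow: device and bank see the same transaction.
    challenge = bank.issue_challenge()
    code = device_generate_code(DEVICE_SECRET, approved, challenge)
    results["legitimate"] = bank.verify(approved, challenge, code)

    # 2. Replaying the same code and challenge must fail.
    results["replayed"] = bank.verify(approved, challenge, code)

    # 3. Attacker swaps the payee between the device and the bank.
    challenge = bank.issue_challenge()
    code = device_generate_code(DEVICE_SECRET, approved, challenge)
    swapped_payee = Transaction(approved.amount_minor, "EUR", "GB29 NWBK 6016 1331 9268 19")
    results["tampered_payee"] = bank.verify(swapped_payee, challenge, code)

    # 4. Attacker inflates the amount to EUR 1250.00 but keeps the payee.
    challenge = bank.issue_challenge()
    code = device_generate_code(DEVICE_SECRET, approved, challenge)
    inflated = Transaction(1_250_00, "EUR", approved.payee_iban)
    results["tampered_amount"] = bank.verify(inflated, challenge, code)

    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:16s} accepted={ok}")
```

The bank never trusts the amount or payee it is told the user approved: it recomputes the MAC over the values it is about to execute, so any modification in transit surfaces as a mismatch, and the one-time challenge stops a captured code from being presented a second time.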
There are several exemptions from SCA, though. Strong Customer Authentication does not have to be applied when the user makes a contactless payment below a certain EUR amount, when the payee is on a list of trusted beneficiaries the payer has created, when the payer initiates an electronic payment at an unattended terminal for transport fares or parking fees, when the transactions are recurring (same payee, same amount), or when a remote electronic payment is below a specific low value. Once SCA has been applied, a third party providing account information may access the balance and the transactions of the last 90 days without the user going through the whole SCA process again; SCA has to be re-applied after that 90-day period.