
A closer look at the PSD2 and Risk-Based Authentication


The 8th of October 2015 is the day that Europe took a major step towards adopting more secure online banking – the European Parliament formally adopted the revised Directive on Payment Services, otherwise known as the PSD2.

Whilst this is of particular importance to National Banks, Banks, Card Issuers/Acquirers/Merchants and Payment Service Providers in the Eurozone, EU and EEA countries, the rest of the world is also watching closely.

Let’s have a closer look at how we got here and what it all means…

Back in January 2013 the SecuRe Pay forum published its final Recommendations for the Security of Internet Payments. However they were not formally adopted and remained as recommendations with no legal standing.

The EBA followed in December 2014 by publishing the Final Guidelines on the Security of Internet Payments to provide a legal basis until the PSD2 is implemented in 2017-18.

In spite of industry pushback, the EBA decided that delaying the implementation was not acceptable due to rising fraud, so a “two step approach” was introduced. This means that the EBA Guidelines came into effect as of 1st of August 2015, and the industry is now working to comply* with the guidelines and may later need to implement additional measures for the PSD2.

The PSD2 has been in development since 2013 and has just cleared one of its final hurdles by being adopted by the European Parliament. It will formally come into effect in late 2017, with some of the security measures coming into effect up to 18 months later.

I will focus on a few important points from the PSD2:

  • Strong customer authentication when accessing payment accounts online, initiating electronic payments, and other actions through remote channels which have a risk of payment fraud.
  • Details of the transaction amount and payee must be linked to the strong authentication.
  • Exemption from strong authentication based on the level of risk.
  • Better consumer experience: “Allow for the development of user-friendly, accessible and innovative means of payment.”

Strong customer authentication as defined by the PSD2 requires the use of two or more of: knowledge – something you know (e.g., PIN, password), possession – something you own (e.g., token, card reader, smart phone), and inherence – something you are (e.g., biometric). Additionally, the factors need to be independent, so that the breach of one doesn’t compromise the others. (The European Commission has published a PSD2 Frequently Asked Questions page.)

Channels in the scope of the PSD2 include desktop web browsers, mobile web browsers and native mobile apps, plus Card Not Present (CNP) 3D Secure transactions. (MasterCard has published a FAQ document on 3D Secure transactions.)

Transaction details need to be presented to the customer as part of the strong authentication method, such as the payee and amount delivered in an SMS together with a one-time code, or shown within a mobile app combined with a token code or a request to complete a biometric challenge.

The PSD2 specifically calls out risk assessments, allowing for low risk activities to be exempt from strong authentication.

This naturally leads us to our last point, customer convenience – user friendly, accessible and innovative. Not all activities need to be subject to strong authentication, provided they are subject to a risk assessment and are rated low risk; additionally, the method of strong authentication itself should be user friendly.
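As an added example (not RSA’s code or text from the PSD2), here is a minimal Python policy check tying the three points above together: a constructed toy risk score decides whether a transaction is exempt, the presented factors must span two of the three PSD2 categories, and the one-time code is HMAC-bound to the amount and payee so that a code issued for one payee cannot authorise a payment to another. The factor names, weights, threshold and per-customer shared secret are assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Factor categories named by the PSD2; strong authentication needs two or more
# factors from distinct categories (constructed mapping for the example).
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "hw_token": "possession", "device": "possession",
                   "fingerprint": "inherence", "face": "inherence"}

@dataclass
class Transaction:
    amount: float
    payee: str
    new_payee: bool       # payee never used by this customer before
    device_known: bool    # device previously seen for this customer
    country_match: bool   # connection geolocation matches the customer's home country

def risk_score(tx: Transaction) -> int:
    """Constructed toy scorer (not RSA's risk engine): higher means riskier."""
    signals = [(tx.amount > 500, 40), (tx.new_payee, 30),
               (not tx.device_known, 20), (not tx.country_match, 30)]
    return sum(weight for hit, weight in signals if hit)

def requires_sca(tx: Transaction, threshold: int = 50) -> bool:
    """Risk-based exemption: only transactions at or above the threshold need strong authentication."""
    return risk_score(tx) >= threshold

def is_strong_auth(factors) -> bool:
    """Independence check: the presented factors must span at least two categories."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2

def linked_code(secret: bytes, amount: float, payee: str) -> str:
    """Dynamic linking: the one-time code is an HMAC over amount and payee, so a
    code issued for one payee cannot authorise a payment to another."""
    digest = hmac.new(secret, f"{amount:.2f}|{payee}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

def verify_payment(tx: Transaction, secret: bytes, factors, code: str) -> str:
    """Policy decision: exempt low-risk payments, otherwise demand SCA plus a linked code."""
    if not requires_sca(tx):
        return "approved: low risk, exempt from strong authentication"
    if not is_strong_auth(factors):
        return "rejected: fewer than two independent factors"
    if not hmac.compare_digest(code, linked_code(secret, tx.amount, tx.payee)):
        return "rejected: code not linked to this amount and payee"
    return "approved: strong authentication passed"
```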

We enthusiastically support these approaches, and our technologies have been helping our customers do this for more than a decade. Built upon RSA’s risk engine, our solutions lead the market with exceptionally high fraud detection rates combined with low challenge rates.

RSA Adaptive Authentication protects logins, transactions and sensitive post-login activities for banks, online merchants and financial service providers. By combining a risk assessment with policy control, strong authentication can be paired with customer convenience. RSA’s newly released mobile SDK with biometric authentication enables our customers to perform strong authentication, including biometrics, and to show transaction details – all in the customer’s own app.

RSA Adaptive Authentication for eCommerce protects Card Not Present (CNP) 3D Secure transactions for card issuers. The RSA risk engine provides its high fraud detection rates, card issuers retain control of the policy, the vast majority of cardholder transactions are low risk and processed transparently, and only the small minority of transactions rated as truly high risk require strong authentication.

* Estonia, Cyprus, Slovakia, Sweden, UK and Iceland have announced they will not, or only partially, comply with the EBA guidelines and go straight to implementation of the PSD2.

For more information about European Banking Authority and PSD2 regulations, and how RSA can help support compliance with them, please see our European Union Payment Regulations – EBA and PSD2 overview.

Follow us on Twitter @RSAFraud @n8close


The post A closer look at the PSD2 and Risk-Based Authentication appeared first on Speaking of Security - The RSA Blog and Podcast.
