Industry Briefing
Strong authentication of Internet Payments in Europe - the new PSD2
Copyright
© 2015 VASCO Data Security. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.
Trademarks
MYDIGIPASS.com, DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. Any trademark that is not owned by Vasco that appears in the document is only used to easily refer to applications that can be secured with authentication solutions such as the ones discussed in the document. Appearance of these trademarks in no way is intended to suggest any association between these trademarks and any Vasco product or any endorsement of any Vasco product by these trademarks’ proprietors. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.
Table of Contents
Introduction 4
What happened previously 5
Strong customer authentication under PSD2 6
Implementation of PSD2 8
Conclusions 9
Research Sources 10
Introduction
On October 8th, the European Parliament adopted the revised Directive on Payment Services, also known as PSD2 (1). The new directive, which is the long-awaited successor of the first Payment Services Directive from 2007, aims to harmonize the European retail payments market, which is very much fragmented along national borders, and to foster the adoption of innovative, easy-to-use and secure payment schemes.

In this article I will provide an overview of the requirements of PSD2 regarding the authentication of consumers involved in a payment, a topic that generated a lot of discussion among members of the European Parliament during the past years.
What happened previously
PSD2 is the latest development in a series of European regulatory initiatives aimed at securing Internet payments. These initiatives intend to combat Card-Not-Present (CNP) fraud and increase the confidence of European citizens regarding e-commerce, e-banking and other online activities.

In January 2013, the SecuRe Pay forum of the European Central Bank (ECB) published its final recommendations (2) for the security of Internet payments. In February 2014, SecuRe Pay also published an assessment guide (3) to help regulatory authorities apply the ECB’s recommendations.

In order to provide a more solid legal basis for the ECB’s recommendations, in December 2014 the European Banking Authority (EBA) published its final guidelines (4) on the security of Internet payments, which are almost identical to the ECB’s recommendations.

Since the negotiations for PSD2 were still ongoing, a two-step approach was chosen for the implementation of the EBA guidelines: immediate implementation as of August 1st 2015, followed by an upgrade with the more stringent regulations derived from PSD2. On May 21st 2015, the EBA published the list of European national authorities that intended to enforce the guidelines.

[Figure: EBA Upgrade]
Strong customer authentication under PSD2
PSD2 uses the same definition of “strong customer authentication” as the EBA guidelines, which is based on the traditional concept of two-factor authentication. “Strong customer authentication” is defined as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.

Under article 97(1) of PSD2, Payment Service Providers (PSPs) must apply “strong customer authentication where the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; [or] (c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses”.

So far this is very similar to the EBA guidelines. However, article 97(2) of PSD2 goes a step further for “electronic remote payment transactions”, which include all transactions over the Internet. For such transactions, Payment Service Providers must apply strong customer authentication that includes “elements which dynamically link the transaction to a specific amount and a specific payee”. This could also be referred to as strong payment authentication.

[Figure: Strong Authentication]
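The following is an added worked example, not code from the briefing, from VASCO or from the directive, showing what the two ideas above look like when implemented: two independent elements (a knowledge element, the PIN, and a possession element, a device-held key) and a one-time code that is computed over the amount and the payee, so that a code issued for one transaction is useless for a transaction with a different amount or payee. The HMAC-based truncation to a short numeric code is one common construction (HOTP-style) chosen for the example; the key, salt, PIN, challenge values and payee strings are constructed placeholders.

```python
"""PSD2-style strong payment authentication with dynamic linking.

Added illustration, not code from the directive, the EBA or VASCO.
Two independent elements are checked:
  * knowledge  - a PIN the user knows, verified against a salted hash
  * possession - a device-held key that computes a one-time code over the
                 amount and payee (the "dynamic link")
All secrets and transaction values below are constructed for the example.
"""

import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for values a real PSP would provision per user/device.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4711", PIN_SALT, 100_000)


@dataclass(frozen=True)
class Transaction:
    amount_cents: int
    currency: str
    payee: str       # e.g. an IBAN; constructed values in demo()
    challenge: str   # server-issued, single-use; binds the code to this attempt


def canonical(tx: Transaction) -> bytes:
    """Fixed-order, delimited encoding of the fields the code must be bound to."""
    return f"{tx.amount_cents}|{tx.currency}|{tx.payee}|{tx.challenge}".encode()


def transaction_code(key: bytes, tx: Transaction, digits: int = 8) -> str:
    """Possession element: HMAC over the transaction, truncated (HOTP-style)
    to a short numeric code the user reads from the device at checkout."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


def verify_knowledge(pin: str) -> bool:
    """Knowledge element: constant-time comparison against the stored PIN hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
    return hmac.compare_digest(candidate, PIN_HASH)


def authorise(tx: Transaction, pin: str, code: str, used_challenges: set) -> bool:
    """Both elements must pass, the code must have been computed over exactly
    this amount and payee, and each challenge may be used only once."""
    if tx.challenge in used_challenges:
        return False                      # replay of an earlier authorisation
    if not verify_knowledge(pin):
        return False                      # knowledge element failed
    expected = transaction_code(DEVICE_KEY, tx)
    if not hmac.compare_digest(expected, code):
        return False                      # dynamic link broken or wrong device
    used_challenges.add(tx.challenge)
    return True


def demo() -> dict:
    """Runs the scenarios the text is concerned with and returns the outcomes."""
    used: set = set()
    tx = Transaction(12_50, "EUR", "DE00 CONSTRUCTED PAYEE", "chal-0001")
    code = transaction_code(DEVICE_KEY, tx)   # what the user's device displays

    results = {}
    results["legitimate"] = authorise(tx, "4711", code, used)
    # Same code presented with the amount changed: the dynamic link breaks.
    results["amount_tampered"] = authorise(
        Transaction(999_99, "EUR", tx.payee, "chal-0002"), "4711", code, used)
    # Same code presented with the payee changed: the dynamic link breaks.
    results["payee_tampered"] = authorise(
        Transaction(12_50, "EUR", "DE00 OTHER PAYEE", "chal-0003"), "4711", code, used)
    # Correct code for a fresh challenge but wrong PIN: only one element.
    fresh = Transaction(12_50, "EUR", tx.payee, "chal-0004")
    results["pin_wrong"] = authorise(
        fresh, "0000", transaction_code(DEVICE_KEY, fresh), used)
    # Exact replay of the first, already consumed authorisation.
    results["replayed"] = authorise(tx, "4711", code, used)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:16s} -> {'accepted' if ok else 'rejected'}")
```

Only the first scenario is accepted; the other four fail on the factor or binding that PSD2 article 97(2) is meant to enforce. Note that the independence requirement is satisfied here only because the PIN is verified server-side and the device key never leaves the device: if the same phone both stores the key and captures the PIN, a compromise of that phone breaks both elements at once.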
Draft regulatory technical standards will be developed by the EBA and submitted to the European Commission that will specify:

“(a) the requirements of the strong customer authentication;
(b) the exemptions to the application of [strong customer authentication];
(c) the requirements with which security measures have to comply […] in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials; and
(d) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for implementation of security measures […]”.

[Figure: PSD2 Guidelines]
Implementation of PSD2
Following the European Parliament’s vote, PSD2 still needs to be formally adopted by the EU Council of Ministers, which will happen in late 2015. Afterwards the Directive will be published in the Official Journal of the EU. EU Member States will then have two years to introduce the necessary changes in their national laws in order to comply with the new rules. Hence PSD2 is expected to come into effect in late 2017.

However, a different adoption schedule applies to the requirements regarding strong customer authentication. PSD2 tasks the EBA with the development of technical standards for strong customer authentication. The EBA must submit the draft technical standards to the European Commission not later than 12 months after PSD2 comes into effect. The standards will come into effect 18 months after their adoption by the European Commission. As a consequence, the standards for strong customer authentication will come into effect about 30 months or 2.5 years after PSD2, hence in 2020.

The EBA guidelines remain applicable as an interim solution, until PSD2 comes into effect.
Conclusion
The arrival of PSD2 is good news for the harmonization of Internet payment security across Europe. Contrary to the EBA guidelines, national regulatory authorities cannot opt out of PSD2, as it will be translated into national law by the EU Member States. This means that countries such as the UK, which opted out of the EBA guidelines, will also be subject to PSD2 and its requirements regarding strong customer authentication.

Strong customer authentication is an important component of the new retail payment market envisioned by the European legislators. Although strong payment authentication is already common practice in online banking services in many European countries, it may present a significant step for e-commerce services and may impact the check-out processes of e-commerce merchants. Hence e-commerce merchants will need to find secure but also convenient authentication mechanisms.

More details about the precise requirements and standards regarding strong customer authentication can be expected in 3 to 4.5 years. Taking into account that Payment Service Providers in most EU Member States already have to comply with the very similar EBA guidelines since August 1st of this year, these additional standards seem to come rather late.

Finally, it remains to be seen how PSD2, which heavily focuses on the authentication aspects of payments, will integrate with the EBA guidelines. The security requirements put forth in the EBA guidelines have a broader scope than authentication, and also cover requirements such as the need for transaction monitoring and customer education.
About Frederik Mennes
Frederik heads VASCO’s Security Competence Center, working on the security aspects of VASCO’s products and infrastructure. He is a regular speaker at industry events and conferences about security technology, and a contributor to the Initiative for Open Authentication (OATH).
Besides his role at VASCO, Frederik has supported the Information Security Group (ISG) at Royal Holloway, University of London in various educational roles. He earned an MBA from Vlerick Business School (Belgium), an M.Sc. in Information Security from Royal Holloway, University of London, and an M.Sc. in Computer Science Engineering from KU Leuven, Belgium.
Follow Frederik on Twitter (@FMennes) or connect on LinkedIn.
Research Sources
(1) http://ec.europa.eu/finance/payments/framework/index_en.htm
(2) https://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf
(3) http://www.ecb.europa.eu/pub/pdf/other/assessmentguidesecurityinternetpayments201402en.pdf
(4) https://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+%28Guidelines+on+the+security+of+internet+payments%29_Rev1
About VASCO
VASCO is the world leader in providing two-factor authentication and digital signature solutions to financial institutions. More than half of the Top 100 global banks rely on VASCO solutions to enhance security, protect mobile applications and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, E-commerce, government and healthcare markets.
Learn more about VASCO at www.vasco.com or visit blog.vasco.com