Industry Briefing - Pagamenti Digitali · 4 Introduction On October 8th, the European Parliament...

Industry Briefing Strong authentication of Internet Payments in Europe - the new PSD2


Copyright

© 2015 VASCO Data Security. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

MYDIGIPASS.com, DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. Any trademark that is not owned by Vasco that appears in the document is only used to easily refer to applications that can be secured with authentication solutions such as the ones discussed in the document. Appearance of these trademarks in no way is intended to suggest any association between these trademarks and any Vasco product or any endorsement of any Vasco product by these trademarks’ proprietors. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Table of Contents

Introduction 4
What happened previously 5
Strong customer authentication under PSD2 6
Implementation of PSD2 8
Conclusions 9
Research Sources 10


Introduction

On October 8th, the European Parliament adopted the revised Directive on Payment Services, also known as PSD2 (1). The new directive, which is the long awaited successor of the first Payment Services Directive from 2007, aims to harmonize the European retail payments market, which is very much fragmented along national borders, and to foster the adoption of innovative, easy-to-use and secure payment schemes.

In this article I will provide an overview of the requirements of PSD2 regarding the authentication of consumers involved in a payment, a topic that generated much discussion among members of the European Parliament over the past years.


What happened previously

PSD2 is the latest development in a series of European regulatory initiatives aimed at securing Internet payments. These initiatives intend to combat Card-Not-Present (CNP) fraud and increase the confidence of European citizens regarding e-commerce, e-banking and other online activities.

In January 2013, the SecuRe Pay forum of the European Central Bank (ECB) published its final recommendations (2) for the security of Internet payments. In February 2014, SecuRe Pay also published an assessment guide (3) to help regulatory authorities apply the ECB's recommendations.

In order to provide a more solid legal basis for the ECB's recommendations, in December 2014 the European Banking Authority (EBA) published its final guidelines (4) on the security of Internet payments, which are almost identical to the ECB's recommendations.

Since the negotiations for the PSD2 were still ongoing, a two-step approach was chosen for the implementation of the EBA guidelines: immediate implementation as of August 1st 2015, followed by an upgrade with the more stringent regulations derived from the PSD2. On May 21st 2015, the EBA published the list of European national authorities that intended to enforce the guidelines.

[Figure label: EBA Upgrade]


Strong customer authentication under PSD2

PSD2 uses the same definition of "strong customer authentication" as the EBA guidelines, which is based on the traditional concept of two-factor authentication. "Strong customer authentication" is defined as "an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data".

Under article 97(1) of PSD2, Payment Service Providers (PSPs) must apply "strong customer authentication where the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; [or] (c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses".

So far this is very similar to the EBA guidelines. However, article 97(2) of PSD2 goes a step further for "electronic remote payment transactions", which include all transactions over the Internet. For such transactions, Payment Service Providers must apply strong customer authentication that includes "elements which dynamically link the transaction to a specific amount and a specific payee". This could also be referred to as strong payment authentication.

[Figure label: Strong Authentication]
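To make the "dynamic linking" requirement concrete, here is an added illustration (not code from the article, from VASCO, or from any PSD2 standard) of one way a possession element can bind an authentication code to a specific amount and payee: an HMAC over a per-transaction challenge plus a canonical encoding of the transaction, verified by the PSP against the transaction it is about to execute. The device key, challenge and payee are constructed placeholder values, and the 8-digit truncation is a hypothetical design choice.

```python
import hmac
import hashlib
from decimal import Decimal

# Constructed sample values: a secret provisioned to the payer's device
# (the possession element) and a per-transaction challenge from the PSP.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff"
                           "00112233445566778899aabbccddeeff")
CHALLENGE = bytes.fromhex("6f1a2b3c4d5e6f70")
PAYEE = "DE00 PLACEHOLDER IBAN"   # obvious placeholder, not a real account


def canonical_transaction(amount, currency, payee):
    """Fixed encoding of amount and payee so device and PSP hash identical bytes."""
    amt = f"{Decimal(amount):.2f}"                # "100" and "100.00" agree
    payee_norm = " ".join(payee.split())          # collapse stray whitespace
    return f"{amt}|{currency.upper()}|{payee_norm}".encode()


def generate_code(device_key, challenge, amount, currency, payee):
    """Authentication code that only the device key holder can produce for
    this challenge, this amount and this payee (the dynamic link)."""
    msg = challenge + b"|" + canonical_transaction(amount, currency, payee)
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    # Reduce to an 8-digit code a user could read from a token display.
    return int.from_bytes(digest[-4:], "big") % 10**8


def verify_code(device_key, challenge, amount, currency, payee, code):
    """The PSP recomputes the code from the transaction it will execute, so a
    code issued for one amount/payee cannot authorise a different one."""
    expected = generate_code(device_key, challenge, amount, currency, payee)
    return hmac.compare_digest(f"{expected:08d}", f"{int(code):08d}")


def demo():
    """Genuine transaction verifies; altered amount, altered payee or a replay
    under a fresh challenge does not."""
    code = generate_code(DEVICE_KEY, CHALLENGE, "100", "EUR", PAYEE)
    other_challenge = bytes.fromhex("0000000000000001")
    return {
        "genuine": verify_code(DEVICE_KEY, CHALLENGE, "100.00", "eur", PAYEE, code),
        "amount_changed": verify_code(DEVICE_KEY, CHALLENGE, "1000.00", "EUR", PAYEE, code),
        "payee_changed": verify_code(DEVICE_KEY, CHALLENGE, "100.00", "EUR", "DE00 OTHER PAYEE", code),
        "replayed": verify_code(DEVICE_KEY, other_challenge, "100.00", "EUR", PAYEE, code),
    }
```

The independence requirement in the definition is reflected by keeping the knowledge element (a PIN) out of the code computation: the PIN should unlock the device key locally rather than be mixed into a value that travels over the network.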

Draft regulatory technical standards will be developed by the EBA and submitted to the European Commission that will specify:

"(a) the requirements of the strong customer authentication;
(b) the exemptions to the application of [strong customer authentication];
(c) the requirements with which security measures have to comply […] in order to protect the confidentiality and the integrity of the payment service users' personalised security credentials; and
(d) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for implementation of security measures […]".

[Figure label: PSD2 Guidelines]

Implementation of PSD2

Following the European Parliament's vote, PSD2 still needs to be formally adopted by the EU Council of Ministers, which will happen in late 2015. Afterwards the Directive will be published in the Official Journal of the EU. EU Member States will then have two years to introduce the necessary changes in their national laws in order to comply with the new rules. Hence PSD2 is expected to come into effect in late 2017.

However, a different adoption schedule applies to the requirements regarding strong customer authentication. PSD2 tasks the EBA with the development of technical standards for strong customer authentication. The EBA must submit the draft technical standards to the European Commission not later than 12 months after PSD2 comes into effect. The standards will come into effect 18 months after their adoption by the European Commission. As a consequence, the standards for strong customer authentication will come into effect about 30 months or 2.5 years after PSD2, hence in 2020.

The EBA guidelines remain applicable as an interim solution, until PSD2 comes into effect.

Conclusion

The arrival of PSD2 is good news for the harmonization of Internet payment security across Europe. Contrary to the EBA guidelines, national regulatory authorities cannot opt out of PSD2, as it will be translated into national law by the EU Member States. This means that countries such as the UK, which opted out of the EBA guidelines, will also be subject to PSD2 and its requirements regarding strong customer authentication.

Strong customer authentication is an important component of the new retail payment market envisioned by the European legislators. Although strong payment authentication is already common practice in online banking services in many European countries, it may present a significant step for e-commerce services and may impact the check-out processes of e-commerce merchants. Hence e-commerce merchants will need to find secure but also convenient authentication mechanisms.

More details about the precise requirements and standards regarding strong customer authentication can be expected in 3 to 4.5 years. Taking into account that Payment Service Providers in most EU Member States already have to comply with the very similar EBA guidelines since August 1st of this year, these additional standards seem to come rather late.

Finally, it remains to be seen how PSD2, which heavily focuses on the authentication aspects of payments, will integrate with the EBA guidelines. The security requirements put forth in the EBA guidelines have a broader scope than authentication, and also cover security requirements such as the need for transaction monitoring and customer education.


About Frederik Mennes

Frederik heads VASCO’s Security Competence Center, working on the security aspects of VASCO’s products and infrastructure. He is a regular speaker at industry events and conferences about security technology, and a contributor to the Initiative for Open Authentication (OATH).

Besides his role at VASCO, Frederik has supported the Information Security Group (ISG) at Royal Holloway, University of London in various educational roles. He earned an MBA from Vlerick Business School (Belgium), an M.Sc. in Information Security from Royal Holloway, University of London, and an M.Sc. in Computer Science Engineering from KU Leuven, Belgium.

Follow Frederik on Twitter (@FMennes) or connect on LinkedIn.

Research Sources

(1) http://ec.europa.eu/finance/payments/framework/index_en.htm
(2) https://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf
(3) http://www.ecb.europa.eu/pub/pdf/other/assessmentguidesecurityinternetpayments201402en.pdf
(4) https://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+%28Guidelines+on+the+security+of+internet+payments%29_Rev1

About VASCO

VASCO is the world leader in providing two-factor authentication and digital signature solutions to financial institutions. More than half of the Top 100 global banks rely on VASCO solutions to enhance security, protect mobile applications and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, E-commerce, government and healthcare markets.

Learn more about VASCO at www.vasco.com or visit blog.vasco.com