09 June 2018
Open banking requires enhanced security such as Strong Customer Authentication
In general, there are three factors to identify yourself when making an electronic payment: something that you know (such as a PIN code), something that you possess (such as a telephone) and something that you are (such as a physical characteristic). Under PSD2, the Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) requires that one’s identity has to be verified by at least two of these three independent options in order to perform a payment. What is SCA and why is it necessary for banks to enhance their security?
The main objectives of PSD2 are to:
- Contribute to a more integrated and efficient European payments market.
- Improve the level playing field for payment service providers (including new players).
- Make payments safer and more secure.
- Protect consumers.
PSD2 is designed to better align the different players in the payment sector, the market and modern technologies. Banks become Account Servicing Payment Service Providers (ASPSP) to which third parties, such as Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs), can connect their services. Banks’ infrastructures will be opened up to external parties, but the more parties gain access to account information, the higher the demand for controlled access will be. In order to regulate the digital exchange of personal data between these parties, the European Banking Authority (EBA) established the Regulatory Technical Standards (RTS).
The RTS sets out the responsibilities and obligations to be met by all stakeholders in the payment sector, including Strong Customer Authentication (SCA), Secured Communication, Risk Management and Transaction Risk Analysis (TRA). The RTS on Strong Customer Authentication are designed to standardize data security policies and improve adoption of strong customer authentication processes to ensure that whatever the customer payment journey, their information is protected and the risk of fraud is minimized at every point. The final version of this Directive has been published recently in the Official Journal of the European Union and will become effective on 14 September 2019. This means that the payment industry, and banks in particular, still has about 17 months to meet these higher security standards.
One of the ways to increase the security of electronic payments is through SCA. There are three scenarios in which SCA has to be applied:
- When a customer – individual or corporate – accesses their payment account online.
- When making an electronic payment.
- When carrying out any action through a remote channel which may imply a risk of payment fraud or other abuses.
SCA under PSD2 requires a combination of at least two factors to identify yourself. This combination creates a unique authentication code which dynamically links the transaction to a specific amount and a specific payee (for remote internet and mobile payments).
These measures are necessary to protect the consumer, but at the same time PSD2 obliges banks to offer a smooth user experience. This means that the security measures need to be compatible with the level of risk involved in the payment service, in such a way that the right balance is struck between security and ease of use. In order to ease the process, the RTS contains some exceptions when SCA does not need to be applied. This concerns in particular small transactions, repeated payments and payments to trusted parties.
The responsibility for applying SCA lies with the banks. This means that it is up to them to comply with these new rules. At the same time, they are obliged to ensure that their authentication services are fully resilient, and to provide a backup user interface for TPPs in order to prevent any downtime and the resulting impact on customers. The biggest challenge, however, is that banks should consider what all of this entails for their resources, costs, customer experience and brand reputation. They should weigh up all the options to achieve compliance whilst protecting relationships.
Banks must consider which authentication methods will provide the best user experience based on a variety of factors, including customer familiarity and convenience, as well as how they can be delivered in line with the requirements of the RTS. The most important element to achieve this is trust. Read the latest white paper ‘How banks can build trust in a PSD2 world‘ for more information on the challenges posed by Strong Customer Authentication, and how banks can go beyond simple compliance to gain trust and create a smooth experience for all users.