What is PSD2?

The second Payment Services Directive, more commonly known as PSD2, is legislation that entered into application in January 2018 with the main goal of modernizing and unifying payment services across the European Union and the European Economic Area. This legislation replaced the first Payment Services Directive to provide a level playing field for all payment service providers, including banks that hold consumers’ accounts and third-party providers that have access to a consumer’s account but are not the account service provider. At the same time, PSD2 ensures the development of more secure and innovative electronic payments and better consumer protection. Specifically, to guarantee better protection of consumers when they make electronic payments or transactions, PSD2 introduces strict authentication requirements for accessing consumers’ payment accounts, as well as for making payments online.

How does PSD2 ensure the implementation of authentication requirements?

PSD2 introduces general principles for the safe and secure initiation and processing of online and mobile payments in the form of so-called Strong Customer Authentication (SCA) requirements. These requirements obligate all payment service providers, including banks and third-party financial service providers, to validate the identity of the user in a strict manner when a payer accesses their payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of payment fraud or other threats. PSD2 also introduces Regulatory Technical Standards on Strong Customer Authentication, commonly known as RTS on SCA, which set out concrete authentication measures for what PSD2 itself addresses only through general objectives, to ensure consumer protection by increasing the level of security of e-payments. In other words, payment service providers comply with the PSD2 authentication objectives by adopting the RTS on SCA requirements.

What are the specific PSD2 authentication requirements defined in the RTS?

The PSD2 authentication requirements defined in the RTS on SCA demand the adoption of certain security elements that payment service providers must observe when processing payments or providing payment-related services, in order to prevent financial fraud and theft. More specifically, the RTS on SCA describes an authentication process that validates the identity of the user of a payment service, or the payment transaction, based on at least two of the following elements, categorized as:

  • knowledge, or, to put it more simply, something that only the consumer knows, for instance a PIN, a password, knowledge-based challenge questions, etc.;
  • possession, or simply something that only the consumer owns, such as a token, a smartphone, etc.;
  • inherence, or something the consumer is, for example a fingerprint, facial or voice recognition, iris scanning, or other biometrics.

These multi-factor authentication requirements aim to reduce the risk of fraud for e-payments, protect the confidentiality of consumers’ financial and personal data, and increase both the security of electronic payments and consumers’ confidence when making payments online. The RTS also allows a few exemptions from the PSD2 authentication objectives for specific cases, based on the transaction amount, the risk of fraud, the reliability of the payee, and other features. These exemptions aim to avoid disrupting the ways consumers, merchants, and payment service providers operate, to ensure the best consumer experience. The RTS also clearly defines that payment service providers who wish to be exempted from SCA must first apply specific mechanisms for monitoring payment transactions to assess whether the risk of fraud is low, to ensure the safety of consumers’ data. For exemptions and further enhancement of security, the PSD2 RTS also describes other authentication mechanisms that are safe and secure. Under PSD2, to validate that a transaction is made by the actual owner of the account and not a fraudster, payment service providers are obligated to use dynamic linking, which ties the online transaction, via a one-time password, to its amount and to the merchant of the payment. Find out more about PSD2 authentication: https://nordigen.com/en/psd2/authentication/
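
The dynamic linking described above, as an added example that is not part of the original page: a one-time code is derived from the amount and the payee, so a code approved for one payment does not verify for another. The HMAC-SHA256 construction with HOTP-style truncation, every function name, and the payee value are assumptions chosen for illustration; the page does not specify an algorithm.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

DIGITS = 8  # fixed by the verifier, never taken from the submitted code

def _canonical(amount: str, currency: str, payee: str, nonce: bytes) -> bytes:
    # Normalise so "49.9" and "49.90" bind identically, then length-prefix
    # every field so bytes cannot be shifted from one field into the next.
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    acct = payee.replace(" ", "").upper()
    fields = [amt.encode(), currency.upper().encode(), acct.encode(), nonce]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def linked_code(key: bytes, amount: str, currency: str, payee: str,
                nonce: bytes) -> str:
    """One-time code bound to this amount and this payee (assumed scheme)."""
    mac = hmac.new(key, _canonical(amount, currency, payee, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(key: bytes, code: str, amount: str, currency: str, payee: str,
           nonce: bytes) -> bool:
    """Recompute from the transaction actually being executed and compare
    in constant time. A real service would also mark the nonce as used."""
    expected = linked_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(expected.encode(), code.encode())

def demo() -> dict:
    key = secrets.token_bytes(32)    # constructed per-user secret
    nonce = secrets.token_bytes(16)  # constructed per-transaction value
    payee = "XX00 EXAMPLE 0000 0001"  # constructed payee identifier
    code = linked_code(key, "49.90", "EUR", payee, nonce)
    return {
        "as approved": verify(key, code, "49.90", "EUR", payee, nonce),
        "amount changed": verify(key, code, "4900.90", "EUR", payee, nonce),
        "payee changed": verify(key, code, "49.90", "EUR",
                                "XX00 OTHER 0000 0002", nonce),
    }

if __name__ == "__main__":
    print(demo())
```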