7 PSD2 questions every CISO should be prepared to answer

The revised Payment Services Directive (PSD2) has come into effect in the European Union last year, adding new requirements for financial institutions, payment services providers and merchants who do business in the shared market. But it could also have an impact on businesses based outside the EU, so here are five questions that every CISO should be able to answer about this law.

1. What is the PSD2?

The PSD2 is legislation that regulates the payment services market across the European Economic Area (EEA: the EU member states plus Iceland, Liechtenstein and Norway). It was adopted by the European Parliament in 2015 and went into effect in September 2019, though the enforcement of new transaction security requirements has been delayed.

The legislation is an overhaul of the original 2007 Payment Services Directive and its goals are to reduce online card fraud by enforcing stricter transaction authentication requirements, to regulate the FinTech industry and make the payments market more competitive by forcing banks to share customer account data and to increase consumer protections by reducing their liability for unauthorized payments. It also forces member states to designate national authorities that will handle complaints related to payment services.

2. Does the PSD2 impact your company?

The PSD2 directly impacts banks and other financial institutions that hold customer accounts, third-party payment services providers, FinTech companies that offer payment initiation services or account information aggregation services and, ultimately, online merchants.

Merchants in particular must ensure that their banks or payment processors support the new strong customer authentication (SCA) requirements for online transactions. Otherwise they risk losing sales as card issuers are forced to reject non-compliant transactions or face liability.

The new authentication requirements apply to transactions where both the card issuer and the acquirer are located within the EEA, but they also extend to so-called “one-leg out” transactions where the merchant is not based in the EEA but the funds are processed through an acquirer in the EEA. In those cases, the EEA part of the transaction will be subject to SCA.

For example, if a non-EEA merchant uses an EEA-based payment services provider (PSP) to process transactions from European customers, or the PSP uses a clearing account of one of its entities based in the EU, then SCA applies.

3. What are the SCA requirements?

The PSD2 requires card-not-present transactions to be authorized with multi-factor authentication, which means that in practice, consumers will no longer be able to perform online transactions by using only the information printed on their cards. Online payments will require the use of two or more factors: knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is).

The European Banking Authority has clarified what are the acceptable knowledge, possession and inherence factors and it is expected that a large majority of implementations will involve the use of mobile phones for out-of-band transaction authorization. For example, every time an online card transaction is performed, the bank app installed on the user’s phone will ask the user to authorize the transaction by using their fingerprint or some other acceptable method.

There are also exemptions to SCA for low-value transactions that don’t exceed 30 euros, recurring transactions to the same recipient with the same amount which are typical for subscription-type services, transactions to recipients that have been whitelisted by the customer and transactions above 30 euros to payment services providers that use risk fraud analysis and can prove a sufficiently low fraud rate.

4. Are the SCA requirements already in effect?

The SCA requirements technically went into effect on September 14, but the European Banking Authority (EBA) allowed national authorities to delay enforcement and give more time to payment services providers because not all of them were ready. In October, EBA communicated a deadline of December 31, 2020, for when all payment services providers should complete SCA adoption, including implementation and testing by merchants.

“The opinion recommends that, where required, NCAs [national competent authorities] communicate to PSPs [payment service providers] in their jurisdiction that the supervisory flexibility they have exercised does not represent a delay in the application date of the SCA requirements in PSD2 and the EBA’s Technical Standards,” the EBA said. “Rather, it means that NCAs will focus on monitoring migration plans instead of pursuing immediate enforcement actions against PSPs that are not compliant with the SCA requirements.”

EBA notes that merchants would have preferred an 18-month delay which would coincide with the planned roll-out of the 3-D Secure (3DS) v2.2 communications protocol developed by the card brands. This version of the protocol has support for the SCA exemptions and will therefore allow PSPs and merchants to avoid a larger number of their transactions being challenged by card issuers and therefore reduce the checkout friction for customers. However, the EBA noted that the exemptions have been communicated since February 2017, so the industry had enough time to prepare.

5. What are the open banking requirements?

Under the PSD2, banks and account holding institutions are required to allow third-party services to initiate payments and access data from customer accounts, if those customers give their consent. This requirement is meant to break the banks’ monopoly on customer account information and to allow for increased competition and innovation in the FinTech space.

The FinTech companies will also be able to obtain licenses that are valid across the EEA and be subject to uniform regulations instead of having to deal with multiple national jurisdictions. The goal is to create a level playing field between established banking institutions and new entrants in the market.

This also means that merchants will be able to offer more payment options to customers that don’t involve the use of payment cards. For example, a customer might choose to pay directly through a payment initiation service provider (PISP) they already approved to access to their accounts.

Most of the financial institutions are opting to implement the new account access requirements through APIs although there’s not yet a generally accepted standard.

6. Will PSD2 impact markets outside the EEA?

Experts believe that even though the SCA requirements won’t directly impact other markets — with the exception of non-EEA merchants that also do business in Europe — card brands will still push for the global roll-out of 3DS version 2 (3DS2) and banks in other jurisdictions will adopt it because of market pressure and a need to remain competitive. As such, it’s likely that similar levels of online transaction security will be widely available in other countries even if they’re not mandated by regulations. Merchants might also want to have a uniform experience for all their customers regardless of where they are located

7. What are the biggest impacts of PSD2 on security?

PSD2 can have a positive impact on online banking security, thanks to new the SCA requirements, but it might also affect security negatively if the implementation of account access APIs is not done securely and in a uniform manner.

History has shown that even with widely used standards for access delegation, such as OAuth and OpenID Connect, implementation issues are common and they often lead to account hijacking. Just this month, a security researcher was awarded $55,000 for finding and reporting a flaw in Facebook’s OAuth implementation.

Granting multiple third parties access to an account inherently increases risk because the entry points available to the attackers also increase. Attacks against APIs are attractive to hackers because they can more easily automate attacks against them compared to web login forms. The very purpose of APIs is to simplify and automate communication between applications. Over the past two years, content delivery and security company Akamai observed a big increase in API-based attacks, especially against the financial industry.

As far as transaction security goes, PSD2 is expected to have a big impact in reducing card-not-present fraud in Europe, but there’s a risk that fraud could migrate to other jurisdictions with lower levels of transaction security. That’s why experts are hopeful the US and other countries will follow suit in adopting 3DS2 and SCA-like requirements, which should be a much smoother process than the deployment of chip-and-PIN cards.

“SCA has an opportunity to enable the US to step forward into the secure digital age, having been a market laggard – the implementation of PINs only reached the market in the last 2 years,” James Stickland, CEO of identity and authentication management company Veridium, tells CSO. “Now that point of sale devices are enabled and online payment systems can accept the step up authentication of SCA, the US has the chance to bring a great user experience alongside secure transactions. Implementing biometrics is widely regarded as the go to choice of technology to tackle the ever-rising fraud faced by all merchants and payment service providers, whilst delivering a seamless user journey.”