The EU Payment Services Directive (PSD2), coming into force in 2018, opens the door for third-party service providers (also called Payment Service Providers, PSPs) to access and manage bank accounts, subject to user permission, with the goal of facilitating innovative solutions and improving transactions and services while reducing their cost.
In such a scenario, a major concern is security and trust: a bank account owner is expected to grant other parties access to her own bank account, to pay bills, and also to carry out peer-to-peer transactions. If this is not done correctly and with all the necessary guarantees, PSD2 risks failing and not being accepted by the market.
There will be a cost for the additional security: among other measures, strong authentication needs to be implemented. In this article LuxTrust analyses the issues around this specific but crucial aspect.
PSD2 second channel - Statement of understanding*
To promote the principles of technology neutrality and future-proofing of the Regulatory Technical Standards (RTS), the draft version of the PSD2 RTS, as issued by the European Banking Association, no longer explicitly mentions the use of a second channel.
The Payment Service Providers (PSPs) are thus free to use a second channel or not, provided the risk of a man-in-the-browser attack is taken into account. The security objectives that require mitigating this risk are therefore still present in the RTS. The relevant RTS requirements are described in the following excerpts:
c) the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the payee agreed to by the payer. Any change to the amount or the payee shall result in the invalidation of the authentication code generated.
For the purpose of paragraph 1, payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following:
a) the amount of the transaction and the payee through all phases of authentication;
b) the information displayed to the payer through all phases of authentication including generation, transmission and use of the authentication code.
As soon as a PSP has to apply Strong Customer Authentication (SCA) with dynamic linking, i.e. as long as it cannot benefit from one of the possible exemptions, it is always required to comply with Article 5 of the RTS. Note that Articles 16 and 17 relate to the use of exemptions, not to the use of SCA.
LuxTrust PSD2 solutions: the LuxTrust Mobile app and LuxTrust Scan
The LuxTrust Scan, a dedicated token-generating hardware device, is compliant with the PSD2 RTS Strong Customer Authentication and dynamic linking requirements. When correctly implemented on the customer’s side, the solution fulfills the requirements of Article 5.2.
The LuxTrust Mobile app, a token-generating software application available on iOS and Android, is compliant with the PSD2 RTS Strong Customer Authentication and dynamic linking requirements. When correctly implemented on the customer’s side, the solution fulfills the requirements of Articles 9.2 and 9.3:
Where any of the elements of strong customer authentication or the authentication code is used through a multi-purpose device including mobile phones and tablets, payment service providers shall adopt security measures to mitigate the risk resulting from the multi-purpose device being compromised.
For the purposes of paragraph 2, the mitigating measures shall include each of the following:
a) the use of separated secure execution environments through the software installed inside the multi-purpose device;
b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party or mechanisms to mitigate the consequences of such alteration where this has taken place.
*Disclaimer: The above represents LuxTrust's understanding of the relevant regulation and should not be taken, relied on or interpreted as a legal opinion. Customers are encouraged to seek independent legal advice before acting on this information.