The growing number of cyber-attacks and fraudulent activity in the financial services industry indicates a substantial need to improve methods of authorising electronic transactions, protect consumers against fraud and maintain customer trust. The rapid uptake of mobile payments has exposed a bigger attack surface for criminal activity and highlighted how the regulatory controls applied to these problems are not keeping pace with the technology.
PSD2 has been designed to tackle this. The aim of the directive is to enhance the security of internet payments and account access through the introduction of suitably robust security measures, including the use of strong customer authentication for digital payments.
As of January next year, the digital doors of the banking and finance sector will be well and truly flung open. The legislation will open up the sector to authorised third party providers wishing to get a bite of the banks' pie and regulate their involvement in the payments chain. In the near future, we'll see person-to-person (P2P) transfers or bill payments taking place over social media, and apps powered by third party providers that monitor customers' banking data across their accounts. These will even be able to use said information to offer financial advice.
What are the risks?
While the directive offers major benefits for the everyday consumer, this 'open banking' model arguably rings alarm bells. It's easy to see why security remains high on the industry agenda. For the first time in history, banks will be obligated to allow third party providers to take funds directly from consumers' accounts (with the customer's consent), something which is potentially risky. Open banking could expose sensitive, valuable customer data and payment infrastructure to malicious forces. To counter this, the regulations mapped out by PSD2 promise to boost the safety of online payments and reduce the risk of fraud.
The directive recognises the industry-wide notion that the password is no longer an adequate level of security to protect online services. Instead it mandates that all financial providers, be it a bank or a budding competitor, adhere to a new framework to manage risk and implement more appropriate security measures to protect consumers' data. This largely involves the adoption of 'Strong Customer Authentication' (SCA) methods by payment service providers (PSPs) for access to online accounts and the processing of electronic transactions. SCA methods involve consumers providing two or more factors: something you know (e.g. a password or PIN), something you have (for example a smartphone or token which produces a one-time password (OTP)), and something you are (a unique biometric reading like a fingerprint or iris scan).
The trouble here, however, is that there is a level of uncertainty and confusion among businesses surrounding the term 'strong customer authentication' and related terms such as 'two-factor authentication' and 'multi-factor authentication.' It's also worth noting that not all two-factor authentication techniques are 'strong' or completely resilient; many existing solutions require enhancements in order to meet the stringent legislation covered in PSD2. For example, electronic tokens are widely used in tandem with usernames and passwords for online banking purposes. While they currently do the job – and the added variable of a token provides considerably more security than usernames and passwords alone – these authentication techniques are not necessarily deemed 'strong.' One-time passwords (OTPs) can still be compromised. You only need to look at the recent attacks on Santander customers, where cybercriminals used a text messaging scam known as 'smishing': they sent customers text messages pretending to be from their bank and tricked them into generating an OTP that authorised a transaction rather than reversing it, as the customers believed. An OTP proves possession of the token but says nothing about which transaction the customer intended to approve.
The PSD2 legislation will provide technical specifications into what exactly the 'strong' in 'strong customer authentication' should mean. However, it's fundamental for financial service providers to ensure they understand the basic terms being used, and what is mandatory when the legislation comes into force next year to ensure compliance and to guarantee the open banking model can happen without incident.
Convenience is key for PSD2 success
Making sense of the regulation is not the only concern for many financial service providers. SCA is certainly a big step in the right direction and a long-overdue solution to the security challenges that have burdened the industry for many years. But many are worried that implementing the high levels of security required by PSD2 will come at the expense of customer convenience, and that over-complicated security measures will cause customers to stop using their services.
Striking a balance between security and consumer convenience in the payments world is the cornerstone of ensuring PSD2 success. Yet contrary to the popular belief about overburdening customers, in many cases the most secure and flexible 2FA and MFA solutions are also the most accessible to users. The technology is out there and is in the hands of consumers already. Today's smartphones offer a powerful solution which can provide the level of security needed to comply with PSD2 legislation. With almost limitless credential storage, they offer a cryptographic approach using what is known as public/private key cryptography. A consumer's device holds the only copy of a unique private key, which can be used to 'sign' a transaction or verify access to an online account, while the provider holds only the matching public key. Using their own devices means the user experience is not hindered, and overall security is increased to the point where passwords are no longer needed.
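The device-held signing key described above, as an added illustration that is not code from the original article or from Intercede: the private key is generated on the device at enrolment and never leaves it, the PSP stores only the public key, and the signature covers the payee, amount and a server-issued nonce, so a signature obtained for one transaction cannot be reused to approve a different amount or payee (the Santander-style OTP trick). Field names and the sample payee are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transaction is what the customer approves; every field is covered by the signature.
type Transaction struct {
	Payee  string
	Amount uint64 // minor units (pence)
	Nonce  uint64 // issued by the PSP, single use, so a signature cannot be replayed
}

// digest encodes the transaction canonically so device and PSP hash identical bytes.
func digest(t Transaction) []byte {
	h := sha256.New()
	h.Write([]byte(t.Payee))
	h.Write([]byte{0}) // separator: "AB"+1 and "A"+"B1" must not collide
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], t.Amount)
	h.Write(buf[:])
	binary.BigEndian.PutUint64(buf[:], t.Nonce)
	h.Write(buf[:])
	return h.Sum(nil)
}

// EnrolDevice simulates enrolment: the key pair is created on the device (in practice inside
// the TEE or secure element); only &priv.PublicKey would be sent to the PSP.
func EnrolDevice() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignTransaction runs on the device once the local factor (PIN or fingerprint) has unlocked the key.
func SignTransaction(priv *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(t))
}

// VerifyTransaction runs at the PSP against the enrolled public key and the transaction it recorded.
func VerifyTransaction(pub *ecdsa.PublicKey, t Transaction, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(t), sig)
}

func main() {
	priv, _ := EnrolDevice()
	tx := Transaction{Payee: "GB00EXAMPLE", Amount: 12050, Nonce: 1}
	sig, _ := SignTransaction(priv, tx)
	fmt.Println("genuine:", VerifyTransaction(&priv.PublicKey, tx, sig))
	tampered := tx
	tampered.Amount = 99999 // attacker alters the amount after the customer approved
	fmt.Println("tampered:", VerifyTransaction(&priv.PublicKey, tampered, sig))
}
```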
Fingerprint authentication is already being used by a number of providers for payments and service authentication. Other methods such as iris and facial recognition are also on the rise as the technology develops further. Many smartphones feature a Trusted Execution Environment (TEE) where sensitive information, such as a customer's biometric reading or online banking data, can be stored. This is a 'safe zone' within the device's processor, isolated from the main operating system, where sensitive data and signing keys can be protected with a much lower risk of being compromised.
Ready or not
The revised Payment Services Directive (PSD2) is almost here. With the clock ticking and the final draft of the Regulatory Technical Standards now in place as of February this year, all players in the industry must be clear on the meaning of the terms set out by the directive and their role in implementing them. After the deadline there will be no excuse for those financial service providers that do not meet the requirements, whether they're a global bank or an independent fintech company. Smart players in the ecosystem will embrace SCA rather than fear its effect on customer experience, dispelling the myth that meeting PSD2 authentication requirements is incompatible with convenience. Ready or not, PSD2 is coming and businesses must ensure they're primed and ready.
Newsweek is hosting a 'Regtech and Identity' event in London in June with a panel on strong customer authentication.
Rory Gray is the PSD2 Initiative Director at Intercede.