Get PSD2 ready with Finologee: strong customer authentication
One of the major implications of PSD2 is the focus on improving security in the payments space by emphasising Strong Customer Authentication (SCA). This article aims to provide some guidance to the Payment Service Providers (PSP) for an appropriate implementation of the European Banking Authority’s (EBA) legal requirements concerning SCA. As a part of its “PSD2 Compliance” product, Finologee not only offers three solutions for SCA, but also a SMS OTP based solution – which has recently been validated as a valid authentication factor by the EBA.
Taking into consideration the rapidly rising number of online operations (mainly related to access to payment accounts for online and electronic transactions), the second Payment Services Directive (PSD2) has reinforced the rules related to Payment Security. In this context, all Payment Service Providers and in particular banks or account servicing payment service providers (ASPSP) are required to implement Strong Customer Authentication (SCA) that include elements that dynamically link the transaction to a specific amount and a particular payee. In addition, as described in our previous article “PSD2 reporting requirements: Banks’ to-do list”, banks must also provide fraud and security-related incident reports to the regulators.
To be compliant with the SCA definition under PSD2, the authentication method available for the Payment Service User (PSU) must integrate, at least, the use of two (two-factor authentication) of the following three elements:
- Knowledge: a component which is only known by the PSU, such as password, PIN code or response to a security question;
- Possession: a device that only the PSU owns, such as a hardware token or a mobile phone;
- Inherence: something which is unique and linked to the PSU, such as finger print or facial recognition.
Furthermore, the concept of “dynamic linking” has been introduced to guarantee the integrity of transaction validation. This concept imposes that the payer must be made aware of the amount of the payment and of the payee during the authentication process. This is necessary to avoid any “man-in-the-middle attack” which could modify the details of the transaction.
Payment Service Providers can obtain further details on SCA and dynamic linking by consulting the chapter 2 of the final version of Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure open standards of communication (CSC). Additionally, the EBA has made public a Q&A tool on PSD2 and more explicitly on the SCA subject.
Finologee has built a state-of-the-art transactional and authentication/authorisation platform that handles interactions between banks and their counterparts in strict application of the revised payment service directive (PSD2) and its Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure open standards of communication (CSC) published in the Official Journal of the European Union, guaranteeing their partner banks full regulatory compliance in this new state of play.
As part of its “PSD2 Compliance” product, Finologee offers a ready-to-use platform for API access management of AISPs and PISPs, with an authentication and authorization stack. This module can support redirect SCA Approach using OAuth2/OIDC, Decoupled SCA Approach, Embedded SCA Approach without SCA method, Embedded SCA Approach with only one SCA method available, Embedded SCA Approach with selection of a SCA method. In view of this, Finologee can:
- Implement LuxTrust: mainly for local Luxembourg players. If the bank is using LuxTrust as an authentication method, no additional integration needs to be done. Finologee can connect directly to Orely and supports all authentication methods provided by LuxTrust.
- Connect to various third-party SCA protocols based on standards such as OAuth2, OpenID Connect, SAML2 or any proprietary protocol such as Vasco or RSA APIs.
In addition, thanks to Mpulse – Finologee’s sister company, operating Luxembourg’s central SMS payments and routing gateway since 2006 – Finologee can provide banks with a SMS OTP solution which is considered as an authentication factor by the EBA. Indeed, the EBA has recently clarified that “For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device”. In this context, a one-time password sent via SMS would constitute a possession element and should therefore comply with the requirements.
In parallel, the RTS lists a series of exemptions for which the bank might decide not to apply strong customer authentication. These exemptions include payments for small amounts, parking or transport fares, payments to trusted beneficiaries or to a different account of the same user. Within Finologee’s PSD2 solution, rules on when exactly exemptions to SCA should be applied can be defined and customised on a per-bank basis.
Finally, to become PSD2 compliant, some banks have decided to completely change their customer authentication method. But before choosing such a drastic approach, a in-depth analysis of the SCA tool could be first performed to avoid any additional or unnecessary costs. Banks must also be aware of complementary and/or alternative solutions which could enrich their current SCA solution in order to fully fulfil RTS requirements.
As a FinTech player, Finologee is providing a PSD2 Compliance product and platform enabling any financial institution holding payment accounts to meet PSD2 technical requirements quickly and easily. PSD2 Compliance for Banks, its processes and flows have been designed and developed accordingly to match PSD2, RTS and related provisions and obligations. Finologee’s product encompasses the security layer and access to account rules relying and fully compliant with the EBA guidelines and the PSD2 directive (based on audit trails, statistics on TPP access).
Finologee has set up partnerships with consultancy firms to provide high quality and fully customisable regulatory reporting services tailored to its clients’ particular setups and requirements. PSD2 reporting requirements are indeed multi-dimensional, multi-context and need to tap into various sources and channels. Thus, adequate aggregation and customisation become a requirement. Both Finologee’s product and projects management plans take into account this specific need.