The European Banking Authority (EBA) has published its ‘final’ draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and secure communication under PSD2. PSD2 and, particularly, the SCA aspect can dramatically change the payments sector and the broader banking market. It has been the subject of heated discussions and aggressive lobbying.
Therefore, the market has been waiting to view and digest the finalized standards with bated breath. The final RTS clarifies several ambiguities in the draft version and covers a great deal of ground. However, like a Christopher Nolan movie, it still leaves you hanging with unanswered questions at the end.
With the document standing at more than 150 pages, it can be difficult to identify the major points and key changes. To help, here’s a distillation of the paper, covering 10 points we believe the market needs to heed:
1. Banks to define their own interfaces
The RTS does not provide definitions of the interfaces needed. Luckily, some industry groups (e.g., Berlin Group) have come together to define common standards, and the European Retail Payments Board (ERPB) has convened working groups to facilitate this process. Of course, it’s up to the banks to define their interfaces, but at least they will have some de-facto standards on which to base them on.2.
2. APIs, not screen-scraping
Rationale 32 says that screen scraping will no longer be allowed, but something that looks a lot like screen scraping is still allowed. TPPs using this interface must digitally sign the messages to identify themselves, which is at least a step forward; however, other security holes associated with screen-scraping remain. If a bank provides a dedicated (API) interface, TPPs must use it.
3. Payment security is up to the banks
It is up to the bank to authenticate their customer. Recital 14 now says that PIS Providers have the right to rely on the authentication procedures provided by the bank; there is no right in the opposite direction. Therefore, PISPs (payments initiative service providers) must pass control to the bank to authenticate the customer – the PISP can’t apply its own authentication and then tell the bank just to do it.
4. Authentication codes
Article 4.1 says that The authentication code shall be accepted only once. This is fine for single payment initiation, but the RTS allows TPPs to initiate a series of payments and retrieve account information, with SCA applied only the first time. Presumably, the original authorization code must be presented for all subsequent accesses, but this is not compatible with only one provision in 4.1.
The authentication code has to be dynamically linked to the transaction details for payment transactions. There’s a possible gap because the amount and payee are dynamically linked, but not the payment reference. In cases where the reference determines the beneficiary, such as credit card payments, this could become a security vulnerability.
5. Exemptions from strong customer authentication
This is the area of the RTS that has changed most and has become more practical. Changes include:
- For contactless card payments, the single-transaction value has been raised to €50. The option to count five consecutive non-SCA transactions has been added to balance the previous impractical requirement just to accumulate payment values.
- A vital exemption has been added for unattended transport, and parking terminals have helpfully been included.
- No SCA is required for payments to trusted beneficiaries. Comment 79 also clarifies, The exemption for trusted beneficiaries only applies to payment transactions made on an online account by the payer. The PISP cannot create a list of trusted beneficiaries.
- The low-value payment exemption has been raised from €10 to €30, with a cumulative value of €100 or a cumulative count of five, aligned to the contactless exemption.
6. Real-time fraud detection and prevention
Whereas the previous draft mandated real-time fraud detection to prevent, detect and block fraudulent payments, the final draft allows for a more nuanced risk analysis approach, with high-risk transactions being blocked for suspected fraud and low-risk transactions potentially bypassing SCA. There is also a specific approach with clearer reporting and processing procedures.
7. Sensitive payment data
The final draft still says that ASPSPs (account servicing payment service providers), effectively banks, must provide AIS with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly accessing the information, provided that this information does not include the display of sensitive payment data. Sensitive is still not defined, leaving it to the bank to decide what to redact.
8. Use of eIDAS authorities
The EBA has put aside its doubts and firmly mandated the use of Digital Certificates (or qualified certificates for electronic seals or website authentication, as the regulation would have it) issued under Regulation 910/2014, aka eIDAS. Given the extended timeline for enforcement of the RTS – November 2018 being the earliest date, with serious discussion of April 2019 – there is still time for organizations to step up and put the required infrastructure in place to move eIDAS from dream to reality.
9. Card-not-present requires strong customer authentication
Unless a card transaction falls under one of the exemptions, it must go through SCA. Vendors have rushed out solutions such as Dynamic CVV, where the CVV on the card changes regularly. Using this as one of the SCA components proves possession, which along with knowledge satisfies the ‘two-factor’ requirement. It looks like 3D-Secure 2.0 will be sufficient to allow SCA exemptions to be applied, but if the transaction is not exempt, it’s up to the issuer to drive the SCA process.
10. Trusted execution environments for multi-purpose devices
The previous draft specified that multi-purpose devices (mobile phones and the like) used a Trusted Execution Environment (TEE) for security. TEE is a well-defined, tried, and tested standard, but it seems the EBA has caved in to pressure from organizations lobbying for non-standard (and in some cases, less secure) solutions. The RTS now mandates a ‘Secure Execution Environment,’ which has no current industry definition, so mobile security effectively becomes a free for all again. Caveat emptor!
What next?
The RTS has yet to be adopted by the European Commission, so there is still an opportunity for lobbying by member states, industry groups, and organizations. Be that as it may, it’s clear that no further significant clarifications will be forthcoming from the EBA. So it’s now up to banks, TPPs, and other payment service providers to get on with implementation, guided by national authorities, industry groups, compliance officers, and technology experts. The access to account services specified in PSD2 Articles 65-67 have to be available from January 2018, and even though the security and communications standards in the RTS do not become mandatory until the end of the transitional period, there’s sufficient clarity to start moving in that direction before the mandate.
To learn about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.
Keep reading
Developers know identity verification is an essential element of effective digital onboarding and the customer lifecycle. Choosing the right one can feel like navigating a maze of features and complexity.
In an age where our smartphones have become almost like extensions of ourselves, the identity assurance achieved through smartphone possession and data is a natural evolution.
Rodger Desai, CEO of Prove, a leading identity verification solution provider, offers a unique perspective on the rising fraud in the gig economy, advocating for robust digital identity verification as a key defense mechanism.