Given the influx of fintech startups in the modern world, the role of banking institutions is shifting from being a single point of service toward becoming more of a platform. The revised Payment Service Directive (PSD2) is a big step toward these changes.
The newcomers to the financial market can essentially be divided into two categories:
- Account Information Service Providers (AISPs) offer systems that display your balance, transactions, etc. from your bank. An AISP cannot make changes to your accounts or process transactions.
- Payment Initiation Service Providers (PISPs) offer systems that can perform credit transfers on the user’s behalf.
The greatest challenge here is to create a safe means of communication between all these parties. The good news for the users is that § 73 of PSD2 protects their rights:
“[…] in the case of an unauthorised payment transaction, the payer’s payment service provider refunds the payer the amount of the unauthorised payment transaction immediately, and in any event no later than by the end of the following business day, after noting or being notified of the transaction.” The same applies when an unauthorized transaction is done via PISP. The Account Servicing Payment Service Provider (AS-PSP, usually a bank) compensates the loss under the same conditions.
Whether or not the PISP compensates these losses to the AS-PSP (bank) later depends on the authentication scheme in use. Two options are possible: the PISP can rely on credentials issued by the AS-PSP, or it can issue its own security credentials.
We doubt the second option will be popular, since according to § 72(1), the burden is on the PISP to prove that, within its sphere of competence, the payment transaction was authenticated, accurately recorded and not affected by a technical breakdown or other deficiency linked to the payment service of which it is in charge. The effort involved in proving this could be significant; in any case, there is no reason to go through it at all, as the Directive welcomes third-party providers of Strong Customer Authentication, like Protectimus.
No one wants to pay for fraud. That’s why Strong Customer Authentication (SCA) is so important in light of PSD2. § 98 directly calls for the development of Regulatory Technical Standards (RTSes): “[the] EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, develop draft regulatory technical standards addressed to payment service providers.”
The EBA has done this work and we now have a final draft of the Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2).
In short, the RTS sets out requirements for how and when to apply two-factor or multifactor authentication while ensuring technology and vendor neutrality.
The highlighted trends:
- multifactor authentication;
- segregation of channels and security credentials;
- simplifying the execution of low-risk transactions, like parking or transportation fees;
- transaction data signing, like CWYS (Confirm What You See) from Protectimus.
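To make the last trend concrete, here is an added illustrative example (not code from Protectimus, and not the CWYS product's own algorithm) of what transaction data signing means in practice: the one-time code is an HMAC computed over the amount and payee the user is shown, together with the current time step, so a code generated for one transaction fails verification when the amount or payee is altered in transit. This is the "dynamic linking" idea behind the RTS requirement. The shared secret, the payee string and the timestamp are constructed values for the example; the truncation follows the RFC 4226 dynamic-truncation scheme applied to a SHA-256 digest.

```python
import hashlib
import hmac
import struct
import time

# Secret shared between the user's authenticator and the AS-PSP (bank).
# Constructed for this example; in practice it is provisioned per user.
SHARED_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")

TIME_STEP_SECONDS = 30
CODE_DIGITS = 8


def canonical_transaction(amount, currency, payee):
    """Serialize exactly the fields the user confirms on screen.
    Amount is normalised to minor units so "10.5" and "10.50" sign the same;
    payee is last, so a '|' inside it cannot shift the earlier fixed fields."""
    minor_units = int(round(float(amount) * 100))
    return f"{minor_units}|{currency.upper()}|{payee.strip()}".encode("utf-8")


def transaction_code(secret, amount, currency, payee, timestamp=None):
    """Authenticator side: HMAC-SHA256 over (time step || transaction fields),
    truncated to CODE_DIGITS decimal digits."""
    if timestamp is None:
        timestamp = int(time.time())
    step = timestamp // TIME_STEP_SECONDS
    message = struct.pack(">Q", step) + canonical_transaction(amount, currency, payee)
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    # RFC 4226 style dynamic truncation, adapted to the 32-byte digest.
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def verify_transaction_code(secret, amount, currency, payee, code,
                            timestamp=None, window=1):
    """Server side: recompute the code for the transaction that is actually
    about to be executed, not for whatever the client claims was shown.
    Tolerates +/- `window` time steps of clock drift; compares in constant time."""
    if timestamp is None:
        timestamp = int(time.time())
    for drift in range(-window, window + 1):
        candidate = transaction_code(secret, amount, currency, payee,
                                     timestamp + drift * TIME_STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def demo(timestamp=1_700_000_000):
    """Returns (legitimate_accepted, tampered_accepted) for a constructed transfer."""
    payee = "PAYEE-IBAN-PLACEHOLDER"
    code = transaction_code(SHARED_SECRET, "250.00", "EUR", payee, timestamp)
    legit = verify_transaction_code(SHARED_SECRET, "250.00", "EUR", payee, code, timestamp)
    # The same code presented with the amount changed in transit must be rejected.
    tampered = verify_transaction_code(SHARED_SECRET, "2500.00", "EUR", payee, code, timestamp)
    return legit, tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The security-relevant point is in `verify_transaction_code`: the bank recomputes the code from the amount and payee it is about to execute, so a code obtained for a small, innocuous transfer cannot be replayed to authorise a different one. A plain time-based OTP that ignores transaction data would accept both.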
For now, it turns out that SCA providers are the cornerstones of all PSD2 infrastructure. Choosing a multifactor authentication provider whose services meet all PSD2 and RTS requirements is a complicated, important task, so we decided to help our customers by preparing a short checklist to evaluate possible solutions. You can download it here.