PSD2 driving strong authentication to the payment ecosystem

The Payment Services Directive (PSD) has been in force in the UK since November 2009 with the sole purpose of regulating the payments industry and increasing consumer protection.

However, if we think back to 2009 – the year in which satellite navigation was implemented in smartphones, when the Apple Store had only just launched and when most phones had physical keyboards – and compare it to today, where we all communicate, play, shop and, especially, pay in very different ways, it is clear that PSD needed to be updated.

For this reason, the European Commission has revised the Directive and produced the PSD2, which adapts the provisions to encompass emerging and innovative payment services. Far from being just another regulation for banks to comply with, this Directive is one of the biggest technological innovations in retail banking. But what does this revision entail?

Here’s how the PSD2 will create a more level playing field in the European payment ecosystem:

  • Further standardising card, internet and mobile payments and making them interoperable.
  • Reducing barriers to entry, in particular for card and internet payments.
  • Aligning charging and steering practices across the EU.
  • Ensuring consistent application of PSD2 across the EU.
  • Bringing emerging types of payment services within regulation.

The PSD2 Game Changers

One of the key elements of the Directive, which is solving an industry headache felt by more businesses than not, is the policy that allows third-party access to consumers’ bank accounts, better known as Access to Accounts (XS2A).

With PSD2, when a consumer is making a purchase, the merchant (with the customer’s explicit consent) will be able to receive payment directly from the consumer’s bank, without any intermediaries. The direct connection between the merchant and the bank would be enabled using Application Programming Interfaces (APIs). APIs are a particularly exciting proposition as they will enable a direct connection to financial institutions, presenting opportunities for new and innovative players in the field.

The second big game changer brought about by the Directive is the introduction of Account Information Service Providers (AISPs), which consolidate information across multiple financial service providers (e.g. Mint.com in the US). This will allow consumers to view their various accounts, from different banks, in one secure portal.

Overall, PSD2 will have a positive impact on the industry but it is the consumers who will see the greatest benefits. The new Directive seeks to implement stronger authentication systems to offer consumers greater protections against card-not-present (CNP) fraud.

Payment Service Providers (PSPs) will be required to provide “strong consumer authentication”, defined as multi-factor authentication (with two or more independent factors), when payers access their accounts, initiate transactions or “carry out any action, through a remote channel, which may imply a risk of payment fraud or other abuses” [1].

A layered security system like this will ensure that a “breach of one [authentication factor] does not compromise the reliability of the others” and will “protect the confidentiality of the authentication data” [2].

For this reason, innovative authentication solutions, such as biometrics, security tokens, location or one-time passwords combined with PIN, will allow PSPs, PISPs, AISPs and other players in the field to ensure compliance with the new Directive, whilst offering their consumers the greatest levels of protection against fraud.

[1] European Commission

[2] European Commission