Strong Customer Authentication – some background
The regulatory framework for payment services is going to be fundamentally changed in the next years. The so called Payment Service Directive 2 (“PSD2”) was agreed and published on November 25th, 2015 and is going to be transposed into national laws by January 13th, 2018.
Note: Since PSD2 is a directive (and not a regulation) it requires transposition into national law before it becomes binding.
PSD2 provides for major changes in the current regulatory framework, which will have a massive impact on the payment industry.
One of the most important changes – and the topic of this article – is an extensive obligation for Payment Service Providers (“PSPs”) to implement strong customer authentication (“SCA”). Due to these changes in the regulatory framework, PSPs will face new challenges. One of the key aspects in finding solutions to these challenges will be how the regulatory authorities, in particular the European Banking Authority (“EBA”), are going to interpret the new PSD2 requirements. The PSD2 has conferred 11 mandates on the EBA, one of which relates to the development, in close cooperation with the European Central Bank (ECB), of draft Regulatory Technical Standards (“RTS”) on strong customer authentication and secure and common communications (Article 98 of the PSD2). In order to receive early input into this work, the EBA published a Discussion Paper in December 2015, which received 118 responses from the market. Based on this feedback, the EBA developed draft RTS, published on August 12, 2016 together with a Consultation Paper on the draft RTS asking the market again for feedback, which can be submitted on EBA’s consultation page by 12 October 2016.
With the resulting RTS the EBA aims at ensuring an appropriate level of security for consumers, as well as Payment Service Providers (PSP). The RTS propose the adoption of effective and risk-based requirements, which shall secure and maintain fair competition among all PSPs, and shall allow for the development of user-friendly, accessible and innovative means of payment.
This being said, we will provide an overview of what we currently know and what we don't know yet about SCA under PSD2 in a short series of articles:
In this Part 1 we will provide a short overview on the regulations on SCA in PSD 2, including a short overview on the PSD2 definition of SCA and the cases in which it applies.
Part 2 will then focus on the statements of EBA on SCA under PSD2 in its Discussion Paper of December 8, 2015 and will summarize the responses of the relevant stakeholders in the market to this Discussion Paper.
Part 3 will analyze the Consultation Paper on the draft RTS that the EBA just published and provide a first overview of the draft RTS and how it influences the way to apply SCA.
1. What is SCA? Nothing completely new, but now it’s mandatory
First of all it is worth noting that PSD2 is based on a specific understanding of SCA, which partly differs from what one may consider the “normal” understanding of the term. Pursuant to Art 4 no. 30 PSD 2 SCA is an authentication that
a. is based on the use of two or more independent elements, categorized as
- Knowledge (such as a password or security question)
- Possession (such as a personal device, OTP token or ‘digi-pass’)
- Inherence (such as fingerprint, iris recognition, electrocardiogram),
b. ensures the elements are independent from one another, in that the breach of one does not compromise the reliability of the others, and
c. is designed in such a way as to protect the confidentiality of the authentication data.
In order to comply with SCA, the payment service credentials can either be a valid combination of the chosen elements themselves or something which is only generated once all elements have been provided.
In addition to these general requirements, Art. 97 (2) PSD2 provides for a specific requirement if a payer initiates an electronic payment transaction. In such a case SCA shall include elements dynamically linking the transaction to a specific amount and a specific payee. While many solutions on the market already comply with these requirements (e.g. picture TAN with separate devices, or reading devices with a chip card (Chip TAN)), each PSP will need to review whether the solutions it uses comply with these requirements.
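To make the two requirements above concrete, here is an added illustration (not code from the article, nor any PSP's or the EBA's reference design) of how a PSP might verify a transaction against two independent elements and the dynamic-linking rule of Art. 97 (2): a knowledge element (a PIN, of which the PSP stores only a salted hash) and a possession element (a device-bound key, standing in for an OTP token) whose authentication code is computed over the exact amount and payee. All keys, the PIN, the payee identifier and the per-transaction challenge are constructed sample values; the 8-digit truncation mirrors common OTP practice but is an assumption of this example, not something the directive prescribes.

```python
import hashlib
import hmac

# Constructed sample data for one hypothetical payer. In a real deployment the
# device key would be provisioned to the payer's token/app and the PIN hash
# stored by the PSP; the PIN itself is never stored.
DEVICE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4711", PIN_SALT, 100_000)


def canonical_transaction(amount: str, payee: str, challenge: str) -> bytes:
    """Unambiguous byte encoding of the fields the code is bound to.

    Each field is length-prefixed so that two different (amount, payee)
    pairs can never encode to the same byte string (e.g. "10"+"0X" vs
    "100"+"X"), which would otherwise break the dynamic link.
    """
    parts = []
    for field in (amount, payee, challenge):
        data = field.encode("utf-8")
        parts.append(len(data).to_bytes(2, "big") + data)
    return b"".join(parts)


def generate_code(device_key: bytes, amount: str, payee: str, challenge: str) -> str:
    """Payer side: the possession element computes an authentication code
    that is dynamically linked to the specific amount and payee.

    Assumed: the device shows amount and payee to the payer before computing
    the code, so the payer confirms what is actually being authorised.
    """
    mac = hmac.new(device_key, canonical_transaction(amount, payee, challenge),
                   hashlib.sha256).digest()
    # Dynamic truncation to an 8-digit code for display/entry (OTP-style).
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def verify_transaction(pin: str, code: str, amount: str, payee: str, challenge: str) -> bool:
    """PSP side: both elements must verify, and the code must match the
    transaction the PSP is about to execute, not the one the payer thinks
    they entered. A tampered amount or payee therefore fails verification.
    """
    # Knowledge element: constant-time comparison of the derived PIN hash.
    knowledge_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), PIN_SALT, 100_000),
        PIN_HASH)
    # Possession element: recompute the code for the transaction as the PSP
    # sees it; the challenge is assumed to be a fresh per-transaction value
    # issued and remembered by the PSP, so a captured code cannot be replayed.
    expected = generate_code(DEVICE_KEY, amount, payee, challenge)
    possession_ok = hmac.compare_digest(expected, code)
    # Evaluate both before deciding so that a failure of one element does not
    # reveal which one failed through timing.
    return knowledge_ok and possession_ok


if __name__ == "__main__":
    challenge = "c0ffee"  # constructed; per-transaction in practice
    amount, payee = "100.00", "PAYEE-A"
    code = generate_code(DEVICE_KEY, amount, payee, challenge)
    print("genuine transaction:", verify_transaction("4711", code, amount, payee, challenge))
    print("amount changed in transit:", verify_transaction("4711", code, "1000.00", payee, challenge))
    print("payee changed in transit:", verify_transaction("4711", code, amount, "PAYEE-B", challenge))
    print("wrong PIN:", verify_transaction("0000", code, amount, payee, challenge))
```

Note that the two elements remain independent only if the PIN is entered on, and the device key held by, components that do not share a compromise path; the code above cannot enforce that, it only shows the verification logic a PSP would run once both elements reach it.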
In this regard it is particularly interesting that the way PSD2 defines SCA differs from the understanding the EBA has expressed in its SECUREPAY Guidelines as of December 19th 2014. While the SECUREPAY Guidelines required that at least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet, the PSD 2 definition of the term SCA does not include such a requirement anymore. On the other hand the “dynamic linking” requirement (cf. above) for electronic payment transactions has been newly introduced in PSD2, but is not required under the SECUREPAY Guidelines.
Note: Keep in mind that compliance with the SECUREPAY Guidelines requirements on SCA does not necessarily mean compliance with the PSD2 requirements.
2. When to apply SCA?
Art. 97 (1) PSD2 provides for a broad range of scenarios in which PSPs will have to implement SCA. Implementation of SCA will be mandatory for:
- Any online access to a payment account (Art. 97 (1) (a) PSD2);
- Any initiation of an electronic payment transaction (Art. 97 (1) (b) PSD2); and
- Any action, through remote channel, which may imply a risk of payment fraud or other abuse (Art. 97 (1) (c) PSD2).
On December 8, 2015 the EBA issued a “Discussion Paper on future Draft Regulatory Technical Standards on strong customer authentication and secure communication under the revised Payment Services Directive (PSD2)” (for details on the Discussion Paper see section 3 below) in which it further specifies its understanding of Art. 97 (1) PSD2. In the Discussion Paper the EBA emphasized that it understands “online access to a payment account” (Art. 97 (1) (a) PSD 2) as
“all services where a Payment Service User is using a device (e.g. PC, mobile device, chip card, ATM) to log into the payment account to retrieve information on the payment account.”
The EBA also seems to have a very broad understanding of Art. 97 (1) (c) PSD2, as it suggests clarifying that this covers
“all actions intrinsically linked to payment services not covered in the categories (…) above”.
3. Challenges for PSP and a potential way out?
Considering the above list and the above-quoted statements of the EBA, it is easy to see that SCA will influence a lot of different payment services. The broad scope is particularly obvious if one takes into account that (i) Art. 97 (1) (a) applies completely independently of the actual risk involved in such online access to a payment account and (ii) the EBA also requires SCA for “all actions intrinsically linked to payment services” not covered in Art. 97 (1) (a) and (b). Bearing in mind that SCA in the sense of PSD2 requires the user of an online service (e.g. e-commerce stores) to undergo a rather cumbersome procedure and may often go hand in hand with media disruption, SCA will most likely considerably hinder the consumer experience and thus have a negative effect on conversion rates. This presents a major challenge both for the evolving Fintech industry and for e-commerce businesses.
In addition, the European legislator has, in opting to prescribe SCA, declared a specific technical solution as mandatory. Such a regulatory approach is critical for two reasons: First, this will likely have a negative impact on the development of new technologies which may provide for an alternative, possibly even safer, authentication than SCA, since such an alternative authentication mechanism could only be used in addition to, but not instead of, SCA. Secondly, this may actually make payment services less safe in the long run, as potential fraudsters can focus on circumventing a specific technical approach (SCA in this case).
Finally, the definition of SCA (cf. 1 above) may raise certain questions. To name just one: the requirement for independent authentication elements may be problematic if the (mobile) device via which the payment service user accesses his account at the same time contains his credentials (e.g. in a hardware or software layer) or is used to receive the credential (e.g. via SMS).
Fortunately, the European legislator seems to have been aware of these challenges, and Art. 98 PSD2 provides a possible solution. Pursuant to Art 98 (1) (b) PSD 2 the EBA has been tasked with working out so-called Regulatory Technical Standards (“RTS”) setting forth, inter alia, the exact requirements of SCA and exemptions from the obligation to apply SCA pursuant to Art. 97 (1) PSD 2. These requirements and exemptions may, if carefully drafted, mitigate the challenges with regard to consumer convenience and provide for a well-balanced regulatory framework for SCA.
In Part 2 of this short series of articles, we will take a look at the feedback from the market to the EBA’s Discussion Paper.