PSD2 Authentication Requirements: The Implementation Hurdles
Banks, Merchants, Processors Struggling to Comply With Mandate
Because banks, fintech firms, merchants and payments processors in the European Union have struggled to meet the Sept. 14 deadline for compliance with the new PSD2 "strong customer authentication" requirements for electronic payments, it may take a while for European consumers to notice authentication changes.
Back in June, the European Banking Authority, an EU regulatory agency, said that "on an exceptional basis" national regulators may be able to provide limited additional time for implementation. Subsequently, regulators in the U.K. announced in August they were delaying enforcement of the authentication requirements by 18 months - but only for online payments within the U.K.
In a statement, the Financial Conduct Authority, a regulator in the U.K., said: "All parties involved in card-not-present transactions, both FCA regulated and unregulated, should continue to work together over the next 18 months to ensure the smooth and timely implementation of SCA [strong customer authentication] by 14 March 2021 and the third parties should make every effort to move to API access where available as soon as possible during this period."
Financial experts say countries throughout Europe are delaying enforcement, following the example of the U.K.
Ethan Teng, head of growth at Recurly, a California-based software firm, tweeted that regardless of the status of enforcement efforts, banks and others need to continue preparations for compliance. He provided a country-by-country breakdown of the status of extending the PSD2 deadline, noting that many nations haven't firmed up the length of the delay.
Even though some countries have announced they will be delaying PSD2, 12 countries have made no official announcements. So, you should still be preparing for #PSD2 #SCA by the September 14 deadline. Here's the full list of extensions by EEA country https://t.co/zCA5nEYJJG— Ethan Teng (@ethanteng) September 9, 2019
The European Banking Authority tells Information Security Media Group that later this year, it will provide more information on an enforcement timeline with a goal of "a consistent deadline for the end of the migration plan."
PSD2, the Revised Payment Services Directive for the European Union, is designed to increase pan-European competition and participation in the payments industry, including fintech players, and harmonize consumer protections.
The strong customer authentication provision of the law requires the use of multifactor authentication to help improve security. Carrying out that mandate has proven difficult for a number of reasons, security experts say, including the development and implementation of the necessary APIs to pave the way for data exchange among many players.
The PSD2 provision requires authentication using at least two of the following three factors:
- Something the cardholder "knows," such as a password or PIN;
- Something the cardholder "has," such as a token or mobile phone;
- Something the cardholder "is," such as a fingerprint or voice match.
The Hurdles to Overcome
Security experts say many banks are not ready to comply with the PSD2 strong customer authentication requirement because they face technical and operational challenges as well as budgetary constraints.
"The bottlenecks for banks to comply with the PSD2 standards are the complexity of requirements owing to the competing environments of the third parties, particularly in the context of potential deployment of APIs, identity and security," says Gavin Littlejohn, chairman of the Financial Data and Technology Association, a global association for financial services companies.
Michael Lynch, chief strategy and product officer at Deep Labs, an IT services firm, says many European banks and payment service providers lack the necessary technologies to meet the authentication requirements.
"The problem is, it requires a deep understanding of technical and security components to understand and design a solution for the requirements. The banks are not geared up to provide a platform for the transaction risk analysis, leveraging data signals and new technologies such as context-aware machine intelligence."
Lynch says that banks preparing to comply with the new mandate need to make multiple investments beyond authentication technologies, such as malware detection and secure communication via encryption.
But one of the most significant challenges, security experts say, is putting in place the necessary APIs to enable authentication transactions with merchants, processors and fintech firms.
Littlejohn notes: "The banks, particularly those with older infrastructure, have found it difficult to execute high-quality and fully functional APIs according to the regulatory timetable. At the same time, the regulatory and technical standards have made it difficult to properly distinguish between legally required resources in the API and resources that the fintechs have demanded to make their services fully functional, which could be a bottleneck in meeting the deadline."
U.K.-based Steve Durbin, managing director of the Information Security Forum, says the PSD2 mandate "places an additional burden on banks to share information with a whole range of third-party organizations who may be newcomers to the industry and its regulations."
Steven Murdoch, chief security architect at OneSpan Innovation Center, a security solutions provider, says banks also face resistance from their customers. "Banks have to deal with a lot of unhappy customers if they introduce multifactor authentication," he says, because consumers aren't familiar with the technologies involved.
A recent survey of 442 banks in Germany, Belgium, Finland, Sweden, Spain, Denmark, France, the U.K. and Norway, conducted by Tink, a Swedish open banking platform, indicated that close to 50 percent of the banks had not yet complied with the strong customer authentication mandate.
More than 75 percent of merchants in the EU are unaware of the new authentication requirements, and less than 5 percent of merchants are currently using the 3D Secure 2.1 messaging protocol, one of the requirements for offering stronger authentication, according to research from UK Finance, a banking trade group.
Security experts say those involved in electronic payments must take a number of technical steps.
Murdoch says, for example, that dynamic linking is essential, which means there must be a way to trace the payment transaction end-to-end. This is possible through the generation of authentication codes subject to a set of strict security requirements.
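The dynamic-linking idea described above, as an added illustration that is not code from the article or from any vendor it mentions: the authentication code is computed over the specific amount and payee, so the bank can detect any change to either before executing the payment. The key, IBANs, nonce and truncation scheme are constructed sample values.

```python
"""Constructed illustration of PSD2 "dynamic linking": an authentication code
bound to the exact amount and payee, so altering either invalidates it.
Added example; not the article's or any bank's/vendor's implementation."""
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    amount_cents: int
    currency: str
    payee_iban: str
    nonce: str  # constructed per-transaction value so a code cannot be replayed


def _canonical(p: Payment) -> bytes:
    # Fixed field order and separator so device and bank MAC identical bytes.
    return f"{p.amount_cents}|{p.currency}|{p.payee_iban}|{p.nonce}".encode()


def issue_code(device_key: bytes, p: Payment, digits: int = 8) -> str:
    """Code the payer's enrolled device (the 'possession' factor) displays."""
    mac = hmac.new(device_key, _canonical(p), hashlib.sha256).digest()
    # Truncate to a short numeric code, as an OTP display would show it.
    value = int.from_bytes(mac[:8], "big") % (10 ** digits)
    return f"{value:0{digits}d}"


def verify_code(device_key: bytes, p: Payment, code: str) -> bool:
    """Bank side: recompute over the payment it is actually about to execute."""
    return hmac.compare_digest(issue_code(device_key, p), code)


DEVICE_KEY = b"constructed-demo-key-not-for-real-use"  # constructed sample key


def demo() -> dict:
    """Approve one payment, then check codes against tampered variants."""
    original = Payment(12_500, "EUR", "DE00000000000000000000", "nonce-1")
    code = issue_code(DEVICE_KEY, original)
    changed_amount = Payment(99_900, "EUR", original.payee_iban, "nonce-1")
    changed_payee = Payment(12_500, "EUR", "DE11111111111111111111", "nonce-1")
    replayed = Payment(12_500, "EUR", original.payee_iban, "nonce-2")
    return {
        "original_ok": verify_code(DEVICE_KEY, original, code),
        "amount_changed_ok": verify_code(DEVICE_KEY, changed_amount, code),
        "payee_changed_ok": verify_code(DEVICE_KEY, changed_payee, code),
        "replay_ok": verify_code(DEVICE_KEY, replayed, code),
    }
```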
Another critical component, Lynch says, is ramping up risk assessment using machine learning to support real-time decisions.
A New Approach to Authentication
Germany's Volkswagen Bank has implemented advanced security technology for mobile transactions to help meet the PSD2 authentication requirement, says Mario Bandau, a project manager at the bank. The bank is using a visual transaction signing solution. It applies a graphical cryptogram made of colored dots to encrypt transaction details, which can only be read by a trusted device.
"The solution helps banks counter account takeovers as well as banking Trojans such as man-in-the-browser attacks by establishing a secure connection between the device and the bank, and this is an additional factor of authentication," he says.
In the U.K., regulators will work with industry representatives to track progress toward compliance with the PSD2 authentication mandate, says Jonathan Davidson, executive director of supervision in the retail and authorizations division of the Financial Conduct Authority.
"The FCA will also continue to monitor the extent to which banks and payment service providers are meeting its expectation that they consider the impact of SCA [strong customer authentication] on different groups of consumers, and provide alternative means of authentication where needed," he adds.