EBA consults on strong customer authentication and common and secure communication under PSD2

Summary of the consultation paper

On 12 August 2016, the EBA issued a consultation paper for strong customer authentication under PSD2; the revised payments framework will be applicable from 13 January 2018. The Regulatory Technical Standard (RTS) complement the requirements of the PSD2 and possess the common objective of ensuring that Payment Service Providers (PSPs) maintain business models which are able to continuously adapt to evolving fraud scenarios. PSPs are therefore required to innovate on an ongoing basis to ensure that they continue enhancing the security of the communication venue through which they accept instructions from their customers.

Particularly, the RTS focus on:

• Ascertaining that PSPs strive to maintain the integrity and confidentiality of the Personalised Security Credentials (PSCs) provided to their customers or payment service users (PSUs).
• Fortifying the procedure and technological elements through which customers authorise or initiate payments. PSPs are required to validate payments by using two or more authentication elements categorised as:

- Knowledge – Something which only the user knows such as a PIN or password.

- Possession – Something which only the user possesses such as a card or authentication code generating device.

- Inherence – Something which the user is such as voice recognition or fingerprint matching.

• Additionally, the procedure dictating the strong customer authentication shall entail mechanisms to prevent, detect and deflect fraudulent attempts for payment transactions prior to the PSPs’ final validation.
  

Why the focus on strong customer authentication and secure communication?

Investment in systems, procedures and controls is arguably a top priority for PSPs in their quest to increase the security of the communication venue with their customers. Innovative methods of customer authentication serve to respond to the ongoing and evolving threats posed by cyber-crimes and fraud in payments. Such attempts, if successful, pose a serious and real operational threat for institutions which process payments. Earlier this year, the Central Bank of Bangladesh was subject to a successful cyber-attack which resulted into the siphoning at least $81mln spread over just a small number of transactions.

The draft RTS makes reference to authentication elements based on fixed characteristics of each and every individual PSU, characterised as biometric technology which would include facial and voice recognition. The introduction of such technology would come at relatively steep costs of implementation however it could also provide for a step forward in terms of security for payment transactions.

On a separate albeit related note, a number of global banks are also exploring the potential that the Blockchain technology might have for the clearing of derivatives contracts and the settlement of payment transactions. It has been argued that Blockchain could help institutions reduce the overall cost and improve the security behind their payment services infrastructure. Although the concept of applying this technology to payment services is still in its embryonic phase, its eventual success among PSPs could trigger a discussion as to whether Blockchain falls within the scope of the current PSD2 or otherwise. 

How can we help?

Gap analysis on policies and procedures. Alignment of payment services policies and procedures to the requirements of the revised PSD2 and EBA regulatory technical standards.

Cyber security testing. The combination of our experience in penetration testing and cyber threat intelligence as well as our collaboration with a specialised team from within the Deloitte network will ensure that your cyber resilience framework is best-in-class.