Authentication and communication between payment service providers
The long-awaited draft regulatory technical standards (RTS) to PSD2 have just been published
Legal Alert (19/2016)
The requirements on strong customer authentication and on common and secure open communication are beginning to take shape. On 12 August 2016, the European Banking Authority (EBA) published draft regulatory technical standards (RTS) which set out the more detailed provisions that PSD2 (the revised Payment Services Directive) mandates the EBA to draw up.
Market participants had been awaiting the draft RTS because the new rules may have a considerable impact on their operations: they impose new obligations, generate new costs (in particular for building dedicated interfaces) and open the market to TPP (third-party providers, i.e. entities offering account information and payment initiation services).
The task undertaken by EBA was not simple. It required balancing directly competing interests, that is:
- ensuring a high level of security on the one hand (which would require the imposition of very detailed regulations at the technology level); and
- the wish to facilitate innovation in payment services on the other (which would suggest fairly general rules, so that market participants can work out the solutions they consider most appropriate and keep them aligned with new technologies and, therefore, with new threats).
A new version of strong authentication requirements
The draft RTS set out the key strong authentication requirements and provide a list of exemptions from the obligation to perform the procedure. EBA has proposed that, in the interest of user security, the RTS list of exemptions be exhaustive, i.e. that payment service providers be unable to grant exemptions in circumstances other than those specified expressly in the regulations.
Strong authentication is a procedure by which the payment service provider verifies the identity of the payment service user, or the validity of the use of a specific payment instrument, based on two or more of the following elements:
- knowledge (something only the user knows);
- possession (something only the user possesses);
- inherence (something only the user is).
In addition, the elements selected must be mutually independent, i.e. the breach of one must not compromise the reliability of the others, and the procedure itself must protect the confidentiality of the authentication data.
As a rule, strong authentication is obligatory where:
- the payer gets access to its payment account online;
- the payer initiates an electronic payment transaction;
- the payer carries out any action through a remote channel which may imply a risk of payment fraud or other abuse.
The proposed exceptions to the strong authentication rule apply to the following circumstances:
- the payer accesses information concerning their account (or consolidated information on a number of accounts) without disclosing any sensitive payment data (unless such access is gained for the first time or more than a month after the last strong authentication);
- the payer initiates a low-value contactless payment at a POS (e.g. at a retailer's), provided that a single payment does not exceed 50 euro;
- the payer initiates a low-value remote payment, provided that a single transaction does not exceed 10 euro;
- the payee is on the payer's list of trusted beneficiaries (a so-called whitelist);
- the transaction is carried out between two accounts held for the same person (or entity) with a single provider.
Importantly, account-servicing payment service providers will have to allow TPP to rely on the strong customer authentication procedure that the account provider itself applies to its customers.
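The definition of strong authentication and the exemption list above translate naturally into a decision procedure: first check whether an exemption applies, and only otherwise demand two elements from distinct categories. The following Python is an added illustration written for this page, not code from the EBA or from any provider; the 50 and 10 euro limits are the draft figures quoted above, the "more than a month" rule is read as 30 days, and the request fields and sample requests are constructed assumptions for the example.

```python
"""Illustrative SCA decision logic modelled on the draft RTS summary above.

Thresholds and the 30-day reading of "more than a month" are taken from the
text of this alert and are assumptions for this example, not the final RTS.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from enum import Enum
from typing import Optional, Sequence


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something only the user is


# Draft thresholds as summarised in the alert (assumed values for this example).
POS_LOW_VALUE_LIMIT = Decimal("50")
REMOTE_LOW_VALUE_LIMIT = Decimal("10")
ACCOUNT_INFO_SCA_VALIDITY = timedelta(days=30)  # "more than a month" read as 30 days


def is_strong_authentication(factors: Sequence[Factor]) -> bool:
    """Two or more elements from at least two *different* categories.

    Two knowledge elements (password + security question) are not independent
    in the RTS sense, so they do not count as strong authentication.
    """
    return len(set(factors)) >= 2


@dataclass
class Request:
    kind: str                      # "account_info", "pos_payment", "remote_payment", "transfer"
    now: datetime
    amount_eur: Decimal = Decimal("0")
    last_sca: Optional[datetime] = None   # None means the account has never been accessed with SCA
    discloses_sensitive_data: bool = False
    payee_whitelisted: bool = False
    same_owner_same_provider: bool = False


def exemption(req: Request) -> Optional[str]:
    """Return the name of the applicable exemption, or None if SCA is required."""
    if req.kind == "account_info":
        if req.discloses_sensitive_data or req.last_sca is None:
            return None  # sensitive data, or first access: SCA required
        if req.now - req.last_sca > ACCOUNT_INFO_SCA_VALIDITY:
            return None  # last SCA is older than a month: SCA again
        return "account_info_recent_sca"
    if req.kind in ("pos_payment", "remote_payment", "transfer"):
        if req.payee_whitelisted:
            return "trusted_payee"
        if req.kind == "pos_payment" and req.amount_eur <= POS_LOW_VALUE_LIMIT:
            return "low_value_pos"
        if req.kind == "remote_payment" and req.amount_eur <= REMOTE_LOW_VALUE_LIMIT:
            return "low_value_remote"
        if req.kind == "transfer" and req.same_owner_same_provider:
            return "same_owner"
        return None
    return None  # unknown request kind: fail closed and require SCA


def decide(req: Request, presented: Sequence[Factor]) -> str:
    """Apply the exhaustive exemption list first; otherwise require valid SCA."""
    ex = exemption(req)
    if ex is not None:
        return f"exempt:{ex}"
    return "authenticated" if is_strong_authentication(presented) else "rejected"


if __name__ == "__main__":
    now = datetime(2016, 9, 1, 12, 0)
    # Constructed sample requests for demonstration only.
    samples = [
        (Request("account_info", now, last_sca=now - timedelta(days=10)), []),
        (Request("account_info", now, last_sca=now - timedelta(days=45)),
         [Factor.KNOWLEDGE, Factor.POSSESSION]),
        (Request("pos_payment", now, amount_eur=Decimal("49.99")), []),
        (Request("remote_payment", now, amount_eur=Decimal("10.01")),
         [Factor.KNOWLEDGE, Factor.KNOWLEDGE]),
        (Request("transfer", now, amount_eur=Decimal("500"), same_owner_same_provider=True), []),
    ]
    for req, factors in samples:
        print(req.kind, req.amount_eur, "->", decide(req, factors))
```

Note that the exemption is evaluated before the presented factors: a provider may not ask for "weaker" authentication outside the list, but equally does not need to reject a request that falls squarely within it. The fail-closed default for unknown request kinds reflects the draft's intent that the list be exhaustive.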
The RTS will apply from October 2018 at the earliest. At that time they will supersede EBA's strong authentication guidelines, which were implemented in Poland by the Polish Financial Supervision Authority's recommendation on the security of online payment transactions dated 17 November 2015.
Open communication standards
Payment service providers will be obliged to ensure secure, two-way communication between the payer's device and the device used for payment acceptance, for example by preventing unauthorised payment or data transfers.
Additionally, all payments and interactions with the user should be traceable, i.e. once they have occurred, it should be possible to retrieve information about each transaction or interaction step. This is to be achieved by assigning a unique identifier and a time stamp to each session.
It should be emphasised that the payment service provider maintaining the account will have to make available at least one interface which guarantees secure communication between providers and gives TPP and payment card issuers access to the necessary information (concerning the account, or whether sufficient funds are available). The interface should enable TPP to rely on the authentication carried out by the account provider. To ensure interoperability, it should comply with common market standards, specifically ISO 20022.
A synergy between PSD2 and eIDAS
The account provider should be able to tell that it is being contacted by another provider rather than by the customer itself. The draft regulatory technical standards therefore propose that this identification be carried out with qualified certificates issued in conformity with the eIDAS Regulation (Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market). Qualified certificates will be issued by qualified trust service providers. However, as EBA has noted, thus far no entities have applied for the status of qualified trust service provider.