Both the EU Commission and the ECB are actively working to make internet payments more secure. The ECB formed a forum of European central banks and supervisory authorities, called SecuRe Pay, to discuss and eventually agree on a set of rules for enhancing the security of internet payments. One of the most important of these rules is strong customer authentication when making internet payments or accessing payment data. The rules were finally issued as recommendations of the ECB in January 2014. In July 2014, the EU Commission included the same basic rule on strong customer authentication in its proposal for a Second Payment Services Directive (PSD2).
Art 87 of the Draft-PSD2
Under the Draft-PSD2, strong customer authentication should be applied if a payer initiates an electronic payment. The Draft-PSD2 does not define the term “electronic payment”. Whereas Recital 2 differentiates between “electronic” and “mobile” payment, Article 87 does not make such a distinction, thus appearing to encompass both. Following a first reading, no changes to Article 87 were proposed by the EU Parliament. “Strong customer authentication” is defined under the Draft-PSD2 as a procedure to verify the validity of a payment instrument based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data. The Draft-PSD2 does not provide further rules for strong authentication methods, but empowers the EBA to define exemptions / alternative methods for authentication.
It is expected that PSD2 might enter into force in spring 2015, which will trigger a two-year period in which member states must transpose the directive into national law. Given the concept of full harmonisation of PSD2 (also PSD1), the member states may not deviate from the provisions of the directive in their transposing acts.
SecuRe Pay Internet Recommendations
The SecuRe Pay Internet Recommendations apply to internet payments. A number of transactions are exempted, including brokerage, instruction by post, mobile, TPP payments, certain anonymous prepaid card payments and clearing & settlement. The definition of strong customer authentication contained in the Recommendations is almost identical to that in the Draft-PSD2; however, the Recommendations contain much more detailed additional rules. For example, they clearly outline which PSP is responsible: the PSP issuing payment instruments must conduct the strong authentication and provide cards that are enabled for strong authentication; the acquiring PSP must enable strong authentication and must oblige the merchant to maintain a solution which enables strong authentication; card schemes must adapt liability rules accordingly.
Additional requirements include that, firstly, two elements for authentication from two different categories are used, secondly, that they must be mutually independent, and, thirdly, that one element must either be non-reusable / non-replicable etc. or must be an inherence element.
PushTAN as one element of a strong customer authentication method
PushTAN could be an example of strong customer authentication under the Recommendations. It is a One Time Password (OTP), which would be non-reusable / non-replicable. It would contain an element of possession (i.e. the TAN generating device).
PSPs would have to ensure certain security standards. They must ensure that the PushTAN and the generating procedures (cryptographic keys, software, key for digital signatures) cannot be stolen. The second authentication element must be independent of the first; if a PIN is used to generate the TAN, further procedures must be used. The elements must be certified by a national authority or experts and must have survived penetration and vulnerability testing. TANs must be generated via secure devices and procedures, be based on publicly available and acknowledged standards and be secured between generation and usage. Finally, the payment device and the TAN generating device must be independent; it is unclear whether separate channels on the same device will suffice.
In addition to the TAN, a second authentication element is required. This element would have to stem from the knowledge category (e.g. a PIN) or from the inherence category.
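The three requirements listed above, applied to the PushTAN combinations discussed in this section, as an added example that is not part of the original article or of the Recommendations. The `depends_on` and `device` fields and the sample elements are modelling assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

CATEGORIES = ("knowledge", "possession", "inherence")

@dataclass(frozen=True)
class Element:
    name: str
    category: str                # one of CATEGORIES
    non_reusable: bool = False   # e.g. a one-time TAN
    depends_on: tuple = ()       # assumption: names of elements needed to produce this one
    device: str = ""             # assumption: label of the device that generates it

def check_sca(elements, payment_device=""):
    """Return (violations, open_points) for one authentication attempt."""
    violations, open_points = [], []
    for e in elements:
        if e.category not in CATEGORIES:
            raise ValueError(f"unknown category for {e.name}: {e.category}")
    # Requirement 1: two elements from two different categories.
    if len({e.category for e in elements}) < 2:
        violations.append("fewer than two categories")
    # Requirement 2: mutual independence (breach of one must not expose another).
    for a, b in combinations(elements, 2):
        if a.name in b.depends_on or b.name in a.depends_on:
            violations.append(f"{a.name} and {b.name} are not independent")
    # Requirement 3: one element is non-reusable / non-replicable or inherence.
    if not any(e.non_reusable or e.category == "inherence" for e in elements):
        violations.append("no non-reusable or inherence element")
    # TAN device vs. payment device: the same-device case is left open in the text,
    # so it is reported for review rather than as a violation.
    for e in elements:
        if payment_device and e.device == payment_device:
            open_points.append(f"{e.name} is generated on the payment device")
    return violations, open_points

# Constructed sample elements.
PIN = Element("pin", "knowledge")
PUSHTAN = Element("pushtan", "possession", non_reusable=True, device="phone")
PIN_BOUND_TAN = Element("tan", "possession", non_reusable=True, depends_on=("pin",))
PASSWORD = Element("password", "knowledge")

if __name__ == "__main__":
    for combo in ([PIN, PUSHTAN], [PIN, PIN_BOUND_TAN], [PIN, PASSWORD]):
        print([e.name for e in combo], check_sca(combo, payment_device="phone"))
```

A PIN plus a PushTAN passes all three requirements, while a TAN that is derived from the same PIN fails the independence requirement even though two categories are present.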
Under the Recommendations, PSPs can consider adopting alternative customer authentication measures. The Recommendations explicitly provide for some alternative methods. However, the Recommendations follow the principle of “comply or explain/justify”. PSPs are therefore allowed to deviate from the Recommendations, if they are able to explain the equivalence of the alternative method to their national supervisory authority.
The Recommendations provide for the following alternative methods, which may also serve as an example for other alternatives: for credit transfers, e-mandates and e-money transactions over the internet, such alternative measures can be adopted for outgoing payments to trusted beneficiaries included in a previously established white list for that customer, transactions between two accounts of the same customer held at the same PSP, transfers within the same PSP justified by a transaction risk analysis, and low-value payments within the meaning of the PSD.
When using these alternative measures, the Recommendations set additional requirements including a documented security evaluation (made or procured by PSP) of the alternative method, a strong authentication for the modification of the white list, and a transaction risk analysis for the third alternative, e.g. low risk payments against predefined categories or a defined total value / total number for successive low value payments.
Recommendations vs. PSD2
The final version of the Recommendations was published in January 2014, representing the beginning of the implementation period. The Recommendations state that they will enter into force on 1 February 2015. However, the Recommendations are not a statute but a recommendation by the ECB. In other words, they do not create binding law. On www.fca.org the British FCA has announced that it will “wait until EBA issues guidance” before implementing the Recommendations. As regards Art 87 PSD2, the rules to be issued by the EBA thereunder and the national transposition laws, the theory of legal sources provides that these will take precedence over the Recommendations.