The European Banking Authority (EBA) has published its ‘final’ draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and secure communication under PSD2. PSD2 and, particularly, the SCA aspect can dramatically change the payments sector and the broader banking market. It has been the subject of heated discussions and aggressive lobbying.
Therefore, the market has been waiting to view and digest the finalized standards with bated breath. The final RTS clarifies several ambiguities in the draft version and covers a great deal of ground. However, like a Christopher Nolan movie, it still leaves you hanging with unanswered questions at the end.
With the document standing at more than 150 pages, it can be difficult to identify the major points and key changes. To help, here’s a distillation of the paper, covering 10 points we believe the market needs to heed:
The RTS does not provide definitions of the interfaces needed. Luckily, some industry groups (e.g., Berlin Group) have come together to define common standards, and the European Retail Payments Board (ERPB) has convened working groups to facilitate this process. Of course, it’s up to the banks to define their interfaces, but at least they will have some de-facto standards on which to base them on.2.
Rationale 32 says that screen scraping will no longer be allowed, but something that looks a lot like screen scraping is still allowed. TPPs using this interface must digitally sign the messages to identify themselves, which is at least a step forward; however, other security holes associated with screen-scraping remain. If a bank provides a dedicated (API) interface, TPPs must use it.
It is up to the bank to authenticate their customer. Recital 14 now says that PIS Providers have the right to rely on the authentication procedures provided by the bank; there is no right in the opposite direction. Therefore, PISPs (payments initiative service providers) must pass control to the bank to authenticate the customer – the PISP can’t apply its own authentication and then tell the bank just to do it.
Article 4.1 says that The authentication code shall be accepted only once. This is fine for single payment initiation, but the RTS allows TPPs to initiate a series of payments and retrieve account information, with SCA applied only the first time. Presumably, the original authorization code must be presented for all subsequent accesses, but this is not compatible with only one provision in 4.1.
The authentication code has to be dynamically linked to the transaction details for payment transactions. There’s a possible gap because the amount and payee are dynamically linked, but not the payment reference. In cases where the reference determines the beneficiary, such as credit card payments, this could become a security vulnerability.
This is the area of the RTS that has changed most and has become more practical. Changes include:
Whereas the previous draft mandated real-time fraud detection to prevent, detect and block fraudulent payments, the final draft allows for a more nuanced risk analysis approach, with high-risk transactions being blocked for suspected fraud and low-risk transactions potentially bypassing SCA. There is also a specific approach with clearer reporting and processing procedures.
The final draft still says that ASPSPs (account servicing payment service providers), effectively banks, must provide AIS with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly accessing the information, provided that this information does not include the display of sensitive payment data. Sensitive is still not defined, leaving it to the bank to decide what to redact.
The EBA has put aside its doubts and firmly mandated the use of Digital Certificates (or qualified certificates for electronic seals or website authentication, as the regulation would have it) issued under Regulation 910/2014, aka eIDAS. Given the extended timeline for enforcement of the RTS – November 2018 being the earliest date, with serious discussion of April 2019 – there is still time for organizations to step up and put the required infrastructure in place to move eIDAS from dream to reality.
Unless a card transaction falls under one of the exemptions, it must go through SCA. Vendors have rushed out solutions such as Dynamic CVV, where the CVV on the card changes regularly. Using this as one of the SCA components proves possession, which along with knowledge satisfies the ‘two-factor’ requirement. It looks like 3D-Secure 2.0 will be sufficient to allow SCA exemptions to be applied, but if the transaction is not exempt, it’s up to the issuer to drive the SCA process.
The previous draft specified that multi-purpose devices (mobile phones and the like) used a Trusted Execution Environment (TEE) for security. TEE is a well-defined, tried, and tested standard, but it seems the EBA has caved in to pressure from organizations lobbying for non-standard (and in some cases, less secure) solutions. The RTS now mandates a ‘Secure Execution Environment,’ which has no current industry definition, so mobile security effectively becomes a free for all again. Caveat emptor!
The RTS has yet to be adopted by the European Commission, so there is still an opportunity for lobbying by member states, industry groups, and organizations. Be that as it may, it’s clear that no further significant clarifications will be forthcoming from the EBA. So it’s now up to banks, TPPs, and other payment service providers to get on with implementation, guided by national authorities, industry groups, compliance officers, and technology experts. The access to account services specified in PSD2 Articles 65-67 have to be available from January 2018, and even though the security and communications standards in the RTS do not become mandatory until the end of the transitional period, there’s sufficient clarity to start moving in that direction before the mandate.
To learn about Prove’s identity solutions and how to accelerate revenue while mitigating fraud, schedule a demo today.
Join over 1,000 businesses that rely on Prove across multiple industries, including banking, FinTech, healthcare, insurance, and e-commerce. Contact us today.
Contact us to learn how leading companies are using Prove Pre-Fill to modernize the account creation process by shaving off clicks and keystrokes that kill conversion.
Get in touch to find out how we can help you identify your customers at every stage of their journey and offer them seamless and secure experiences.
Let our expert team guide you through our identity verification and authentication solutions. Select a date and time that works for you.
Find out how we can help you deliver seamless and secure customer experiences that comply with PSD2/SCA. Select a date and time that works for you.