How does authentication work under the PSD2?

Authentication under PSD2: man with a credit card and a computer paying online
Monday, November 11, 2019

Extended version in Ku Leuven

Author: Danaja Fabčič Povše (KU Leuven)

The PSD2 (Payment Service Providers 2), adopted in 2015, is a full harmonization instrument, with limited exceptions, aiming to close the regulatory gaps while at the same time providing more legal clarity and ensuring consistent application of the legislative framework across the European Union. Generally, it applies to payment services provided by payment service providers, as laid out in the Annex to the directive. We can safely say that online banking falls under this definition (“execution of payment transactions, including transfers of funds”).

Its article 97 explicitly deals with authentication, stating that strong authentication is required for accessing payment accounts online, initiating electronic payment transactions and carrying out any action through a remote channel which may imply a risk of payment fraud or other abuses. Payment service providers, including banks, must have in place adequate security measures to protect the confidentiality and integrity of payment service users’ personalised security credentials. For electronic remote payment transactions, payment service providers apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.

The notion of Strong Customer Authentication (SCA) was recently further explained in so-called Regulatory Technical Standards (RTS), Commission delegated regulation 2018/389. SCA is described as a procedure (art. 1(a), emphasis added), implying that it is a dynamic rather than static notion. In order to comply with SCA, payment provider must ensure that authentication is based on two or more elements. They are categorised as knowledge, possession and inherence. In other words: in order to access a payment service, identity will be ascertained based on at least two of the following factors - something you know (e.g. a password or a PIN), something you have (e.g. confirmation through a second device – Google already does something similar for accessing Gmail on untrusted devices), or something you are (e.g. biometrics). There are some exceptions to requiring two-step authentication, for example for transactions below 30 EUR.