Industry Briefing Strong authentication of Internet Payments in Europe - the new PSD2

Transcription

1 Industry Briefing Strong authentication of Internet Payments in Europe - the new PSD2

2 Copyright 2015 VASCO Data Security. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc. Trademarks MYDIGIPASS.com, DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. Any trademark that is not owned by Vasco that appears in the document is only used to easily refer to applications that can be secured with authentication solutions such as the ones discussed in the document. Appearance of these trademarks in no way is intended to suggest any association between these trademarks and any Vasco product or any endorsement of any Vasco product by these trademarks proprietors. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

3 Table of Contents Introduction What happened previously Strong customer authentication under PSD2 Implementation of PSD2 Conclusions Research Sources

4 Introduction On October 8th, the European Parliament adopted the revised Directive on Payment Services, also known as PSD2 (1).The new directive, which is the long awaited successor of the first Payment Services Directive from 2007, aims to harmonize the European retail payments market, which is very much fragmented along national borders, and foster the adoption of innovative, easy-to-use and secure payment schemes. In this article I will provide an overview of the requirements of PSD2 regarding the authentication of consumers involved in a payment, which was a topic generating lots of discussions among members of the European Parliament during the past years. 4

5 What happened previously EBA Upgrade PSD2 is the latest development in a series of European regulatory initiatives aimed at securing Internet payments. These initiatives intend to combat Card-Not-Present (CNP) fraud and increase the confidence of European citizens regarding e-commerce, e-banking and other online activities. In January 2013, the SecuRe Pay forum of the European Central Bank (ECB) published its final recommendations (2) for the security of Internet payments. In February 2014, SecuRe Pay also published an assessment guide (3) to help regulatory authorities apply the ECB s recommendations. In order to provide a more solid legal basis to the ECB s recommendations, in December 2014 the European Banking Authority (EBA) published its final guidelines (4) on the security of Internet payments, which are almost identical to the ECB s recommendations. Since the negotiations for the PSD2 were still ongoing a two-step approach was chosen for the implementation of the EBA guidelines: immediate implementation as of August 1st 2015, followed by an upgrade with the more stringent regulations derived from the PSD2. On May 21st 2015, the EBA published the list of European national authorities that intended to enforce the guidelines. 5

6 Strong customer authentication under PSD2 PSD2 uses the same definition of strong customer authentication as the EBA guidelines, which is based on the traditional concept of two-factor authentication. Strong customer authentication is defined as an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data. Under article 97(1) of PSD2, Payment Service Providers (PSPs) must apply strong customer authentication where the payer:(a) accesses its payment account online; (b) initiates an electronic payment transaction; [or] (c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses. So far this is very similar to the EBA guidelines. However, article 97(2) of PSD2 goes a step further for electronic remote payment transactions, which includes all transactions over the Internet. For such transactions, 6

7 Payment Service Providers must apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee. This could also be referred to as strong payment authentication. Strong Authentication Draft regulatory technical standards will be developed by the EBA and submitted to the European Commission that will specify: (a) the requirements of the strong customer authentication; (b) the exemptions to the application of [strong customer authentication]; (c) the requirements with which security measures have to comply [ ] in order to protect the confidentiality and the integrity of the payment service users personalised security credentials; and (d) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for implementation of security measures [ ]. 7

8 Implementation of PSD2 Following the European Parliament s vote, PSD2 still needs to be formally adopted by the EU Council of Ministers, which will happen in late Afterwards the Directive will be published in the Official Journal of the EU. EU Member States will then have two years to introduce the necessary changes in their national laws in order to comply with the new rules. Hence PSD2 is expected to come into effect in late PSD2 Guidelines However, a different adoption schedule applies to the requirements regarding strong customer authentication. PSD2 tasks the EBA with the development of technical standards for strong customer authentication. The EBA must submit the draft technical standards to the European Commission not later than 12 months after PSD2 comes into effect. The standards will come into effect 18 months after their adoption by the European Commission. As a consequence, the standards for strong customer authentication will come into effect about 30 months or 2.5 years after PSD2, hence in The EBA guidelines remain applicable as an interim solution, until PSD2 comes into effect. 8

9 Conclusion The arrival of PSD2 is good news for the harmonization of Internet payment security across Europe. Contrary to the EBA guidelines, national regulatory authorities cannot opt out from PSD2, as it will be translated into national law by the EU Member States. This means also countries such as the UK, who opted out from the EBA guidelines, will be subject to PSD2 and its requirements regarding strong customer authentication. Strong customer authentication is an important component of the new retail payment market envisioned by the European legislators. Although strong payment authentication is already common practice in online banking services in many European countries, it may present a significant step for e-commerce services and may impact the check-out processes of e-commerce merchants. Hence e-commerce merchants will need to find secure but also convenient authentication mechanisms. More details about the precise requirements and standards regarding strong customer authentication can be expected in 3 to 4.5 years. Taking into account that Payment Service Providers in most EU Member States already have to comply with the very similar EBA guidelines since August 1st of this year, these additional standards seem to come rather late. Finally, it remains to be seen how PSD2, which heavily focuses on the authentication aspects of payments, will integrate with the EBA guidelines. The security requirements put forth in the EBA guidelines have a broader scope than authentication, and also focus on security requirements such as the need for transaction monitoring and customer education. 9

10 Research Sources (1) (2) recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf (3) (4) urity+of+internet+payments%29_rev1 About Frederik Mennes Frederik heads VASCO s Security Competence Center, working on the security aspects of VASCO s products and infrastructure. He is a regular speaker at industry events and conferences about security technology, and a contributor to the Initiative for Open Authentication (OATH). Besides his role at VASCO, Frederik has supported the Information Security Group (ISG) at Royal Holloway, University of London in various educational roles. He earned an MBA from Vlerick Business School (Belgium), an M.Sc. in Information Security from Royal Holloway, University of London, and an M.Sc. in Computer Science Engineering from KU Leuven, Belgium. Follow Frederik on Twitter (@FMennes) or connect on LinkedIn. About VASCO VASCO is the world leader in providing two-factor authentication and digital signature solutions to financial institutions. More than half of the Top 100 global banks rely on VASCO solutions to enhance security, protect mobile applications and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, E-commerce, government and healthcare markets. Learn more about VASCO at or visit blog.vasco.com 10