PSD2 dynamic linking

The Payment Services Directive 2, also known as PSD2, is a legislation that regulates payment services and payment service providers across countries of the European Union and the European Economic Area. The principal aim of this directive is to open the banking industry to new players that can provide innovative solutions regarding payment services and simplify online payments and transfers. However, another crucial aspect of this legislation is to address the increased risk of fraud for online bank operations, including transactions and access to the account, by providing new security requirements that demand more secure identity checks when paying online. These regulatory requirements include Strong Customer Authentication, also known as SCA, and Dynamic Linking. Strong Customer Authentication helps to reduce the risk of fraud and make online and numerous offline payments more secure due to multi-factor authentication. In particular, SCA requires all payment service providers to use at least two out of three authentication elements to verify electronic payments. These authentication elements include knowledge, in other words, something that consumer knows, for instance, password, possession, in other words, something that consumer owns, such as a token or smartphone, and inheritance, or something the consumer is, for example, fingerprint or facial recognition. Like SCA, dynamic linking also is intended to increase security against online payment fraud. However, dynamic linking enhances SCA as it specifically aims to link each transaction to its value and the recipient.


PSD2 dynamic linking explained

As already mentioned, dynamic linking is an additional requirement of PSD2 in regard to the security of electronic remote payment transactions. Most well-known examples of these transactions include the instigation of money transfers by consumers through their banking app and card-based payments on the sellers' website. Through dynamic linking, payment service providers can link each of these transactions to its amount or the recipient. This linkage is available due to a single-use authentication code or token generated by payment service providers only for a specific payment value and recipient every time a consumer makes a payment. Payment service providers, through PSD2 dynamic linking, guarantee the safety of every transaction as dynamic linking ensures that the transaction becomes immediately invalid if there are any changes considering the particular payment amount or the particular payee of the transaction. When the amount of the transaction or payee has been altered, a payment service provider must generate the new single-use authentication code or token, as the previous one is no longer invalid and can not be used to complete the transaction. It is crucial to mention that dynamic linking also applies to batch transactions or so-called bulk payments. When payments are made to multiple recipients at once, the authentication code has to be unique and specific to both: the total combined value of all transactions and the distinct amounts for the different payees.


The requirements for dynamic linking

PSD2 also provides specific requirements for dynamic linking that payment service providers must meet. These requirements for dynamic linking delivered by PSD2 are listed below.

  1. The paying party must be aware of the amount and payee of the transaction for their authentication prior to the transaction confirmation. This requirement ensures that all transaction data are provided to the consumer at the time of identification. The information must include the amount of payment, the identity of the payee, and the time of transaction. The visible display of all information regarding the transaction on the payment interface in the web browser or mobile application allows consumers to make sure that they authenticate the right payment. Once all information is given before transaction confirmation, the consumer can double-check and authorize payment without doubting their payment security.
  2. As already mentioned, generated authentication code has to be specific to the amount and payee of the payment agreed to by the paying party at the moment of the transaction instigation. This requirement ensures that any code or tokens issued by payment service providers to authenticate a transaction are utilized for that specific transaction only.
  3. Account-holding payment service providers, usually banks, must accept original information considering the specific amount of the transaction and the identity of the recipient agreed to with the paying party only if this information corresponds to the authentication code. This requirement ensures that payment service providers cannot authenticate the transaction when any modifications are made regarding the amount or payee. Also, as multiple codes sent via various channels can all be used to authenticate the transaction, this requirement guarantees that payment service providers use only one of the codes or tokens to initiate a payment depending on what channel a user has access to at the time. Once one of the codes is used to authenticate the transaction, other concurrently available codes for one specific transaction becomes invalid.
  4. Any alterations to one or both of the transaction details required to authenticate the transaction, amount of the payment transaction, or the payee has been modified results in the invalidation of the current authentication code.

Also, it is crucial to mention that all payment service providers must ensure that the amount and payee of the transaction as well as additional information, such as the generation, transmission, and unitization of the authentication code, are accurate throughout all of the phases of the authentication. In addition to that, all payment service providers are required to protect the confidentiality and integrity of the transaction data throughout the authentication process so that outsiders cannot intercept and alter the details of payment which may result in fraud.


The utility of PSD2 dynamic linking explained

Dynamic linking applies only to the initiation of electronic remote payment transactions.  When initiating these transactions through the payment interfaces in the web browser or mobile application, consumers make real-time purchases from merchant sites, such as online shopping or hotel booking sites. Also, these payment interfaces provide the consumer with all the payment details, such as the amount and the identity of the payee, needed for a secure and transparent transaction. Authentication code provided by payment service providers that is unique for specific payment details can include various authentication solutions such as one-time passwords, digital signatures, transaction-specific cryptographic keys, and others. In card-based online payments, the authentication code can also include cryptograms that represent the digital signature of the transaction. It is crucial to mention that the authentication code is unique in regard to payment details, the time, and the device used by the consumer to approve the specific transaction. As the authentication code is displayed, consumers can verify it to authenticate transactions when payment details are correct and disprove it if they notice any transaction value or recipient changes. When a consumer notices alterations regarding payment details without knowledge about changes prior to the initiation of the payment transaction, a new authentication code is required with the correct information displayed to the user. Also, it is crucial to mention that sometimes authentication may fail when there is a delay between payment authentication and subsequent processes, such as authorization or submission, during which an authentication code may expire. If this happens, again another authentication code is necessary to complete the transaction.  Finally, as already mentioned, when multiple codes are generated through many channels, the consumer can verify only one code as other outstanding codes become invalid. In that case, it is crucial for the consumer to make sure to disprove all additional authentication codes to prevent any risks of fraud.


Why does PSD2 dynamic linking matter?

As the specific and unique authentication code is bound to each transaction, dynamic linking decreases the possibility of online fraud. Specifically, dynamic linking aims to prevent man-in-the-middle attacks, which occur when an attacker intercepts a connection established between a paying party and payee. These attackers can alter details of transactions to authorize fraudulent payments or access. As remote payment transactions are initiated over the internet, these transactions are exceptionally susceptible to these attacks when the consumer uses public hotspots to carry out a payment. Dynamic linking prevents man-in-the-middle fraud from happening because it requires the payer to confirm the amount or payee. Also, any changes made by the attacker in transaction details invalidate the code linked to these details. Even in cases when the attacker manages to send altered transaction details to consumers' account-holding financial institutions but shows accurate transaction data on the user's browser or app, dynamic linking prevents confirmation of fraudulent payment. Under PSD2 dynamic linking,  even if the account-holding payment service provider sends transaction information modified by attackers, consumers can avoid fraud by withholding to provide authentication code when intended transaction details do not match with presented ones. To sum up, because dynamic linking enables consumers to be fully aware of the value and the identity of the payee, it decreases the risk of fraud, which leads to higher confidence of consumers in online payment services.


Conclusion about PSD2 dynamic linking

Under PSD2 dynamic linking, fraud becomes much harder to perform, as it provides detailed and advanced requirements for the authentication of the transactions. By linking payment details with authentication code, dynamic linking enhances online payment security making the online shopping experience convenient and secure for both consumers and payment services providers.

Get started now!

No trial period. No credit card. Free forever.

Join our Newsletter

We frequently share industry news and Nordigen product updates to our closest friends, fintech innovators and industry experts. Sign up to our newsletter to hear more from us.

By providing your email, you accept
Nordigen's Privacy Policy.