The PSD2 with Multi-factor Authentication (MFA) brought changes to the payment industry. It defined stronger security specifications for online transactions and necessitated financial institutions to grant permission to Third Party Providers (TPPs) to access consumer banking accounts. However, this could only be done if an account holder has given their consent.
The PSD2 and MFA were enforced to establish adequate and standardised levels of security in the financial service industry. It guarantees that buyers and their money are protected despite which banking service they prefer. Therefore, due to PSD2 Multi-Factor Authentication financial services must adhere to identical standards and statutes which consequently implement a greater overall level of security.
On 14 September 2019 the Second Payment Services Directive (PSD2) took effect. It refined and introduced beneficial regulations to the online payment ecosystem. One of the most significant changes were the updates to Strong Customer Authentication (SCA). SCA is a set of measures that requires the use of at least two authentication elements - knowledge, possession and/or inherence.
Knowledge is something only the user knows - like a pin code. Possession is something that the user has - like a mobile device or a card. Inherence is something the user is - like a fingerprint. Those three elements are independent and in case of a security breach, they do not compromise the consumer's security and the safety of other elements. Therefore, the aforementioned components and their combination facilitate the full protection and confidentiality of the authentication data.
The compound of the three elements is a key in defining PSD2 Multi-factor Authentication (MFA). PSD2’s MFA can be executed by combining the following factors - RFID/NFC Badges,
USB or other physical devices, tokens, certificates, codes generated by smart gadgets apps, codes sent to a phone number or email address, answers to personal security questions, behavioural analysis, fingerprints or facial recognition, retina or iris scanning.
All the consumers who use online banking and payment methods are subject to SCA due to the risk of fraud. SCA and the use of MFA forces users to verify their identity in multiple methods which consequently diminishes the risk levels of fraudulent activity. After the PSD2 and MFA were implemented, it meant that if a payment doesn’t go through additional security measures it should be rejected and the transaction denied.
Before the implementation of MFA, there already was an online security measure called 3D Secure (3DS). Its sole intent was to deploy when there was an apparent risk of fraud and it essentially applied to credit card transactions. In this case, a second window would pop out and request for more details, however, it had minimal configuration and wasn’t user friendly. Later on, it advanced and supported the use of biometrics while browsing on a mobile device. Moreover, the 3DS option enabled sellers to opt-out of the additional verification that increased the payment smoothness for a customer while highly reducing security and leaving a buyer vulnerable.
After the PSD2 and Multi-factor Authentication’s update, the second verification element became mandatory and vendors cannot disobey it.
We frequently share industry news and Nordigen product updates to our closest friends, fintech innovators and industry experts. Sign up to our newsletter to hear more from us.
By providing your email, you accept