The second Payment Services Directive, also known as PSD2, is the revised European legislation on financial services that came into force in January 2018. Its main goal is to boost competition and innovation in the banking industry by requiring banks and other financial institutions to allow third-party financial service providers to access customers' account data, provided the account holders have given their explicit consent. However, requiring banks to open up their data channels to other financial service providers also brings cyber security risks, such as fraud by an unreliable third-party provider, or requests sent through a compromised third party and controlled by fraudsters in order to authorize fraudulent payments or gain access to consumers' information. To reduce these threats, PSD2 increases the protection of consumers through upgraded security measures. The PSD2 cyber security requirements that all financial service providers must comply with to deliver a secure banking experience for consumers are listed below.
The most prominent security requirement set out by PSD2, Strong Customer Authentication, better known as SCA, aims to reduce the risk of fraud and make online payments, and many offline payments, more secure through multi-factor authentication. Under the SCA measures of PSD2, authentication must be based on at least two out of three elements to verify online payments. These authentication elements include:
In addition to having at least two elements, each from a different category, to authenticate remote electronic transactions and access to data, PSD2 requires all payment service providers to meet an additional requirement known as dynamic linking.
Like SCA, dynamic linking is intended to increase security against online payment fraud. Dynamic linking enhances SCA by tying each transaction to its amount and its recipient. The main principle is that payment service providers are obligated to issue a single-use authentication code for a specific payment amount and payee every time a consumer makes a payment, and the payer must be made aware of all transaction details that are dynamically linked to that code. Because the authentication code becomes invalid as soon as the payment amount or payee changes, dynamic linking specifically counters man-in-the-middle fraud, in which the attacker alters the payment details to have a fraudulent transaction authorized.
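As an added illustration (not code from the original article or from Nordigen), the following Python sketch models the dynamic linking check described above: the customer's authenticator computes a single-use code over the displayed amount and payee, and the bank recomputes it over the payment order it actually received. The shared key, the IBANs and the `Payment`/`Bank` names are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed demo key shared by the authenticator and the bank (a real
# deployment would keep it in a secure element or HSM).
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

@dataclass(frozen=True)
class Payment:
    amount_cents: int
    currency: str
    payee_iban: str

def _canonical(p: Payment, nonce: str) -> bytes:
    # Fixed field order and separator: two distinct payments never serialise
    # to the same bytes, so the MAC really binds amount, payee and nonce.
    return f"{p.amount_cents}|{p.currency}|{p.payee_iban}|{nonce}".encode()

def authenticator_code(p: Payment, nonce: str) -> str:
    """Code the customer's device computes over the details it displays."""
    return hmac.new(DEVICE_SECRET, _canonical(p, nonce), hashlib.sha256).hexdigest()[:8]

class Bank:
    def __init__(self) -> None:
        self._issued: set[str] = set()  # nonces handed out and not yet consumed

    def start_payment(self) -> str:
        nonce = secrets.token_hex(8)  # fresh per transaction, hence single use
        self._issued.add(nonce)
        return nonce

    def authorize(self, received: Payment, nonce: str, code: str) -> bool:
        # The nonce is consumed on first use whether or not the code matches,
        # so a captured code cannot be replayed against a later order.
        if nonce not in self._issued:
            return False
        self._issued.discard(nonce)
        return hmac.compare_digest(authenticator_code(received, nonce), code)

def demo() -> dict[str, bool]:
    bank = Bank()
    shown = Payment(2500, "EUR", "DE89370400440532013000")       # constructed
    tampered = Payment(250000, "EUR", "GB33BUKB20201555555555")  # constructed
    n1 = bank.start_payment()   # attacker alters the order after approval
    mitm = bank.authorize(tampered, n1, authenticator_code(shown, n1))
    n2 = bank.start_payment()   # honest flow: received order equals displayed
    ok = bank.authorize(shown, n2, authenticator_code(shown, n2))
    replay = bank.authorize(shown, n2, authenticator_code(shown, n2))
    return {"tampered_rejected": not mitm, "honest_accepted": ok, "replay_rejected": not replay}
```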
Another requirement of PSD2 is that the two elements used for SCA be independent: in terms of technology, algorithms and parameters, the breach of one authentication element must not compromise another. This requirement ensures that fraudsters cannot generate a new authentication code from information about any authentication code previously generated.
In addition to the requirements mentioned above, PSD2 requires payment service providers to use transaction monitoring to detect unauthorized and fraudulent payment transactions and to produce a transaction risk score, which triggers immediate action based on predefined security rules. Further requirements cover the confidentiality and integrity of users' personalized security credentials, that is, the personalized features provided by the payment service provider to a user for authentication.