How to comply with the PSD2 and its regulatory technical standards

The revised Payment Services Directive (PSD2) puts high demands on the financial industry to improve security and open up for third-party providers. The detailed technical rules for the PSD2 have now been released. Bjørn Søland, technical expert at identity and security company Nexus Group, explains what the new rules mean and how to comply with them.

PSD2 will make electronic payments both online and in stores safer, and the directive will allow consumers to access more convenient, cost-efficient and innovative solutions offered by third-party payment services providers. On November 27, 2017, the EU Commission released the long-awaited regulatory technical standards (RTS) for PSD2. The regulatory technical standards are the technical implementation of PSD2, and they are expected to go into effect in September 2019.

“The regulatory technical standards are the result of a long process, through which the EU commission, banks and payment service providers have worked out a ruleset that pretty much reflects common sense security thinking. It’s not perfect, but it is clearly a step in the right direction to reduce cyber risk while increasing the competition in the European banking system,” says Søland.

This is what the regulatory technical standards mean and how to comply with them:

  • Two-factor authentication (2FA) is mandated for nearly all electronic payments.“There are only a few exceptions: low value payments and special use cases, such as parking,” says Søland.
  • So-called screen scraping is no longer allowed.“The term screen scraping refers to a common practice where the user hands over login credentials to a third party, which can then log in on behalf of the user. By doing this, the third party is able to screen scrape all the information presented to the user,” says Søland.

Screen scraping is easy to implement – but problematic for a number of reasons: handing over user credentials to someone else is normally explicitly forbidden in the bank’s agreement with the user, the bank cannot implement client-side malware detection, and there is no way to impose restrictions on what information the third party is allowed to see.

“The way forward goes via properly authenticated server-server communication and well-defined application programming interfaces (APIs). This is good news for everyone in the long run – even existing screen scraping third parties are going to benefit from this,” says Søland.

  • Banks must offer APIs with high operational stability and the same level of authentication they offer their own customers.“According to the regulatory technical standards, it seems clear that the third parties have the right to rely on the bank’s user authentication. This means that banks must offer two-factor authentication not only to protect their own services but also indirectly to protect the third-party services,” says Søland.
  • A frictionless user experience is demanded.“The regulatory technical standards are technology and business-model neutral, and users move quickly between technologies. This means that banks can no longer rely on single-use authentication platforms with limited flexibility. Such platforms do not necessarily support the new business environment out-of-the-box and, more importantly, they do not offer a frictionless user experience,” says Søland.

Instead, he recommends the use of so-called hybrid solutions, which can be used to access web, cloud, and local resources, and that accommodate many different login methods and allow users to move between them.

“One such solution is the Nexus authentication platform Hybrid Access Gateway, which can be used together with the authentication app Nexus Personal Mobile and many other user-friendly login methods,” says Søland.