WTF does PSD2 say about 2FA? 2

Following on from my post yesterday about Two Factor Authentication (2FA), i was curious to see what the upcoming PSD2 Regulation had to say about 2FA. So lets get straight to it….

What is PSD2?

PSD2 is the EU revised Payments Services Directive. Check out:

What does PSD2 say about 2FA?

The PSD2 directive refers to “strong customer authentication” 8 times, and its fair to say that strong customer authentication is at the heart of the technical security standards enabling payment services in Europe

Okay, so what is Strong Customer Authentication?

Article 4 of the PSD2 (Directive (EU) 2015/2366) goes through the definitions. It defines “Strong Customer Authentication” as authentication based on the use of two or more elements categorised as:

  • Knowledge – something only the user knows
  • Possession – something only the user possesses
  • Inherence – something the user is

Each are independent, so the breach of one does not compromise the reliability of the others.

Liability – Article 74

States if the:

  • Payments service provider of the Payer does not require multi-factor authentication, the payer will not incur any financial losses
  • Payee or payment service provider of the payee do not accept multi-factor authentication, then they need to refund any losses to the payers payment service provider

Right of Recourse –  Article 92

In short if any payment service providers fail to provide strong customer authentication they should compensate the other payment service providers where:

  • Unauthorised payments are made
  • Non-execution, defective or late execution of payment transactions are made

Thanks for stopping by – Take a look around…!!

Authentication – Article 97

Countries will need to ensure that payment service providers implement strong customer authentication where the payer:

  • Accesses the payment account online
  • Initiates an electronic payment
  • Carries out any action through a remote channel which may result in the risk of payment fraud

Hope that helps – See Directive (EU) 2015/2366 for full details!

2 thoughts on “WTF does PSD2 say about 2FA?

  1. Pingback: 20 Insightful Reasons Driving Changes in UK Payments

  2. Pingback: WTF is RTS, SCA and CSC WRT PSD2? [EPC Infographic]

Leave a Reply




This site uses Akismet to reduce spam. Learn how your comment data is processed.