Following on from my post yesterday about Two Factor Authentication (2FA), I was curious to see what the upcoming PSD2 Regulation had to say about 2FA. So let's get straight to it…
What is PSD2?
PSD2 is the EU revised Payments Services Directive. Check out:
- All of the juicy and official European Parliament and European Council PSD2 blurb as of 25th November 2015 within Directive (EU) 2015/2366
- My simpler PSD2 overview – 5 Things You Need to Know about PSD2
What does PSD2 say about 2FA?
The PSD2 directive refers to “strong customer authentication” 8 times, and it's fair to say that strong customer authentication is at the heart of the technical security standards enabling payment services in Europe.
Okay, so what is Strong Customer Authentication?
Article 4 of the PSD2 (Directive (EU) 2015/2366) goes through the definitions. It defines “Strong Customer Authentication” as authentication based on the use of two or more elements categorised as:
- Knowledge – something only the user knows
- Possession – something only the user possesses
- Inherence – something the user is
Each element is independent, so the breach of one does not compromise the reliability of the others.
Liability – Article 74
Article 74 states that if the:
- Payment service provider of the payer does not require multi-factor authentication, the payer will not incur any financial losses
- Payee or payment service provider of the payee does not accept multi-factor authentication, then they need to refund any losses to the payer's payment service provider
Right of Recourse – Article 92
In short, if any payment service provider fails to provide strong customer authentication, it should compensate the other payment service providers where:
- Unauthorised payments are made
- Payment transactions are not executed, or are executed defectively or late
Authentication – Article 97
Countries will need to ensure that payment service providers implement strong customer authentication where the payer:
- Accesses the payment account online
- Initiates an electronic payment
- Carries out any action through a remote channel which may result in the risk of payment fraud
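To make the Article 4 definition and the Article 97 triggers concrete, here is an added example (my own illustration, not code from the directive or from any payment provider) of a policy check that a payment service provider might run before authorising a payer's action. The trigger labels, the factor names and the message wording are my own assumptions; the three element categories are those named in Article 4.

```python
from dataclasses import dataclass
from enum import Enum


class Element(Enum):
    """The three categories of authentication element named in Article 4 of PSD2."""
    KNOWLEDGE = "something only the user knows"
    POSSESSION = "something only the user possesses"
    INHERENCE = "something the user is"


@dataclass(frozen=True)
class Factor:
    name: str          # e.g. "password", "registered phone", "fingerprint" (my labels)
    element: Element


# Article 97 situations in which SCA must be applied; the string labels are my own shorthand.
SCA_TRIGGERS = {
    "access_account_online",
    "initiate_electronic_payment",
    "remote_action_with_fraud_risk",
}


def requires_sca(action: str) -> bool:
    """True if the payer's action is one of the Article 97 triggers."""
    return action in SCA_TRIGGERS


def is_strong_customer_authentication(factors: list[Factor]) -> tuple[bool, str]:
    """Apply the Article 4 definition: two or more elements from *different* categories.

    Two factors of the same category (e.g. password + memorable word) are not SCA:
    a single phishing or shoulder-surfing breach captures both, so they are not independent.
    """
    categories = {f.element for f in factors}
    if len(categories) >= 2:
        return True, "SCA: " + ", ".join(sorted(c.name for c in categories))
    if len(factors) >= 2:
        only = next(iter(categories)).name
        return False, f"not SCA: all {len(factors)} factors are {only}"
    return False, "not SCA: fewer than two elements presented"


def authorise(action: str, factors: list[Factor]) -> tuple[bool, str]:
    """Combine Article 97 (when SCA is needed) with Article 4 (what counts as SCA)."""
    if not requires_sca(action):
        return True, "SCA not required for this action"
    return is_strong_customer_authentication(factors)
```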
Hope that helps – See Directive (EU) 2015/2366 for full details!