Strong Customer Authentication with PSD2

Joonatan Henriksson

Head of Digital Business

December 28, 2017 at 09:30

The revised Payment Services Directive (PSD2) must be transposed into the national legislation of the EU member states by January 2018. The detailed requirements (the Regulatory Technical Standards, RTS) for Strong Customer Authentication (SCA) and for access to payment service users' accounts (XS2A) will be finalized over the following 18 months, after which payment and account information service providers will also need to implement them.

New business opportunities from PSD2

As banks must comply and open the required interfaces for payments and account information to Trusted Third Parties (TTPs; the directive itself calls them Third Party Providers, TPPs), new FinTech entrants, retailers and even B2B service providers can find new business opportunities.

As a typical example, a new FinTech service provider could offer a mobile app that gives you a single view of all your payment accounts and makes suggestions for personal savings plans.

Another example might be where a retailer provides more flexible payment terms based on an analysis of the consumer’s bank account’s transaction history.

Or a taxi company might provide a service where corporate users pay for transportation directly from a shared corporate bank account, without a payment card, simply by authenticating themselves digitally.

The Strong Authentication requirements

One of the key elements in providing these new services is the ability to authenticate the customer reliably and conveniently. The Strong Customer Authentication requirement in PSD2 states that authentication must use at least two elements from different ones of the following three categories, and that the elements must be independent of each other, so that the compromise of one does not compromise the others:

  1. Something that the user knows (knowledge)
  2. Something that the user has (possession)
  3. Something that the user is (inherence)

There are also a few exemptions that remove the two-factor requirement, for example low-value transactions, payments at unattended terminals (such as parking or transport fares) and transactions that receive a low risk score under transaction risk analysis. Where SCA is required for a remote payment, the authentication code must additionally be dynamically linked to the amount and the payee, so that a code approved for one payment cannot be replayed for another.
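To make the rule above concrete, here is an added, illustrative policy check (not code from this post, nor from any bank or TPP): it maps presented authentication elements to their PSD2 categories, accepts a transaction only when two distinct, independent categories are present or one of the exemptions described above applies, and computes a dynamically linked authentication code over amount and payee. The factor names, the risk-score scale and the low-value thresholds are assumptions chosen for the example; the binding values and conditions are those of the final RTS, not this code.

```python
"""Toy SCA decision logic for PSD2 (illustrative example, not production code).

Assumptions (not from the article): the factor catalogue, a risk score in
[0, 1] where 0 is clean, and the illustrative low-value thresholds below.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Presented element -> PSD2 category. Two elements from the same category
# (e.g. password + PIN) are NOT two factors.
CATEGORIES = {
    "password": "knowledge", "pin": "knowledge",
    "hardware_token": "possession", "registered_phone": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

# Illustrative, configurable thresholds (assumed values for this example).
LOW_VALUE_SINGLE_EUR = 30.0      # single transaction limit
LOW_VALUE_CUMULATIVE_EUR = 100.0 # spent since last SCA
LOW_VALUE_MAX_COUNT = 5          # consecutive exempted transactions
LOW_RISK_THRESHOLD = 0.2         # risk score at or below this is "low risk"


@dataclass
class Transaction:
    amount_eur: float
    payee: str
    unattended_terminal: bool = False   # parking meter, transit gate, ...
    risk_score: float = 1.0             # assumed scale: 0 clean .. 1 suspicious
    cumulative_since_sca_eur: float = 0.0
    count_since_sca: int = 0


def exemption(tx: Transaction):
    """Return the name of an applicable SCA exemption, or None."""
    if tx.unattended_terminal:
        return "unattended_terminal"
    if (tx.amount_eur <= LOW_VALUE_SINGLE_EUR
            and tx.cumulative_since_sca_eur + tx.amount_eur <= LOW_VALUE_CUMULATIVE_EUR
            and tx.count_since_sca < LOW_VALUE_MAX_COUNT):
        return "low_value"
    if tx.risk_score <= LOW_RISK_THRESHOLD:
        return "low_risk"
    return None


def factor_categories(presented):
    """Distinct PSD2 categories covered by the presented elements."""
    unknown = [f for f in presented if f not in CATEGORIES]
    if unknown:
        raise ValueError(f"unknown authentication element(s): {unknown}")
    return {CATEGORIES[f] for f in presented}


def sca_satisfied(presented) -> bool:
    """SCA: at least two elements from different categories."""
    return len(factor_categories(presented)) >= 2


def decide(tx: Transaction, presented):
    """Return (allowed, reason): SCA passed, an exemption applied, or SCA still required."""
    if sca_satisfied(presented):
        return True, "sca"
    ex = exemption(tx)
    if ex is not None:
        return True, f"exempt:{ex}"
    return False, "sca_required"


def dynamic_link_code(key: bytes, tx: Transaction, nonce: str) -> str:
    """Authentication code bound to amount and payee (dynamic linking).

    Changing the amount or payee after the user approved them yields a
    different code, so the approval cannot be reused for another payment.
    """
    msg = f"{tx.amount_eur:.2f}|{tx.payee}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    card_payment = Transaction(amount_eur=250.0, payee="ACME Ltd")
    print(decide(card_payment, ["password", "pin"]))               # same category: SCA required
    print(decide(card_payment, ["password", "registered_phone"]))  # two categories: OK
    coffee = Transaction(amount_eur=3.5, payee="Cafe", cumulative_since_sca_eur=20.0,
                         count_since_sca=1)
    print(decide(coffee, ["password"]))                            # low-value exemption
```

The point the example makes is the one practitioners most often get wrong: the count of elements is irrelevant, only the count of distinct, independent categories matters, and an exemption is a decision the payment service provider takes per transaction against cumulative limits, not a property the customer chooses.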
 
TTPs are allowed to use the authentication mechanisms of the Account Servicing Payment Service Provider (ASPSP, i.e. the user's bank), but they may also build their own to gain a competitive advantage from more user-friendly customer authentication.

Gain competitive advantage

Our advice for service providers in general is to offer the customer several ways to authenticate.

These might range from social media logins to one-time passwords via email or push-notification-based mobile authentication. Keep in mind that a social login or a single emailed code counts as at most one factor (and an email inbox guarded only by a password is weak evidence of possession), so such options need to be paired with a second, independent factor or reserved for flows that fall under an exemption.

Some authentication means work better than others depending on the channel the customer is using. For example, in smart TV apps, typing a username, password and one-time code with a TV remote control tends to be quite tedious; approving the login on a registered phone is a more natural fit for that channel.