Fraud has been on the rise, and in many European countries account protection has relied solely on the traditional, easily forgotten password. Some regulators with more forward-looking security strategies have already been enforcing two-factor authentication (2FA) in the financial sector to curb fraud, impersonation and account spoofing. The new Payment Services Directive (PSD2) is meant to improve the current state of the European financial markets, adapt to the technological advances of recent years, and set up-to-date, common standards across the EU. Keeping up with technology is vital, and the new security requirements are focused on the new era of consumer-centric financial products.
PSD2 at a glance

PSD2 includes 112 articles and 11 mandates that are examined by the European Banking Authority (EBA). The directive impacts all players in the financial sector, from payment providers to banks and beyond, and encourages competition, transparency, and innovation in payment services. PSD2 affects how EU consumers access their banking data in several ways: it mandates an open banking approach and higher security through new authentication methods and dynamic linking, which ties each authentication code to the specific amount and payee of the transaction.
SCA – The demand for increased payment protection

The latest opinion of the European Banking Authority on the elements of strong customer authentication (SCA) under PSD2 has brought much-needed clarification on compliant authentication methods for both payment service providers (PSPs) and payment service users (PSUs), including merchants. The EBA clarifies what constitutes a compliant element in each of the three categories of SCA elements: knowledge (something the user knows), possession (something the user has) and inherence (something the user is).
The inherence element

The inherence element relates to something the user is. The EBA explains that devices and software need to have 'adequate security features' in place, which could, for example, be 'algorithm specifications, a biometric sensor, or template protection features'. Inherence factors can be both biological and behavioural biometrics, and the authority lists the following as acceptable:
- keystroke dynamics (identifying a user by the way they type and swipe, sometimes referred to as typing and swiping patterns)
- retina and iris scanning
- fingerprint scanning
- vein recognition
- face and hand geometry
- voice recognition
- the angle at which the PSU holds the device
- the PSU's heart rate