You’ve heard of PSD2 and even know what it stands for, but are you fully prepared for its ramifications and opportunities? Developed by the European Banking Association, this latest version of the Payment Services Directive sets out a number of new initiatives and mandates aimed at opening up the banking industry to new entrants. In the UK PSD2 is now in full swing, but many other European countries are still in the midst of implementation, despite the months-ago deadline.
I won’t go into detail on the mechanics of PSD2—you can read hundreds of blogs on that topic. However, one area that lacks nuanced discussion is its mandate that customers perform Strong Customer Authentication (SCA) for various payment transactions. Strong Customer Authentication needs to be performed for any customer-initiated online payments that occur within Europe, this includes bank transfers as well as eCommerce transactions.
Strong Customer Authentication, as defined by PSD2, requires the user to use at least two of the following three factors to prove who they are:
- Something the customer knows, such as a password or PIN.
- Something the customer has, such a mobile phone or hardware token,
- Something the customer is, usually a biometric such as fingerprint or face recognition.
Currently, mobile phones are the most commonly used channel to perform SCA, yet applications running on mobile devices are at risk if not protected properly. Many banks employ a technology called 3D Secure version 2 to perform the authentication. During eCommerce transactions, the cardholder receives an authentication prompt from their card-issuing bank and must authenticate themselves with a PIN, passcode, or a One Time Passcode (OTP), often received as an SMS.
Some organizations (including I’m sorry to say, my personal bank), choose to send an authentication code to the customer’s phone using SMS. I, as the customer, then use that code to authenticate myself. It’s an interesting choice, especially given the fact that there is a well-known security flaw in SS7, the protocol used by telecom companies to route SMS messages and calls. The flaw enables SMS messages to be intercepted without needing access to the phone, thus making SMS based authentication very weak. Metro Bank in the UK fell victim to such an attack—hackers intercepted the authentication codes and many customers had their accounts emptied.
Some companies choose to use a push mechanism to trigger their online banking apps to perform the authentication. This is a better solution than using SMS, but the standards also require banks to provide adequate security in their apps.
Apps need to be developed in such a way that sensitive data and application execution remains protected. The PSD2 specification refers to such protection as a secure execution environment. Apps must be aware of their environment and monitor themselves to detect risks such as malware, a rooted device, and tampered applications.