Strong authentication

Strong authentication: What changes does PSD2 mean for the banking sector?

PSD2: what is it?

PSD2, or the Payment Services Directive, is a new European directive that comes into force on September 14, 2019. It was created to improve the security of online payments and of access to account information. To that end, the directive imposes new obligations on banks and on other payment service providers (third-party PSPs) such as account aggregators and payment initiators.

It covers 3 major topics:

  • Strong authentication for account consultation and sensitive transactions;
  • Secure communication between banks and third-party PSPs: banks will have to set up a secure system for sharing their customers' payment information with PSPs;
  • Strengthening consumer rights: immediate reimbursement of disputed transactions, ban on overcharging, etc.

What is strong authentication?

One of the major aspects of PSD2 is the introduction of strong authentication for account consultation and electronic payment transactions.

It aims to make electronic transactions more secure by strengthening verification of the user's digital identity.

Authentication is considered strong if it results from the combination of at least two of the following three authentication factors:

  • Something you own: smartphone, SIM card, physical key, etc.;
  • Something you know: password, secret code, etc.;
  • A personal characteristic: fingerprint, facial recognition, voice recognition, etc.

Customers must use a strong authentication method to make online payments, and for any other online operation involving a risk of fraud (such as changing a telephone number).

This double authentication will be required to connect to the personal online banking space, and will have to be updated every 90 days.

However, there are exceptions to strong authentication, in particular for:

  • Low-value transactions (under €30 or €50 for contactless payment);
  • Transactions considered low risk after risk analysis by the bank;
  • Regular transactions of the same amount to the same beneficiary, from the 2nd transaction onwards;
  • Transfers between two accounts held by the same account holder within the bank;
  • Transfers to beneficiaries on a white list of "trusted beneficiaries".
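
The two-of-three rule and the exemption list above, written out as a decision function. This is an added example, not code from the article or from any bank; the method names, the Operation fields and the reading of the 90-day rule (a login needs strong authentication again once the last one is more than 90 days old) are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Factor categories as listed in the article; the method names are illustrative.
FACTOR_CATEGORY = {
    "smartphone": "own", "sim_card": "own", "physical_key": "own",
    "password": "know", "secret_code": "know",
    "fingerprint": "are", "face": "are", "voice": "are",
}

def is_strong(verified_methods):
    """Strong only if the verified methods span at least two distinct categories."""
    return len({FACTOR_CATEGORY[m] for m in verified_methods}) >= 2

@dataclass
class Operation:
    kind: str                       # "payment", "login" or "sensitive_change"
    amount_eur: float = 0.0
    contactless: bool = False
    low_risk: bool = False          # result of the bank's own risk analysis
    recurring_index: int = 0        # 0 = one-off, 1 = first of a series, 2+ = later
    own_accounts: bool = False      # both accounts held by the same holder at the bank
    trusted_beneficiary: bool = False
    last_strong_auth: Optional[date] = None

def sca_required(op, today):
    """Return (required, reason); the article's exemptions apply to payments only."""
    if op.kind == "login":
        recent = (op.last_strong_auth is not None
                  and today - op.last_strong_auth <= timedelta(days=90))
        return (False, "strong auth still valid") if recent else (True, "90-day renewal")
    if op.kind != "payment":        # sensitive changes and unknown kinds fail closed
        return True, "no exemption for this operation"
    if op.amount_eur < (50 if op.contactless else 30):
        return False, "low value"
    if op.low_risk:
        return False, "low risk per bank analysis"
    if op.recurring_index >= 2:
        return False, "recurring, same amount and beneficiary"
    if op.own_accounts:
        return False, "transfer between own accounts"
    if op.trusted_beneficiary:
        return False, "trusted beneficiary"
    return True, "no exemption applies"

if __name__ == "__main__":
    today = date(2019, 9, 14)       # constructed sample date
    print(is_strong(["password", "secret_code"]))   # two methods, one category
    print(sca_required(Operation("payment", 45.0), today))
```

A password plus a secret code is two methods but one category, so it does not count as strong; and any operation kind the function does not recognise is treated as requiring strong authentication rather than falling into the low-value exemption.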

What are the consequences of this change?

How to choose the right complementary authentication method for customers?

Generally, the customer service or marketing department carries out a survey and establishes the personae of its various customers. By identifying their problems, banks are better able to offer each type of customer the authentication method best suited to their constraints.

Bank advisors and customer service staff therefore have a vital role to play. On the one hand, they must inform and raise awareness among customers during the migration to strong authentication, and on the other, they are the point of entry for identifying any problems with customers.

Customers are therefore migrated gradually to new strong authentication solutions, provided by their bank in advance through their contact person (usually the advisor).

How does strong authentication by application work?

To replace SMS authentication with mobile banking application authentication, customers will need to register their phone and link its number to their bank account.

Upon registration, the customer's smartphone will be linked to his or her bank account. The customer will then be asked to define a security code to access the online banking area.

Do you have a similar problem, or would you like to set up a strong authentication system? Contact us!

Article written by one of our consultants.
