PSD2 – The future of payment security

Oct 18, 2021 | Beginners

The second Payment Services Directive (PSD2) was validated by the European Parliament in 2015, to be applied in practice on January 13, 2018. Following on from its first version, it aims to modernize payment security standards in order to face the new threats that have emerged in recent years. The digital era in which we live has brought about a multitude of new ways of carrying out transactions, particularly digital ones. The PSD2 aims to provide the best possible framework for these new forms of payment through rigorous and appropriate regulation.

Figure: PSD2 (Source: Dalenys)

Opening of financial flows

One of the most revolutionary principles of PSD2 is so-called Open Banking, which we discussed in more detail in a previous article. The financial flows of individuals and companies were historically handled by traditional banks. Open Banking breaks this “monopoly” by opening these flows to different and new actors.

These players include:

  • Payment Initiation Providers (PISPs): intermediaries that allow users to carry out financial actions without depending on the Mastercard and Visa networks. A transfer order can thus be issued via these intermediary PISPs.
  • Account Information Service Providers (AISPs): AISPs allow their users to access a management tool that groups all their bank accounts. They will therefore be able to access a global view of their finances, without having to check their accounts individually. This tool is particularly useful for people who have bank accounts at different banks.
  • Neo-banks: new financial players that aim to compete directly with traditional banks. These mobile and digital banks do not have physical branches, but offer a subscription that is entirely online and easy to access.

Numerous Fintechs have thus appeared following the opening of financial flows, eager to propose their vision of payment. We talked earlier about how Fintechs are revolutionizing international money transfers.

The PSD2 has therefore led to an impressive increase in the number of financial players and, by extension, the services they offer. The next challenge is to ensure that all these new transactions are secure, notably by modernizing the regulatory framework attached to them.

PSD2: a bulwark for dematerialized payments

As mentioned in the introduction, the PSD2's priority area is digital and dematerialized payments. Even if cash still plays a major role in the total number of transactions in Europe, it is clear that new digital payment methods are proliferating.

The PSD2 is the pillar of the new forms of security for digital and dematerialized payments. It introduces a fundamental principle: Strong Authentication. This reinforced authentication replaces another protection tool called 3D Secure. 3D Secure was introduced by the first version of the Payment Services Directive, and has generally served its purpose well.

It consisted of sending a secure code following an online transaction made by a user. After validating their shopping cart and entering their banking information, the customer was redirected to a secure page of their bank. On this page, they had to enter the code that had been sent to them (generally on their mobile phone, sometimes via email).

Figure: Strong Authentication diagram (Source: La Banque Postale)

3D Secure was a good first defense against online payment fraud, but it is starting to be overtaken by new forms of fraud. Strong Authentication is the legitimate successor of 3D Secure. It requires satisfying 2 of the 3 factors below to validate a transaction:

  • A biometric element of the user: a fingerprint scan, facial or voice recognition…
  • A user’s medium: usually their smartphone, but it can also be a bank card or any other device they own.
  • Confidential information: a secret code known only to the user, secret questions…

The transition from 3D Secure to Strong Authentication is also supported by the digitalization of financial services. Traditional banks now have complete mobile applications, hosting more and more technologies. For many of them, the possibility to identify oneself via biometric elements is already available. Having to validate a payment via biometrics will therefore not be a problem, as the technology is already integrated into these mobile banking applications.

In concrete terms, the customer validates their basket on a merchant website. Instead of being redirected to a secure page, as was the case with 3D Secure, they are asked to open their mobile application. One of the Strong Authentication criteria is thereby already met: the medium (the user's own device). Once in the mobile application, a request appears asking the user to identify themselves via a biometric element. With two of the factors met, the transaction is validated.
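The 2-of-3 rule and the mobile flow described above can be expressed as a server-side check. This is an added example, not code from the article or from any bank; the element names and the `Evidence` type are assumptions made for illustration. It shows that two elements from the same factor count only once and that an element that failed verification counts for nothing.

```python
from dataclasses import dataclass

# The three factor categories, named as the article lists them.
BIOMETRIC = "biometric element"
MEDIUM = "user's medium"
SECRET = "confidential information"

# Illustrative mapping of authentication elements to categories (assumed names).
ELEMENT_CATEGORY = {
    "fingerprint": BIOMETRIC,
    "face": BIOMETRIC,
    "voice": BIOMETRIC,
    "smartphone_app": MEDIUM,
    "bank_card": MEDIUM,
    "secret_code": SECRET,
    "secret_question": SECRET,
}


@dataclass(frozen=True)
class Evidence:
    element: str    # key of ELEMENT_CATEGORY
    verified: bool  # True only if this element was successfully verified


def satisfied_categories(evidence):
    """Return the set of factor categories backed by verified evidence."""
    categories = set()
    for item in evidence:
        category = ELEMENT_CATEGORY.get(item.element)
        if category is None:
            raise ValueError(f"unknown authentication element: {item.element}")
        if item.verified:
            categories.add(category)
    return categories


def strong_authentication_ok(evidence):
    """True when at least 2 of the 3 categories are satisfied."""
    return len(satisfied_categories(evidence)) >= 2


# Constructed sample sessions.
APP_PLUS_FINGERPRINT = [Evidence("smartphone_app", True), Evidence("fingerprint", True)]
TWO_SECRETS = [Evidence("secret_code", True), Evidence("secret_question", True)]
FAILED_BIOMETRIC = [Evidence("smartphone_app", True), Evidence("face", False)]

if __name__ == "__main__":
    for name, session in [("app + fingerprint", APP_PLUS_FINGERPRINT),
                          ("two secrets", TWO_SECRETS),
                          ("failed biometric", FAILED_BIOMETRIC)]:
        print(name, strong_authentication_ok(session))
```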

The PSD2 is therefore a complex and dense document. We have only outlined the most important aspects of this directive, which will govern the security of digital payments in the years to come. Influenced by technological advances such as biometrics and the dominance of the smartphone, it will continue to adapt to address new threats to the payment world.
