PSD2 – Securely Step into the Open-Bank Universe
by Corin Chirigiu
It has been over a year since PSD2, the European Union’s Payment Services Directive 2, was first released to the public. This directive, considered by many voices in the banking industry to be the most significant regulation to affect the European banking sector in the last few decades, continues to stir up controversy. In practice, however, its impact has so far been small rather than huge: the directive has not yet gone into full effect.
Identity Verification & SCA
For businesses operating in the PSD2 environment, using SCA (Strong Customer Authentication) will be a must to comply with a smart risk-mitigation strategy and to ensure customer data is secure and easily accessible. Under SCA, there are strong rules about securing the information shared by customers.
Because SCA is protecting the end-user and their money, security is of paramount importance. While people expect a high level of security, they also love the convenience and ease of remote transactions. TPPs (third party providers) need to find new ways to offer people the security they seek.
The Importance of Security in the Open-Bank Universe
One of the most important aspects of access to an ‘open banking world’ is security, together with all the threats around this topic. We basically need to make sure that at least two of the three key elements of authentication are checked when a TPP wants access to the system:
- Knowledge: something only the user knows, e.g. a password or a PIN code
- Possession: something only the user possesses, e.g. a mobile phone
- Inherence: something the user is, e.g. the use of a fingerprint or voice recognition
To ensure two of the three key elements listed above are met, the TPP (third party provider) is authenticated via an OAuth-compliant security mechanism, backed up by the generation of a single-use QR code that is sent via mail/mobile to the previously registered TPP.
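The two-of-three rule and the single-use challenge described above can be made concrete in a small server-side check. The following is an added example, not code from the original article or from any bank's or TPP's implementation: it assumes a hypothetical `ScaVerifier` class that stores a salted PIN hash (knowledge), issues a random, time-limited, single-use token of the kind a QR code would carry (possession), and accepts a boolean verdict that is assumed to come from a trusted device biometric API (inherence). Access is granted only when at least two distinct categories pass, so two PINs still count as one element, and a replayed or expired token is rejected.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# The three authentication elements from the article; SCA needs two *different* ones.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store does not give away PINs cheaply.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class SingleUseChallenge:
    user: str
    expires_at: float
    used: bool = False


class ScaVerifier:
    """Hypothetical server-side SCA check (constructed for this example).

    Knowledge  : salted PIN hash compared in constant time.
    Possession : a random single-use, time-limited token (the value a QR code
                 delivered to the registered device would carry).
    Inherence  : a boolean verdict assumed to come from a trusted device
                 biometric API; the biometric check itself is not implemented.
    """

    def __init__(self, ttl_seconds: int = 120, now=time.time):
        self._now = now          # injectable clock, so expiry is testable
        self._ttl = ttl_seconds
        self._pins: dict[str, tuple[bytes, bytes]] = {}       # user -> (salt, hash)
        self._challenges: dict[str, SingleUseChallenge] = {}  # token -> challenge

    def enroll_pin(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self._pins[user] = (salt, _hash_pin(pin, salt))

    def issue_challenge(self, user: str) -> str:
        """Create the single-use token to embed in the QR code sent to the user."""
        token = secrets.token_urlsafe(32)
        self._challenges[token] = SingleUseChallenge(user, self._now() + self._ttl)
        return token

    def _check_knowledge(self, user: str, pin: str) -> bool:
        record = self._pins.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_pin(pin, salt), expected)

    def _check_possession(self, user: str, token: str) -> bool:
        challenge = self._challenges.get(token)
        if challenge is None or challenge.user != user:
            return False
        if challenge.used or self._now() > challenge.expires_at:
            return False
        challenge.used = True  # consumed: a replay of the same token fails from now on
        return True

    def _check_inherence(self, user: str, verdict) -> bool:
        # Assumption: `verdict` is the boolean result of a trusted biometric check.
        return verdict is True

    def verify(self, user: str, presented: list[tuple[str, object]]) -> tuple[bool, list[str]]:
        """Return (granted, satisfied_categories).

        Every presented factor is checked, so a possession token is consumed
        even when the PIN is wrong and cannot be retried against. Access is
        granted only if at least two *distinct* categories pass.
        """
        checks = {
            KNOWLEDGE: self._check_knowledge,
            POSSESSION: self._check_possession,
            INHERENCE: self._check_inherence,
        }
        satisfied: set[str] = set()
        for category, value in presented:
            check = checks.get(category)
            if check is not None and check(user, value):
                satisfied.add(category)
        return len(satisfied) >= 2, sorted(satisfied)


if __name__ == "__main__":
    verifier = ScaVerifier()
    verifier.enroll_pin("alice", "4711")          # constructed sample user and PIN
    token = verifier.issue_challenge("alice")      # would be rendered as a QR code
    print(verifier.verify("alice", [(KNOWLEDGE, "4711"), (POSSESSION, token)]))
    print(verifier.verify("alice", [(KNOWLEDGE, "4711"), (POSSESSION, token)]))  # replay
```

The clock is injected so that expiry can be exercised deterministically; in production the default `time.time` is used. Counting categories as a set, rather than counting presented factors, is what enforces the "two of three" rule rather than "two of anything".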
The registration can be done via a lightweight API that checks basic information about the TPP; for example, whether the TPP is accredited to perform any type of banking business inside the EU. Additionally, the TPP can use pre-registration forms and checks via a mobile authentication app to ensure that the user is entitled to use a certain service.
From this point on, the TPP’s session is controlled, and it can be granted access (per the requirements of PSD2) to the accounts of the registered user.
The world of open banking is upon us – secure your systems – don’t forget your PIN! Learn more about how you can get ready for the new financial requirements by exploring our financial services page.