Since the beginning of 2018, PSD2, the Second Payment Services Directive, has been national law in all EU member states. Some countries, such as Germany and the UK, implemented the new directive early on, but for others it is still work in progress today.
The Second Payment Services Directive focuses on providing access for non-banking third party providers (TPP) to bank customer account information (after the customer’s approval, of course). You may have heard of “open banking” or “open APIs” – this is the facilitator for PSD2. For the first time, TPPs may access account information, confirm availability of funds and even initiate payment transactions.
In today’s blog post, we will take a closer look at the link between PSD2 and the European eIDAS regulation, which a number of previous blog posts have focused on: local vs. remote signing, sole control of signing keys, and eIDAS for banking & financial services.
eIDAS offers a comprehensive toolset for secure cross border identification and transactions, in this case, online financial and payment transactions.
Let’s dive into the concept of Strong Customer Authentication (SCA) a little more. In the context of PSD2, the European Commission will introduce a Delegated Regulation on Regulatory Technical Standards (RTS) by September 2019. It applies to customer-initiated online payments within the European Economic Area and provides a technical framework for secure authentication and communication. SCA requires businesses to combine two independent authentication factors of a different nature to execute a customer’s payment transaction. This is of great importance when open banking APIs are in play, where banks must be able to securely identify customers (i.e. the authentication process) for compliance with PSD2. “Something the customer knows / has / is” shall be used in combination; two factors from the same category (e.g. a password and a PIN) do not satisfy the requirement. The eID, with its cross-border usage and recognition as governed by the eIDAS regulation, can constitute an authentication mechanism based on what a user has (eID card) and knows (PIN).
The Regulatory Technical Standard also requires qualified certificates for electronic seals and website authentication, as described above and defined by eIDAS.
When opening a bank account, the payment service provider can attach its electronic seal to all documentation provided to the future customer. Next, the customer’s identity must be verified under the AML4 directive, which can be done throughout Europe by means of a notified eID. For contract signing, in the following process step, a qualified electronic signature may be required when the contract is signed remotely. For account login, SCA is required in certain cases, while it is mandatory for most cases of transaction authorization and payment initiation.
A number of exemptions from SCA exist, such as low-value transactions, recurring payments of the same amount to the same recipient, or payments to trusted beneficiaries listed with the customer’s bank.
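To make the two SCA rules from the preceding paragraphs concrete (two factors of different categories, and the exemptions under which no SCA is needed), here is a small policy evaluator. It is an added illustration, not Utimaco code and not taken from the RTS text: the factor names, the category mapping, the `Payment`/`CustomerProfile` types and the `LOW_VALUE_LIMIT_EUR` threshold are constructed placeholders, since the post gives no concrete values. The point it shows is that "PIN + password" is two mechanisms but only one category, so it fails the independence check, whereas "eID card + PIN" passes.

```python
"""Minimal SCA policy evaluator (added illustration, not Utimaco code).

Models the two requirements described in the post:
  * two independent factors from DIFFERENT categories
    (knowledge / possession / inherence), and
  * the exemptions (low value, recurring payment to the same payee,
    trusted beneficiary).
Factor names, types and thresholds below are constructed placeholders.
"""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer has"
    INHERENCE = "something the customer is"


# Constructed mapping from factor name to SCA category (assumption).
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "eid_card": Category.POSSESSION,
    "registered_phone": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
}

# Placeholder threshold; the real RTS value is not stated in the post.
LOW_VALUE_LIMIT_EUR = 30.00


@dataclass
class Payment:
    amount_eur: float
    payee: str
    recurring_same_payee: bool = False  # same amount, same recipient, repeated


@dataclass
class CustomerProfile:
    trusted_beneficiaries: set = field(default_factory=set)


def factors_are_independent(factors):
    """Return True when at least two DIFFERENT categories are presented.

    Unknown factor names are ignored (fail closed): they never count
    towards SCA. "pin" + "password" both map to KNOWLEDGE and therefore
    do not satisfy SCA even though they are two mechanisms.
    """
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def sca_exemption(payment, profile):
    """Return the applicable exemption name, or None when SCA is required."""
    if payment.payee in profile.trusted_beneficiaries:
        return "trusted_beneficiary"
    if payment.recurring_same_payee:
        return "recurring_same_payee"
    if payment.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low_value"
    return None


def authorize(payment, profile, presented_factors):
    """Decide whether the transaction may proceed.

    Returns (allowed, reason) so the reason can be logged for audit.
    """
    exemption = sca_exemption(payment, profile)
    if exemption is not None:
        return True, f"exempt:{exemption}"
    if factors_are_independent(presented_factors):
        return True, "sca_satisfied"
    return False, "sca_required:need two factors of different categories"


if __name__ == "__main__":
    profile = CustomerProfile(trusted_beneficiaries={"landlord"})
    print(authorize(Payment(250.0, "merchant-x"), profile, ["pin", "password"]))
    print(authorize(Payment(250.0, "merchant-x"), profile, ["eid_card", "pin"]))
    print(authorize(Payment(12.5, "merchant-x"), profile, []))
    print(authorize(Payment(900.0, "landlord"), profile, []))
```

In a real deployment the exemption logic would also have to honour the cumulative limits and counters the RTS attaches to some exemptions; this sketch deliberately keeps only the three exemption types named in the post.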
Utimaco HSMs support all the above-mentioned trust services required by PSD2 and the related RTS. If you have any questions or require assistance evaluating your security needs, please do not hesitate to reach out to us.
A first version of this article was published on December 07, 2018.