113 recitals and Brexit ain’t one of them – A PSD2 Survival Guide

Did you know the Payment Services Directive 2 (PSD2) directive (Directive2015/2366/EU) starts out with 113 introductory recitals?  You can check them out for yourself.

It includes such gems as:

#29: “‘authentication’ means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalised security credentials”

 #30: “‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”

#72: “the payment service provider is to prove that the payment transaction was authenticated, accurately recorded, entered in the accounts and not affected by a technical breakdown or some other deficiency of the service provided by the payment service provider.”

And even; #100: “competent authorities are granted the necessary power, including the power to impose penalties, where the payment service provider does not comply with the rights and obligations laid down in this Directive, in particular if there is a risk of re-offending or another concern for collective consumer interests.”

The driving force behind PSD2, which is focused on governing electronic and non-cash payments, is a drive for Strong Customer Authentication (SCA) – a process that makes online payments more secure and reduces fraud while increasing authorization rates. 

3D Secure 2 (3DS2) provides an easy way to merchants to implement PSD2 SCA compliant flows when they make an online purchase. This allows the merchant to “authenticate” both the customer’s identity and that they are the valid holder of the credit card they’re using to complete the purchase

Because of this, merchants need to build additional authentication capabilities into their checkout flow in order to continue to process transactions once PSD2 goes into effect. And that date is coming fast. PSD2 was previously slated to start this month, September 2019, but has been pushed back to early 2020 to accommodate unprepared service providers – and likely – to get Brexit in the rear view mirror.

It’s a foregone conclusion that PSD2 is going to start impacting merchants very soon.  The questions now revolve around how many merchants will suffer, how seriously and what will happen to UK merchants once card issuers start declining payments that require SCA but which have not been authenticated via 3DS.

Feeling the pressure?  Here are three steps to take in Q4 2019 to be PSD2 ready in 2020.

Merchants need to simplify or build

Well the good news is that if you are able to operate on a major payment service provider like PayPal or Stripe, you are going to be compliant, as they already put in the engineering effort. The bad news is that most merchants with significant transaction volumes are not using those payment service providers (PSPs) for their full checkout process.  

Those merchants need to build authentication into your checkout flow. Whether you want to retain control over the checkout experience directly, or you use a different PSP, you’ll have to implement 3D Secure 2.0 into your payment flow yourself. But once you do, you’ll be compliant.

Banks need to capture the PSD2 disruption and turn it to their advantage

While PSD2 is ostensibly about authentication, it also provides a major challenge to the banking industry. Banks are now required to provide (non-bank) PSPs with direct connectivity to customer account data. While this seems to be a major step towards commoditization in the EU banking sector, it also opens potentially lucrative opportunities for banks to monetize insights from their proprietary data sets.  

A recent report from McKinsey suggest that fast moving banks “could retain their role as trusted financial anchor, as customers would not find it attractive to provide third parties access to their data or accounts.”

Banks that can provide a technology platform and SCA services to merchants and even other less sophisticated banks can stand out in the opportunities that drive in a post PSD2 world.

Merchants and Banks can accelerate their SCA compliance with FIDO

It may come as a surprise, but there is an easy button for PSD2 compliance. It’s called FIDO – the Fast Identity Online. FIDO is not a company, but an open industry standard for SCA compliance.

FIDO Authentication is available to any organization to implement freely, and once deployed, banks and PSPs may accept a variety of FIDO-compliant authenticators that meet the SCA requirements of PSD2. The FIDO architecture offers a true “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements.

With asymmetric cryptography, biometrics, and cryptographic privacy, the result is a single-gesture, multi-factor authentication event packaged for consumers in a very simple user experience that fulfills both merchant and banking needs for PSD2 SCA.

When, and where to turn for solutions?

PSD2 is on a 5+ year odyssey of bringing modern consumer authentication strategies and protections to European consumers. Delayed twice already, it’s unlikely to be delayed further. Banks and merchants who have not made appropriate investments need to move with precision to ensure they are compliant and not subject to fines.  

Fortunately, SCA  solutions can be tested and deployed in a timely manner at a reasonable price. Nok Nok Labs, a founder of the FIDO Alliance and holder of more than 100 patents in the space, provides a ready-to-deploy authentication system that delivers SCA compliance today. We look forward to sharing our process for rapid testing and deployment so you can reach your PSD2 objectives.