While the European Central Bank (ECB) brings PSD2 into force, it's easy to lose sight of what PSD2 is about: it's about the customer, the consumer, the mothers, fathers and grandparents. PSD2 is about transparency, flexibility, choice and security. All of these goals, taken together, are what make PSD2 about more than just regulations.
PSD2 embraces Open Banking as the foundation of its new model. Open Banking is about giving consumers more options for payments, transfers and purchases. It requires Account Service Providers (ASPs) to provide API access that allows Third-Party Service Providers (TPSPs) to access consumer account information (with consumer consent, of course) so they can provide value-added services. Imagine a TPSP that can provide you with a consolidated view of all of your payment accounts across different banking institutions. This would become your single payment provider. A TPSP could also simply provide you with better account and payment management tools to help you manage your money.
As part of this Open Banking, the ECB has also mandated stricter security requirements for providers' systems communicating with each other (Qualified Web Authentication Certificates), as well as for signing data moved across the Open Banking network (QSeals). Make sure that when you select your certificate provider, they can help you achieve compliance in both of these areas.
With the rise of online payments and card-not-present (CNP) fraud, the ECB has ensured that PSD2 includes provisions for Strong Customer Authentication (SCA), which is all about proving that the person initiating a payment is the rightful holder of the payment method. In the past, we've relied on credit card numbers with 3-digit verification codes, or bank account numbers protected only by passwords. Recognizing that this is not secure, PSD2 has embraced the value of alternative methods of authentication using Dynamic Linking. What is Dynamic Linking? It is the process of using something only you possess to generate a unique cryptographic signature across the elements of the transaction being authorized, so the resulting authentication code is valid for that transaction and no other. This can be achieved using physical tokens with PIN pad entry, mobile tokens with signing capabilities, physical smartcards or their mobile equivalents with digital signing, or even a special class of One Time Passwords (OTPs) called Dynamically Linked OTPs. Make sure that your SCA provider not only has the breadth of options to cover all of these types of SCA, but also provides you with tools for Transaction Risk Analysis – on premises or in the cloud.
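As an added example (not code from this post or from any Entrust Datacard product), the Python below sketches the idea behind Dynamic Linking: the possession factor computes a keyed MAC over the transaction details, and the verifier recomputes the code from the details it is about to execute, so a code generated for one payment does not verify for an altered amount or payee. The device secret, the JSON field encoding, the counter and the HOTP-style truncation are all assumptions made for this illustration.

```python
import hashlib
import hmac
import json

# Constructed example secret; in a real deployment it exists only inside the
# possession factor (hardware token, smartcard or mobile secure element).
DEVICE_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonical_transaction(amount: str, currency: str, payee: str) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    fields = {"amount": amount, "currency": currency, "payee": payee}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def generate_auth_code(secret: bytes, amount: str, currency: str,
                       payee: str, counter: int) -> str:
    """Possession factor: 8-digit code bound to amount, currency and payee.

    The counter stops a code from being replayed for identical details;
    the dynamic truncation mirrors RFC 4226 HOTP (an assumption here).
    """
    msg = canonical_transaction(amount, currency, payee) + counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # 0..15, 4 bytes always fit
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


def verify_auth_code(secret: bytes, amount: str, currency: str,
                     payee: str, counter: int, code: str) -> bool:
    """Verifier recomputes from the details it will execute; constant-time compare."""
    expected = generate_auth_code(secret, amount, currency, payee, counter)
    return hmac.compare_digest(expected, code)


def tamper_check() -> tuple[bool, bool, bool]:
    """(legitimate verifies, altered amount verifies, altered payee verifies)."""
    payee = "DE89370400440532013000"               # constructed sample IBAN
    code = generate_auth_code(DEVICE_SECRET, "125.00", "EUR", payee, 7)
    legit = verify_auth_code(DEVICE_SECRET, "125.00", "EUR", payee, 7, code)
    amount_changed = verify_auth_code(DEVICE_SECRET, "1250.00", "EUR", payee, 7, code)
    payee_changed = verify_auth_code(DEVICE_SECRET, "125.00", "EUR",
                                     "GB29NWBK60161331926819", 7, code)
    return legit, amount_changed, payee_changed


if __name__ == "__main__":
    print(tamper_check())  # (True, False, False)
```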
So where is the philosophy? The philosophy is embedded in these regulations. The ECB could have chosen to maintain the status quo, which works well for traditional banks and credit providers, but has chosen instead to mandate significant changes driven by the philosophy that consumers benefit from choice (Open Banking) and from secure and transparent transactions (Strong Customer Authentication).
If you are not a bank or payment provider in the EU, what does this mean to you? PSD2 should serve as a guideline and best practice for how you can provide your customers with superior service and security — all without having to sacrifice the banking experience. You may, in fact, discover that your customers are delighted with the degree of transparency and increased trust you can provide them.
This is a philosophy that has guided us since Day 1 at Entrust Datacard.
Stay up to date on PSD2 by following this insightful PSD2 blog series. Previous articles include: