PSD2 and Open Banking bring speed, flexibility and choice to existing banking functions for consumers — and they will clearly lead to entirely new sets of products and services. While some things simply require compliance (making data available and delivering on SCA, for example), banks looking to capitalize on PSD2 opportunities need to think about how to position themselves in the market to offer a comprehensive solution to their customers. There are three stages at which trusted identities deliver this:
1. Become a Banking "Utility"
Focus on providing liquidity, credit services and infrastructure. Most services would be offered through third parties who "own" the customer relationship. Requires only basic PSD2 compliance.
2. Partnership Model
Develop an advanced API model which allows you to directly provide selected services to consumers — and offer others through third-party partnerships. In this scenario, you could offer enough services to "own" the relationship. This requires compliance, plus monetized access to selected customer data.
3. Comprehensive Offering
Offer consumers a full range of financial services under your brand. This approach may require some private labeling of third-party offerings. But you can clearly "own" the consumer relationship. This requires compliance, open APIs and the development or re-selling of a broad portfolio of services.
Achieve basic compliance — but think bigger.
The foundation for PSD2 enablement and open banking success is trusted identity. Entrust Datacard can show you how to place a strong identity on your customer’s phone that lives within your mobile banking app. Consumers can use this single trusted identity to verify transactions, make online and mobile purchases, move money between accounts, access self-service kiosks, interact with ATMs and more. When consumers rely on the trusted identity you provide, your brand and your identity become the center of the consumer’s expanding financial ecosystem — while ensuring a secure experience.
Our solutions allow you to extend trusted identity to more than your customers. Every person or machine that’s part of your digital ecosystem requires a trusted identity to ensure both security and great customer experiences. This means issuing trusted identities to employees, apps, networks and, eventually, devices connected to an Internet of Things (IoT) ecosystem.
Strong Customer Authentication (SCA)
A key PSD2 requirement is Strong Customer Authentication (SCA). Because usernames and passwords don't provide sufficient security, the new directive calls for two-factor authentication for all electronic transactions. Entrust Datacard authentication solutions help you meet your PSD2 requirements - and they ensure a transparent and frictionless user experience. Below are the key elements required to create strong customer authentication.
Two-Factor Authentication: The use of two independent authentication methods is mandated. If one of the methods involves a smartphone or other mobile device, security measures are required to ensure that the device being used has not been compromised. Entrust Datacard offers the widest range of authenticators, so you can offer your customers the one that works best for them. Included in our solutions are mobile and adaptive authentication options that ensure truly frictionless experiences for your customers.
Transaction Monitoring & Fraud Prevention: PSD2 mentions the need for transaction monitoring software that analyzes risk as transactions are taking place. Entrust Datacard fraud prevention solutions — including Entrust™ Transaction Guard — enable fraud prevention tools with adaptive capabilities. Factors such as payment amounts, known fraud scenarios, payer/payee locations and device reputation are used to allow, challenge or stop transactions.
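The allow / challenge / stop decision described above, as an added illustration that is not code from the page or from Entrust Datacard: each payment is scored on the factors the paragraph names (amount, known fraud scenarios, payer/payee location, device reputation) plus a daily velocity counter, and the score selects the outcome. The rules, weights, thresholds, device reputation values and IBANs are all hypothetical, constructed for the example.

```python
"""Added illustration of risk-based transaction monitoring: each payment is
scored on amount, known-fraud indicators, payer/payee location and device
reputation, then allowed, challenged (step-up authentication) or stopped.
Rules, weights and thresholds are hypothetical, not any product's logic."""
from dataclasses import dataclass, field

ALLOW, CHALLENGE, STOP = "allow", "challenge", "stop"


@dataclass
class Transaction:
    amount: float          # in the account currency
    payee_iban: str
    payer_country: str     # where the payer's session originates
    payee_country: str     # country of the beneficiary account
    device_id: str         # device submitting the payment
    new_payee: bool        # first payment to this beneficiary


@dataclass
class RiskContext:
    # Hypothetical reputation store: device_id -> 0.0 (compromised) .. 1.0 (trusted)
    device_reputation: dict
    # Beneficiaries already tied to confirmed fraud (constructed sample data)
    blocked_payees: set = field(default_factory=set)
    # Amount already sent from each device today, for velocity checks
    daily_total: dict = field(default_factory=dict)


def score_transaction(tx: Transaction, ctx: RiskContext):
    """Return (decision, score, reasons) for a single payment."""
    reasons = []
    # Known fraud scenario: a blocklisted beneficiary is stopped outright
    if tx.payee_iban in ctx.blocked_payees:
        return STOP, 100, ["payee on fraud blocklist"]
    score = 0
    # Device reputation: unknown devices are treated as neutral (0.5)
    rep = ctx.device_reputation.get(tx.device_id, 0.5)
    if rep < 0.3:
        score += 40
        reasons.append(f"low device reputation {rep:.2f}")
    elif rep < 0.6:
        score += 15
        reasons.append(f"unproven device reputation {rep:.2f}")
    # Payment amount bands
    if tx.amount >= 1000:
        score += 30
        reasons.append("high amount")
    elif tx.amount >= 100:
        score += 10
        reasons.append("medium amount")
    # Payer and payee in different countries
    if tx.payer_country != tx.payee_country:
        score += 15
        reasons.append("cross-border payee")
    # Large first payment to a new beneficiary: typical account-takeover pattern
    if tx.new_payee and tx.amount >= 500:
        score += 25
        reasons.append("large payment to new payee")
    # Velocity: running daily total from this device
    if ctx.daily_total.get(tx.device_id, 0.0) + tx.amount > 5000:
        score += 20
        reasons.append("daily velocity exceeded")
    decision = STOP if score >= 70 else CHALLENGE if score >= 30 else ALLOW
    return decision, score, reasons


def record_outcome(tx: Transaction, ctx: RiskContext, decision: str):
    """Update the velocity counter for payments that went through (allowed, or challenged and passed)."""
    if decision != STOP:
        ctx.daily_total[tx.device_id] = ctx.daily_total.get(tx.device_id, 0.0) + tx.amount


# Constructed sample: one trusted phone, one device flagged earlier, one blocked payee
SAMPLE_CONTEXT = RiskContext(
    device_reputation={"phone-alice": 0.9, "browser-unknown": 0.2},
    blocked_payees={"DE00BLOCKEDMULE0001"},  # constructed placeholder IBAN
)

SAMPLE_TRANSACTIONS = [
    Transaction(45.0, "NL91ABNA0417164300", "NL", "NL", "phone-alice", False),
    Transaction(850.0, "PL61109010140000071219812874", "NL", "PL", "phone-alice", True),
    Transaction(2500.0, "NL91ABNA0417164300", "NL", "NL", "browser-unknown", True),
    Transaction(20.0, "DE00BLOCKEDMULE0001", "NL", "DE", "phone-alice", True),
]


def run_sample():
    """Score the constructed transactions in order; returns [(decision, score), ...]."""
    SAMPLE_CONTEXT.daily_total.clear()
    decisions = []
    for tx in SAMPLE_TRANSACTIONS:
        decision, score, _reasons = score_transaction(tx, SAMPLE_CONTEXT)
        record_outcome(tx, SAMPLE_CONTEXT, decision)
        decisions.append((decision, score))
    return decisions


if __name__ == "__main__":
    for tx, (decision, score) in zip(SAMPLE_TRANSACTIONS, run_sample()):
        print(f"{decision:9} score={score:3} amount={tx.amount:8.2f} payee={tx.payee_iban}")
```

The point of the structure is that only the middle band triggers step-up authentication: low-risk payments pass without friction, clear fraud indicators stop the payment without asking the customer at all, and the reasons list gives the fraud team something to act on.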
Dynamic Linking: Hackers have learned to insert themselves into the middle of legitimate electronic transactions after they’ve been initiated — which has created the need for dynamic linking. Entrust Datacard solutions link authentication codes to specific transaction amounts and payees. If either the amount or the payee changes during a transaction, a new code is issued. Our solution — which can feature OTP codes, mobile push notifications or other authenticators — also provides a highly secure channel for transactions to be conducted.
Runtime Application Self-Protection (RASP): The proliferation of mobile payment apps creates new opportunities for hackers. RASP is a suggested protocol for detecting anomalous app behavior and blocking the app from executing any further operations. Our RASP solution hardens the mobile app code and allows it to defend itself at runtime. This also safeguards against hacking and reverse engineering. In addition, with our Entrust IdentityGuard client-side software, the apps or SDKs act only on requests from the server. If a fraudulent entity tries to fool the app into signing a transaction, the transaction verification fails.
Secure Communication (SC)
Another key PSD2 requirement is Secure Communication (SC). PSD2 Qualified Website Authentication Certificates (QWACs) form the highest level of authentication and will be required to secure the Open Banking APIs used for transferring private data when making a payment or transferring money. They are meant to bring greater transparency, accountability and authentication to users in the EU marketplace.
Below are the key elements required in PSD2 QWACs:
QWACs will be required to secure the open APIs used in the open banking framework provided in the PSD2 requirements. PSD2 QWACs provide encryption security and authentication for the following transaction types:
In an effort to bring transparency, PSD2 QWACs require the applicant to provide the following information:
Traditional certificate requirements include:
Consider these three pillars — and view our recorded webinar.
PSD2 is the result of a global banking trend that is focused on security, innovation and the creation of consumer-friendly market competition. On the surface it appears to represent a significant step towards commoditization of banking services. But closer examination makes it clear that it is ushering in a new era of opportunity. Complying with security requirements is “table stakes.” Banks that embrace PSD2 as an opportunity to leverage the massive amounts of data they possess, along with their established customer relationships, will likely move towards a future of new offerings and stronger margins. One way to view PSD2 is to think of it as being comprised of three pillars — Transparency, Security and Innovation.
Banks will be required to make valuable data available to third parties who can, in turn, offer consumers better pricing, new products and enhanced service levels. Consumers will have more rights and third parties will be entitled to non-discriminatory pricing — the same offered to a bank’s best customers. Laws regarding these considerations went into effect January 13, 2018.
The democratization of data and the increase in mobile offerings and electronic transactions calls for elevated security, which is covered in the Strong Customer Authentication (SCA) and Secure Communications (SC) criteria. This area is mostly about compliance and is dedicated to protecting the privacy and assets of consumers. Related legislation is likely to be announced in the third quarter of 2018.
This is where banks have an opportunity to grow — and hold two great advantages. First, it will likely take fintechs and other third parties some time to develop, test and deploy offerings to consumers based on the data made available to them by banks. Second, consumers are largely loyal to their bank brands and hesitant to trust someone new with meaningful financial transactions. This means banks are in a strong position to be first to market with innovative offerings they can use to take share and grow revenue. The key to this will be the ability to issue trusted identities to customers that allow for the secure deployment of new mobile and online offerings.
Going beyond Two-Factor Authentication.
Trusted identities need to be at the foundation of your PSD2 strategy in order to enable compliance as well as transform your bank’s services. But will any solution get you where you ultimately want to go?
Identity assurance extends beyond a single authentication end-point: it establishes trust before a credential is issued, authenticates the user, and then maintains trust after authentication occurs. The net result is stronger security, an improved user experience and the ability to extend new services such as digital onboarding. Together, these three elements provide a comprehensive approach to digital trust across all of your banking initiatives.
How do you know people involved in a transaction are who they claim to be? How do you know the devices they’re using haven’t been compromised? Our trusted identity solutions include everything you need for identity issuance, identity proofing and device reputation assurance. We secure the business for you, and provide a secure, frictionless experience for your customers.
Our Intelligent Identity Assurance solutions give you the tools you need to enable secure transactions between trusted parties. This includes trusted network access, website authentication, transaction signing, nonrepudiation services and more.
Hackers have learned to insert themselves in the middle of legitimate transactions after they’ve been initiated and approved. Our solutions allow you to continuously authenticate identities and amounts throughout a transaction. If suspicious activities are detected — such as anomalies in user behavior or changes in amounts — our solutions can challenge or shut down the transaction.
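Dynamic linking, as described under Strong Customer Authentication above and again here, means the authentication code is bound to the exact amount and payee the customer confirmed. The following added example (not Entrust Datacard's implementation) shows one hypothetical design: the mobile app computes an 8-digit code as an HMAC over a single-use nonce, the amount and the payee, and the server recomputes it over the amount and payee it is actually about to execute. A code issued for one transaction therefore cannot authorise an altered or replayed one. The per-user shared key, the nonce format, the code length and the sample IBANs are all assumptions made for the example.

```python
"""Added illustration of dynamic linking under PSD2 SCA: the authentication
code is computed over the exact amount and payee the customer confirmed, so a
code issued for one transaction cannot authorise an altered one. Hypothetical
design using a per-user HMAC key shared with the mobile app; it is not the
Entrust Datacard implementation."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8


def canonical_message(nonce: str, amount_cents: int, payee_iban: str) -> bytes:
    """Fixed encoding of what is being linked; any change to amount or payee changes the bytes."""
    return f"{nonce}|{amount_cents}|{payee_iban.replace(' ', '').upper()}".encode()


def compute_code(key: bytes, nonce: str, amount_cents: int, payee_iban: str) -> str:
    """Client side: the app derives the code from the transaction details it displayed."""
    digest = hmac.new(key, canonical_message(nonce, amount_cents, payee_iban), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class DynamicLinkingServer:
    def __init__(self):
        self.user_keys = {}   # user -> secret provisioned to that user's app at enrolment
        self.pending = {}     # nonce -> (user, expiry) for transactions awaiting confirmation

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self.user_keys[user] = key
        return key   # in practice delivered to the app over an authenticated channel

    def start_transaction(self, user: str, ttl_seconds: int = 300) -> str:
        """Issue a single-use nonce; the app then shows amount and payee for the customer to confirm."""
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (user, time.time() + ttl_seconds)
        return nonce

    def verify(self, user: str, nonce: str, amount_cents: int, payee_iban: str, code: str) -> bool:
        """Server side: recompute over the amount and payee the bank is about to execute.
        If either was altered after the customer confirmed, the codes will not match."""
        entry = self.pending.pop(nonce, None)   # one attempt, one use: no replay
        if entry is None:
            return False
        owner, expiry = entry
        if owner != user or time.time() > expiry:
            return False
        expected = compute_code(self.user_keys[user], nonce, amount_cents, payee_iban)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed scenarios: honest confirmation, replay, altered amount, swapped payee."""
    server = DynamicLinkingServer()
    app_key = server.enroll("alice")
    payee = "NL91 ABNA 0417 1643 00"   # constructed sample IBAN
    results = {}

    # 1. Honest flow: the app signs what the customer saw; the bank executes the same details.
    nonce = server.start_transaction("alice")
    code = compute_code(app_key, nonce, 12500, payee)
    results["honest"] = server.verify("alice", nonce, 12500, payee, code)

    # 2. Replay: the same nonce and code cannot authorise a second execution.
    results["replay"] = server.verify("alice", nonce, 12500, payee, code)

    # 3. The customer confirmed 125.00, but the submitted payment carries 9,999.00.
    nonce = server.start_transaction("alice")
    code = compute_code(app_key, nonce, 12500, payee)
    results["altered_amount"] = server.verify("alice", nonce, 999900, payee, code)

    # 4. Same amount, but the beneficiary was swapped before execution.
    nonce = server.start_transaction("alice")
    code = compute_code(app_key, nonce, 12500, payee)
    results["swapped_payee"] = server.verify("alice", nonce, 12500, "DE00SWAPPEDMULE0001", code)
    return results


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario:15} -> {'accepted' if ok else 'rejected'}")
```

Two details carry the security property: the code is verified against the values the server will execute, not against values echoed back by the client, and the nonce is consumed on the first verification attempt so a captured code is useless afterwards. The canonicalisation of the IBAN (spaces removed, upper-cased) must be identical on both sides, otherwise honest confirmations fail.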
Identity is the foundation of security. Trusted Identity also encompasses Secure Communications, which provides greater transparency, accountability and authentication to users in the European Union marketplace.
Establish Trust for Secure Communications.
PSD2 requirements expand upon existing verification requirements for third-party providers, requiring them to purchase specialty SSL/TLS certificates known as PSD2 QWACs. These certificates provide the highest level of assurance, offering the most robust foundation of trust available for securing sensitive transactions.
Strong encryption coupled with high assurance provides third-party service providers and users a high degree of confidence when transferring sensitive data online. The PSD2 QWACs provided by Entrust Datacard use the RSA encryption algorithm, the SHA-2 hashing algorithm and a minimum key size of 2048 bits, meeting or exceeding the minimum requirements for encrypting online transactions.
Balancing PSD2 Data Sharing Requirements with GDPR Guidelines
These two critical initiatives seem to be at odds. PSD2 advocates for sharing customer data, while GDPR promises severe financial consequences for organizations that violate consumer data privacy regulations. While it seems there will be more direct guidance coming from governing bodies in the future, banks must — for the time being — balance both requirements using their best judgement. This means that banks should avoid a separate or siloed approach to their GDPR and PSD2 implementations. Approach them as a unified initiative and develop a single framework that simultaneously makes customer data available, yet protects that same data from being compromised by hackers. For help with this important balancing act, contact an Entrust Datacard trusted identity expert.
Entrust TransactionGuard works seamlessly with Entrust IdentityGuard to create layered security for diverse users and applications. Detect online fraud without invasive integration with existing online applications and step-up authentication controls only when dictated by elevated risk.