The Annual Report of the "Observatory for Payment Card Security" for the financial year 2017, published by the Banque de France on Tuesday, 10 July 2018 (in French), sets out this year to provide operational insights on the PSD2 regulation, which entered into force on 13 January 2018, and on the set of RTS rules to be applied by 14 September 2019 at the latest.
In doing so, it contradicts some commonly held ideas. What should be retained?
- A strong authentication system is required whenever the account holder has online access to his payment account (for a balance request, a payment initiation, or for recording a transfer beneficiary's bank details), unlike today's prevailing practice of issuing the user an identifier and a password.
- Within the meaning of PSD2, strong authentication is authentication with at least two factors, i.e. relying on two or more elements falling into two different categories of authentication factor (possession, knowledge, inherence). What about an SMS OTP for a 3DS remote payment? According to the EBA (European Banking Authority), a 3DS payment generating an SMS OTP covers only the "possession" factor (that of the mobile receiving the one-time code); the card number, expiry date and CVV should not be regarded as a "knowledge" factor, since they can easily be copied. The report illustrates this with example combinations, on a green background the combinations verifying the use of two factors and on an orange background the combinations verifying the use of a single factor:
| Factor category | Example combinations | | |
|---|---|---|---|
| Inherence | Entry of a confidential code + biometric asset capture | Biometric asset reading on a terminal recognised as belonging to the payer | Biometric asset reading on a terminal not recognised as belonging to the payer |
| Possession | Card or mobile of the payer + confidential code | Reading of card, keys, mobile, … without entry of a confidential code (contactless payment), or entry of an SMS OTP | – |
| Knowledge | Identifier + confidential code | – | – |
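To make the factor-counting rule concrete, here is an added example (not code from the report or from the Banque de France) that classifies the elements presented during an authentication into the three PSD2 categories and checks whether two distinct categories are covered. The element names are labels chosen for this example, and the mapping of card data and the user identifier to "no factor" follows the EBA reading quoted above; the combinations at the bottom are constructed from the report's table.

```python
from enum import Enum


class Factor(Enum):
    POSSESSION = "possession"
    KNOWLEDGE = "knowledge"
    INHERENCE = "inherence"


# Which factor category each presented element proves. The element names are
# labels chosen for this example, not PSD2 terminology. Card data (PAN, expiry,
# CVV) and the user identifier map to None: they are easily copied or public,
# so per the EBA reading quoted in the report they prove no factor at all.
ELEMENT_CATEGORY = {
    "confidential_code": Factor.KNOWLEDGE,     # PIN or password
    "card_chip": Factor.POSSESSION,            # card read by a terminal
    "otp_sms": Factor.POSSESSION,              # the phone that received the code
    "recognised_terminal": Factor.POSSESSION,  # terminal known to belong to the payer
    "biometric": Factor.INHERENCE,
    "pan_expiry_cvv": None,
    "identifier": None,
}


def categories(elements):
    """Return the set of distinct factor categories proved by the elements."""
    cats = set()
    for name in elements:
        if name not in ELEMENT_CATEGORY:
            raise ValueError(f"unknown authentication element {name!r}")
        cat = ELEMENT_CATEGORY[name]
        if cat is not None:
            cats.add(cat)
    return cats


def is_strong(elements):
    """PSD2 strong authentication: elements from at least two different categories."""
    return len(categories(elements)) >= 2


# The combinations from the report's table, as constructed inputs.
REPORT_COMBINATIONS = {
    "code + biometric": {"confidential_code", "biometric"},
    "biometric on recognised terminal": {"biometric", "recognised_terminal"},
    "biometric on unknown terminal": {"biometric"},
    "card + code": {"card_chip", "confidential_code"},
    "contactless without code": {"card_chip"},
    "3DS with SMS OTP": {"pan_expiry_cvv", "otp_sms"},
    "identifier + code": {"identifier", "confidential_code"},
}

if __name__ == "__main__":
    for label, elems in REPORT_COMBINATIONS.items():
        verdict = "strong" if is_strong(elems) else "single factor"
        print(f"{label:35} {verdict}")
```

Running the block prints the report's green rows as "strong" and the orange rows as "single factor"; the point to notice is that the 3DS case only reaches one category because the card data contributes nothing, not because the OTP is weak.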
- A comparative analysis seems relevant between the functionalities the digital banking site offers to clients and the data submitted to TPPs through the communication interface. The account servicing payment service provider must give TPPs access, through its interface, to all payment account data available via its user interface (web site, mobile application, …). Moreover, the depth of data history must be the same between the interfaces the bank makes available to its client and the communication interface dedicated to TPPs. Regarding the payment initiation service, this interface must give access to all payment transactions the establishment offers through its client applications.
- A set of exemption rules allows the account servicing payment service provider to waive strong authentication in some cases:
| Exemption factors | Upon the initiative of? | Under what conditions? |
|---|---|---|
| Information service on payment account | PSP of payer | Less than 90 days since the last access |
| Contactless payment | PSP of payer or beneficiary | Up to 50 € / payment, or 5 successive transactions, or 150 € of cumulative payments |
| Automated transport and parking devices | PSP of payer or beneficiary | – |
| Trusted beneficiary | PSP of payer | Prior creation of a list of trusted beneficiaries |
| Recurring transactions | PSP of payer or beneficiary | A series of transactions of the same amount to the same beneficiary (subscription, rental, …) |
| Self-transfer | PSP of payer | None |
| Low value payments | PSP of payer or beneficiary | Up to 30 € / payment, or 5 successive transactions, or 100 € of cumulative payments |
| Secure payment order protocols | PSP of payer | None |
| Low risk transactions | PSP of payer or beneficiary | According to the fraud rate observed per transaction amount range and per payment instrument |
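The exemption table above is essentially a decision function, and the conclusion of the report calls for a rules engine sitting in front of the business processing. As an added example (not code from the report, the Banque de France or any PSP), here is such an engine in Python: given a transaction and the per-payer counters an ASPSP would keep since the last strong authentication, it returns the name of the applicable exemption or `None` when SCA is required, and updates the counters afterwards. The thresholds are the ones in the table; where the table leaves something open, the code takes the stricter reading and says so in a comment (all three contactless / low value limits must hold; the 90-day window is counted from the last strongly authenticated access). The transaction-risk-analysis bands are constructed illustrative values, not the RTS annex figures, and all transaction kinds, field names and sample beneficiaries are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

# Thresholds exactly as listed in the report's exemption table.
CONTACTLESS_CAP, CONTACTLESS_CUMULATIVE = Decimal("50"), Decimal("150")
LOW_VALUE_CAP, LOW_VALUE_CUMULATIVE = Decimal("30"), Decimal("100")
MAX_SUCCESSIVE = 5
ACCOUNT_INFO_WINDOW = timedelta(days=90)

# Transaction risk analysis: per instrument, (upper amount bound, highest
# tolerated observed fraud rate). Constructed illustrative values only; the
# real figures live in the RTS annex and are not reproduced here.
TRA_BANDS = {"card": [(Decimal("100"), Decimal("0.0013")),
                      (Decimal("250"), Decimal("0.0006"))]}


@dataclass
class PayerState:
    """Counters the ASPSP keeps per payer since the last strong authentication."""
    trusted_beneficiaries: set = field(default_factory=set)
    authenticated_series: set = field(default_factory=set)  # {(beneficiary, amount)}
    contactless_count: int = 0
    contactless_total: Decimal = Decimal("0")
    low_value_count: int = 0
    low_value_total: Decimal = Decimal("0")
    last_account_info_sca: Optional[date] = None  # last strongly authenticated access (assumption)


@dataclass(frozen=True)
class Transaction:
    kind: str  # account_info | contactless | transport_parking | remote_card | credit_transfer
    amount: Decimal = Decimal("0")
    payer: str = ""
    beneficiary: str = ""
    instrument: str = "card"
    secure_corporate_protocol: bool = False
    observed_fraud_rate: Optional[Decimal] = None  # the PSP's own fraud rate for this band
    today: date = date(2019, 9, 14)  # fixed "today" (RTS application date) for reproducibility


def _within(amount, cap, count, total, cumulative_cap):
    # Stricter reading (assumption): the per-payment cap, the successive-count
    # limit and the cumulative limit must all hold for the exemption to apply.
    return amount <= cap and count < MAX_SUCCESSIVE and total + amount <= cumulative_cap


def exemption(tx, state):
    """Name of the exemption that waives SCA for tx, or None when SCA is required."""
    if tx.kind == "account_info":
        last = state.last_account_info_sca
        if last is not None and tx.today - last < ACCOUNT_INFO_WINDOW:
            return "account_information"
        return None
    if tx.kind == "transport_parking":
        return "unattended_transport_parking"
    if tx.kind == "contactless":
        ok = _within(tx.amount, CONTACTLESS_CAP, state.contactless_count,
                     state.contactless_total, CONTACTLESS_CUMULATIVE)
        return "contactless" if ok else None
    if tx.payer and tx.payer == tx.beneficiary:
        return "self_transfer"
    if tx.beneficiary in state.trusted_beneficiaries:
        return "trusted_beneficiary"
    if (tx.beneficiary, tx.amount) in state.authenticated_series:
        return "recurring_transaction"
    if tx.secure_corporate_protocol:
        return "secure_corporate_protocol"
    if _within(tx.amount, LOW_VALUE_CAP, state.low_value_count,
               state.low_value_total, LOW_VALUE_CUMULATIVE):
        return "low_value"
    if tx.observed_fraud_rate is not None:
        for upper, max_rate in TRA_BANDS.get(tx.instrument, []):
            if tx.amount <= upper and tx.observed_fraud_rate <= max_rate:
                return "transaction_risk_analysis"
    return None


def record(tx, state, applied):
    """Update counters: an exempted payment consumes its counter, a strongly
    authenticated one (applied is None) resets it."""
    if tx.kind == "contactless":
        if applied:
            state.contactless_count += 1
            state.contactless_total += tx.amount
        else:
            state.contactless_count, state.contactless_total = 0, Decimal("0")
    elif tx.kind == "account_info":
        if applied is None:
            state.last_account_info_sca = tx.today
    elif applied == "low_value":
        state.low_value_count += 1
        state.low_value_total += tx.amount
    elif applied is None:
        state.low_value_count, state.low_value_total = 0, Decimal("0")
```

Typical use is `e = exemption(tx, state)` at the gateway, a call to the SCA flow when `e is None`, then `record(tx, state, e)`. The state is what makes the last row of the report's list hard to implement: the counters, the trusted-beneficiary list and the fraud-rate feed must be available in real time, upstream of the business processing.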
- From an operational point of view, implementing every one of the exemption rules by 14 September 2019 at the latest looks difficult: some of them (risk analysis, trusted beneficiary) affect client journeys (managing trusted beneficiaries in the digital bank) or require tools not currently available in the account servicing payment service provider's IT system (real-time risk analysis).
In conclusion, the operational insights on the PSD2 RTS provided by the annual report of the Banque de France's "Observatory for Payment Card Security" reinforce the belief that financial institutions will need a strong authentication rules engine natively interfaced with their IT system gateway, upstream of the business processing triggered by third-party players.