News, Education and Events Decoding Digital Payments & Fraud

PSD2 and the Future of Customer Authentication: Knowledge, Possession and Inherence

By Mirko Hüllemann, managing director of Heidelberger Payment GmbH

(Editor’s note: As cross-border assumes an increasingly prominent role in the digital commerce mix of merchants around the world, knowledge of unfamiliar regulatory environments becomes more important. For merchants around the world, Europe, which contains several of the largest e-commerce markets in the world—with the U.K. in a sort of limbo—is a vital region. Changes to the Payment Services Directive starting next year will impact any merchant with plans to sell in Europe and payment services providers that operate there.)

The EU’s first Payment Services Directive was introduced in 2007. Several years ago, the EU decided to revise the PSD to explicitly include online-based payment services. The European Commission enacted the new PSD2 in October 2015. It is expected to enter into force in January 2018. Member states have until then to incorporate the binding requirements of the PSD2 in national law.

Although the Regulatory Technical Standards (RTS)—the final draft of which the European Banking Authority (EBA) is expected to provide at the start of 2017—seem to leave a great deal of freedom in their implementation, the second edition of the Payment Services Directive has unavoidable consequences in the area of customer authentication for payments in online trade. Ideally, this will result in greater convenience and security for end customers, while giving merchants and service providers the opportunity to gain competitive advantages through new services.

Four specific objectives of the PSD2

The general objective of the PSD2 is to make electronic payments in Europe more secure and convenient for consumers. From the perspective of the EU Commission, the directive is also a step towards a digital single market, which is intended to benefit consumers and companies as well as contributing to economic growth. The EU Commission highlights four changes implemented by the PSD2:

  1. It will provide stricter security requirements for the execution and processing of electronic payments and the protection of the financial data of consumers.
  2. The EU payments market will be opened for payment initiation service providers and account information service providers.
  3. Consumer rights will be strengthened in various areas, such as the reduction in liability for unauthorized payment transactions and the introduction of an unconditional right to a refund for direct debits in euros.
  4. The calculation of surcharges (such as for the right to pay by card) will be prohibited, irrespective of whether consumers use the respective payment instrument in a shop or online.

Third-party providers and the banking world

One of the more interesting aspects of the new directive from the perspective of a payment service provider (PSP) is the opening up of the banking world, which was previously closed to third-party providers. But it is not only the payment service providers who benefit from this opening. Banks can reposition themselves by offering new, convenient services for their customers. According to Article 98 of PSD2, the European Banking Authority (EBA) must work together with the European Central Bank (ECB) to define so-called Regulatory Technical Standards for authentication and communication. The EBA will transmit these Regulatory Technical Standards (RTS) to the EU Commission, which will then enact binding requirements.

EBA Regulatory Technical Standards – The details of how the communication interface is to be built are also not regulated by the available final draft of the EBA RTS, as the directive itself demands technical neutrality with respect to possible internet communication standards. However, a few formal requirements are described, such as the use of appropriate encryption for data exchange, the shortest possible communication processes and clear references for the data exchanged. Third-party payment service providers, which now for the first time have access to bank accounts and customer data, are required to comply with specific obligations. They must guarantee the integrity and confidentiality of customers’ personal security credentials and authentication codes, for example by exclusively processing such data in a secure environment pursuant to the ISO 27001 standard for information security management systems.

Greater convenience and new services – For payment service providers, this restricted but direct communication with the banking world opens up the opportunity to offer consumers customer authentication services for online trade that were not possible before. One possible example: if a customer wants to authenticate themselves using their EC card and chip-TAN in an online payment process, in the future a payment institution can verify this authentication immediately. This makes entirely new instant payment options possible. Ultimately, all participants will benefit from this type of close interaction between PSPs and financial institutions: online retailers, their customers, payment institutions and banks. This is because a bank that provides secure interfaces for third-party payment service providers, such as in the form of an application programming interface (API), positions itself closer to its customers’ requirements and establishes the conditions that make payment on the internet easier and more convenient for them.

New authentication process: secure and convenient

For certain payment procedures, the revised directive necessitates new customer authentication methods. For instance, an SMS-TAN to a smartphone may no longer be permitted for mobile payment. In Article 97, the PSD2 prescribes strong customer authentication if payers, for example, access their payment accounts online or trigger an electronic payment process. Authentication becomes strong if at least two of three possible categories are involved. These three authentication categories are:

  1. Knowledge: something only the user knows (such as a password).
  2. Possession: something only the user possesses (such as a chip card).
  3. Inherence: something the user is, a personal or physical characteristic (such as a fingerprint).

The PSD2 requirement for strong customer authentication is satisfied if the authentication procedure combines two of these three independent elements.
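To make the "two of three categories" rule concrete, here is a small policy check written as an added example; it is not code from the article or from heidelpay. The `Factor` model, the `device` attribute and the independence rule that discounts a possession element delivered on the very device that initiates the payment (which is how the article's SMS-TAN-on-a-smartphone case is treated here) are assumptions made for illustration, as are the sample factors.

```python
"""Added example: evaluate whether a set of presented authentication
elements satisfies the PSD2 'two of three categories' rule.

Not the article's or heidelpay's code. The factor model, the device-binding
independence rule and the sample factors are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # Assumed attribute: the device on which the element is presented or
    # delivered (None for elements that are not bound to a device).
    device: Optional[str] = None


def is_strong_customer_authentication(
    factors: List[Factor], transaction_device: Optional[str] = None
) -> Tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when at least two distinct categories are present and
    the elements are independent of each other in the assumed sense below.
    """
    if not factors:
        return False, "no authentication elements presented"

    categories = {f.category for f in factors}
    if len(categories) < 2:
        names = ", ".join(sorted(c.value for c in categories))
        return False, "only one category present: " + names

    # Assumed independence rule: a possession element that is delivered on
    # the same device that initiates the payment (e.g. an SMS-TAN sent to the
    # smartphone used for a mobile payment) does not count as a separate
    # element, because compromise of that one device defeats both.
    independent = [
        f for f in factors
        if not (
            f.category is Category.POSSESSION
            and f.device is not None
            and f.device == transaction_device
        )
    ]
    independent_categories = {f.category for f in independent}
    if len(independent_categories) < 2:
        return False, "possession element is bound to the transaction device"

    names = ", ".join(sorted(c.value for c in independent_categories))
    return True, "independent categories: " + names


if __name__ == "__main__":
    # Constructed sample scenarios, not data from the article.
    password = Factor("online banking password", Category.KNOWLEDGE)
    chip_card = Factor("EC card with chip-TAN", Category.POSSESSION, "card reader")
    sms_tan = Factor("SMS-TAN", Category.POSSESSION, "phone-1")
    fingerprint = Factor("fingerprint", Category.INHERENCE, "phone-1")

    print(is_strong_customer_authentication([password, chip_card]))
    print(is_strong_customer_authentication([password, sms_tan], "phone-1"))
    print(is_strong_customer_authentication([password, sms_tan], "laptop"))
    print(is_strong_customer_authentication([fingerprint, password], "phone-1"))
```

The check reports a reason alongside the verdict so that a rejected attempt can be logged with the category that was missing or the element that was discounted, which is what an operator needs when tuning which combinations the checkout offers.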

Inconvenient 3D Secure – The Federal Financial Supervisory Authority (BaFin) also focused on strong authentication in its “Minimum requirements for the security of internet payments” (MaSI), which it published in November 2015. The intention is to increase the security level, including for the procedures operated by credit card companies, such as 3D Secure from VISA or SecureCode from MasterCard. Many institutions supplement these procedures with elements such as push-TANs, smartphone apps or card readers in order to further increase security for card payments on the internet. However, processes such as the existing 3D Secure have one serious disadvantage: they are relatively inconvenient for customers to use. Online retailers are also reluctant to offer them, because these processes almost always result in significantly lower conversion rates. The disadvantage for a retailer that refuses to use these kinds of strong customer authentication procedures is that it bears the entire financial risk of any chargebacks. In the future, in Europe, the PSD2 will ensure that an online card payment is impossible without strong authentication.

Even strong authentication will become convenient – Overall, PSD2 and the mandatory strong customer authentication are intended to increase the security level. Fraud using stolen data will become more difficult if new processes combine the categories of knowledge, possession and inherence into a strong two-factor authentication. For instance, quick methods such as a simple iris scan or video authentication using the customer’s smartphone are conceivable. The PSD2 does not set any limits on the possible combinations. It is the hope of payment service providers as well as retailers that new processes will minimize the number of fraud attempts and subsequent chargebacks. And, from a customer perspective, the new processes should result in greater convenience compared to inconvenient methods such as 3D Secure.

Who will implement the PSD2? – The question of who will drive the implementation of the PSD2 and who ultimately is responsible remains. Certainly, the directive calls on banks to establish appropriate secure and available communication interfaces, but many third-party payment providers will also have to invest in their infrastructure to implement the required security level on their side. The current RTS draft therefore requires a test facility for the interface so that third-party providers can trial the interaction with their own applications. The EBA’s Regulatory Technical Standards, however, provide very little in the way of detail on the technical design. And, even if the EU Commission were to accept the RTS draft in the spring of 2017, they would only enter into force 18 months later in accordance with the PSD2 Directive. However, as the RTS for the PSD2 are expected to be enacted as an EU Regulation, they would then be directly applicable in all member states without any further national implementation.


The PSD2 opens up new opportunities, and not just from the perspective of payment service providers. The new European Directive promises strong customer authentication, which increases security against fraud and simplifies e-commerce transactions. Market participants will be able to use new strong authentication procedures to offer secure and convenient payment options to end customers for online purchases. This results in the possibility of competitive advantages for all participants. It is now time to take a close look at the PSD2, adapt to the new requirements and take advantage of the resulting opportunities.

Mirko Hüllemann is managing director of Heidelberger Payment GmbH. heidelpay is a leading payment institution for online payment methods, authorized and regulated by BaFin. With more than 200 national and international payment methods, heidelpay enables online retailers to accept payments all over the world.