Using biometrics to meet PSD2’s strong customer authentication mandate

The Second Payment Services Directive (PSD2) looks to improve how Europeans manage their money and reduce cybercrime associated with online shopping. This blog provides an overview of PSD2’s key components with an emphasis on the mandate for strong customer authentication.

What is PSD2 and why is it necessary

PSD2 aims to foster more competition among payment service providers and better protect consumers when they shop online. The European Commission published PSD2 in 2015. PSD2, parts of which went into effect on Jan. 13, 2018, builds on the First Payment Services Directive (PSD1), which went into force in 2009. Since then, the Internet and mobile devices have changed how people manage their finances and shop. PSD2 addresses these developments. PSD2 has two components: open banking and combating cybercrime.

Open banking

While banks have adopted ATMs and mobile apps, overall, it’s an industry that’s been slow to innovate. Open banking may change the banking industry’s static reputation by cultivating new ways for people to make payments, borrow money and manage their finances.

With open banking, banks must share a person’s transactions with qualified third parties if a customer consents. These third parties can include financial technology companies, other banks and some retailers. The data in these transactions shows how people spend, save and borrow money. Opening up this data to third parties should lead to the creation of financial services and banking products that help people better manage their money. What these products will exactly be is still unknown. But some possibilities include apps that let people manage money across multiple bank accounts and services that make applying for a loan easier.

Combat cybercrime

The second part of PSD2 looks to combat cybercrime associated with online shopping, like Card Not Present (CNP) fraud, which has become more prevalent as ecommerce rises, according to European Payments Council. In fact, the European Central Bank calculated that CNP fraud losses in the Single Euro Payments Area totaled 1.32 billion in 2016, a 2.1 percent increase from 2015.

CNP fraud impacts businesses of all sizes, the council noted. Small merchants may not properly implement security tools or patch vulnerabilities, leading to websites that are vulnerable to hackers. Meanwhile, large businesses continue to suffer data breaches that expose sensitive data like credit card information despite significant investments in security tools. “Criminals regularly find weaknesses and vulnerabilities,” the council said.

Securing transactions and reducing fraud with strong customer authentication

To improve consumer security and reduce fraudulent transactions, PSD2 requires customers to use two-factor authentication to approve transactions over a certain financial amount. This mandate, called strong customer authentication (SCA), goes into effect on Sept. 14, 2019.

Two-factor authentication is used when entering a username and password doesn’t provide enough security. Under PSD2, to complete certain transactions a person will have to prove their identity in two out of the three following ways:

  • Knowledge: something only the person knows, like a password or PIN
  • Possession: something only the person has, like a smartphone
  • Inherence: something that’s unique to a person, like fingerprints

While SCA’s mandate for two-factor authentication is meant to improve security, it could impede the speed and convenience of online shopping. Look at how Amazon’s one-click ordering has changed people’s expectations of the checkout process. Transactions may take longer to complete if people have to enter either a password or a PIN to make a purchase.  

If people have negative experiences approving online transactions, they’re likely to abandon their cart. In fact, a Deloitte survey on business sentiment around PSD2 found that delivering a good user experience was the greatest challenge to meeting the SCA requirement. And with only 18 percent of polled organizations keeping their authentication techniques, payment processors may find themselves in the difficult position of balancing SCA compliance with providing customers with frictionless authentication and purchase experiences. 

Companies changing their authentication techniques (43 percent) and evaluating if a change is necessary (40 percent) prefer software and mobile app solutions to hardware ones, which aren’t viewed as customer friendly. Companies considering biometrics plan on using mainstream methods like fingerprint authentication, the survey found.

How biometrics can meet the SCA mandate and offer frictionless transactions

Inherence and possession are the optimal choices for offering customers a convenient and secure way to approve transactions while meeting the SCA mandate. Using a smartphone’s fingerprint reader to approve a purchase is easier and faster than having to remember and type in a password or search text messages for a PIN. People always have their smartphones, fulfilling the possession requirement. And no two people have the same biometrics, fulfilling the inherence requirement.
To address the security concerns around the spoofing biometrics, some biometric authentication platforms now use behavioral biometrics to learn how people handle their smartphones and use this data to validate users. And some biometric authentication platforms, like Veridium, store part of a person’s biometrics on a smartphone and the other portion on a server, making either segment useless without the other.

Have questions about PSD2? Veridium CEO James Stickland and Alasdair Anderson, former executive vice president at Nordea, can answer them after our webinar about the regulation. Make sure to sign up.

How Veridium helps payment processors comply with PSD2

Providing two-factor authentication for SCA

Veridium lets people use their smartphone and biometrics to authenticate. Using a smartphone fulfills the requirement for possession while the use of biometrics meets the requirement for inherence. The biometric options Veridium supports are Apple’s Face ID and, Touch ID, Android’s fingerprint authentication and Veridium’s 4 Fingers TouchlessID.

Meeting PSD2’s Regulatory Technical Standards

To meet the Regulatory Technical Standards (RTS) that require payers to securely authenticate financial transactions, Veridium allows payers to securely authenticate transactions by delivering an end to end secure transaction authentication with independent certificate and biometric matching. To comply with the RTS around protecting the confidentiality and integrity of of the transaction throughout the authentication process, Veridium securely encrypts all communication end-to-end using mutual TLS handshakes (MTLS). And to ensure that customers are aware of the transaction data that they’re authenticating, all transactions approved with Veridium are accompanied with a unique plain language text describing the transaction. The text is signed by the biometric and certificate matching and stored as a record in a secure central database.

Providing dynamic linking

Veridium delivers dynamic linking to ensure non-repudiation of identity and an end-to-end log of each transaction per identity. Each session or transaction is signed by a certificate or key match, along with a biometric match to ensure compliance. This approach protects consumers from man-in-the-middle attacks. All communication is securely handled end to end with MTLS. The full audit trail is stored centrally in a secure database for subsequent interrogation if needed.

PSD2 may change the banking and payment sectors

With PSD2, people may have more and better options around applying for loans, tracking spending and handling finances. Additionally, online fraud may decrease when payment processors implement SCA. But failing to provide two-factor authentication along with a hassle-free checkout experience could lead to a negative buying experience for customers. Using biometric authentication to approve purchases offers the convenience people expect from online shopping while meeting the requirements for SCA.