PSD2 Compliance Requirements: How to Meet Them with Passwordless Authentication

Beyond Identity Blog | Thursday, November 18, 2021

Electronic payments are the way money moves today. As a result, governments have placed a focus on regulation to protect consumers and hold online businesses, financial institutions, and payment service providers accountable to keep customer data safe.

The Payment Services Directive 2.0 (PSD2) is an attempt by the European Union’s (EU) European Banking Authority to address consumer protection and the need for standards in how third-party providers access banking data. The world has changed since the original Payment Services Directive in 2007: online payments are commonplace, and third parties have access to our bank accounts in ways they didn’t nearly two decades ago.

While PSD2 only directly applies to EU member states, those outside wishing to do business within the EU must comply with PSD2. Like the GDPR, which triggered changes worldwide in privacy protections, PSD2 is likely to have a similar effect on the electronic payments industry.

If you're doing any business in the EU, the deadline for compliance passed on December 31, 2020, so you must already be PSD2 compliant. Here's what you need to know.

What is PSD2?

PSD2 is an amendment to the original Payment Services Directive that established a single payment market in the EU, promoting innovation and efficiency. While the EU updated the directive regularly, it wasn't until 2013 that the European Commission proposed wholesale changes to address technological changes in the payments market, and in 2018 the EU countries codified the changes into law.

At its core, PSD2 deals with two primary business-focused pillars.

Strong Customer Authentication

SCA mandates two authentication factors for all online transactions to (1) prove that the card used is physically present and (2) confirm identity. While the CVV number has become a popular method to confirm the presence of the card, this isn't sufficient under PSD2. A PSD2-compliant transaction verifies the payer using at least two of the following three factors: knowledge, something that only the user knows; possession, something only the user possesses; or inherence, a trait only the user has. See the chart below for examples of each type.

 
Knowledge
  • Password
  • PIN
  • Challenge questions
  • Passphrase
  • Swipe path

Possession
  • Card with dynamic security code
  • Card read by a card reader
  • One-time-code sent to a device
  • Hardware or software token
  • Device bound authentication (software chip, private key)

Inherence
  • Fingerprint scanning
  • Voice recognition
  • Vein recognition
  • Hand and face geometry
  • Retina/iris scanning
  • Keystroke dynamics
  • Heart rate or body movement pattern

Of these, possession and inherence offer the strongest security, while knowledge-based factors offer the weakest and are easier to forge. This is why SCA requires two of the three: it prevents knowledge-based methods, which provide little additional security benefit, from being used on their own.

Open Banking

Third parties are using a consumer's bank account and account details in ways that didn't exist two decades ago: think of services and apps like Mint, Dave, Venmo, and Robinhood. While most financial institutions have not set up roadblocks to these services, some have. PSD2 mandates that financial institutions share this data via an open API with third-party payment service providers.

Who does the PSD2 apply to?

The SCA requirements and open banking efforts are the two portions of PSD2 that most affect businesses with payments that begin, travel, or end within the European Economic Area (EEA). Similar to the GDPR, its broad reach requires non-EU companies to comply as well.

While the law took effect in January 2018, financial institutions initially had until September 2019 to comply with the changes. After several delays (including the COVID-19 pandemic), the EU ultimately gave businesses until December 31, 2020, to comply. The UK also plans to enforce SCA requirements through separate UK-specific legislation, but not until March 2022.

While it is primarily directed at payment service providers and financial institutions, it also affects those using and accepting those payments, such as eCommerce websites. Also, PSD2 applies to any service or business using customer or payment data or providing services that aid in the payment process.

Companies that aren't PSD2 compliant risk significant penalties, with individual EU countries able to fine organizations for non-compliance. However, the directive to banks to decline any non-compliant transaction after the December 31, 2020, deadline leaves companies doing business in the EEA with no other choice but to comply.

EU regulators expect the payments industry to follow PSD2 guidelines for every one-time online transaction, except in the following circumstances:

  • The transaction is less than €30
  • Any merchant-initiated transaction, such as a subscription (the initial subscription payment is still subject to PSD2, however)
  • All cash payments

What do companies need to do to meet requirements?

So, how do you meet the requirements of PSD2? The first step to compliance is the most significant, and that's the implementation of multi-factor authentication (MFA) in the checkout flow, using at least two of the three strategies discussed earlier.

In addition, the EU requires the use of the 3D Secure 2.0 (3DS2) protocol during the checkout flow. Already in use worldwide under different brand names (Verified by Visa, Mastercard SecureCode, American Express SafeKey, etc.), the platform further secures online transactions by providing up to 150 data points to the bank to determine if a transaction is legitimate.

Dynamic Linking

PSD2 also requires what it calls "dynamic linking": payment providers must issue a unique authentication code for each transaction, any change to the transaction requires a completely new code, and the payment amount and recipient must be visible to the payer when authenticating.

The text of the law explains this process of authentication in detail, which we've included below. There are four requirements:

(a) the payer is made aware of the amount of the payment transaction and of the payee;
(b) the authentication code generated is specific to the amount of the payment transaction, and the payee agreed to by the payer when initiating the transaction;
(c) the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;
(d) any change to the amount or the payee results in the invalidation of the authentication code generated.
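
One way to satisfy requirements (a) through (d) is to compute the authentication code as a keyed MAC over the transaction details. The sketch below is an added example, not code from PSD2, the regulatory standards, or Beyond Identity; the choice of HMAC-SHA256, the function names, the server-held key, and amounts expressed in minor units (cents) are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption); a real provider keeps this in an HSM or key store.
SERVER_KEY = secrets.token_bytes(32)
_used_txn_ids = set()  # codes already accepted once, to block replay


def _canonical(txn_id, amount_minor, currency, payee):
    """Length-prefix every field so field boundaries cannot be shifted
    to make two different amount/payee pairs encode to the same bytes."""
    fields = [txn_id, str(amount_minor), currency, payee]
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def _mac(txn_id, amount_minor, currency, payee):
    msg = _canonical(txn_id, amount_minor, currency, payee)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def consent_text(amount_minor, currency, payee):
    """Requirement (a): the amount and payee shown to the payer before approval."""
    return f"Pay {amount_minor // 100}.{amount_minor % 100:02d} {currency} to {payee}?"


def issue_code(amount_minor, currency, payee):
    """Requirement (b): a code specific to this amount and payee.
    The random transaction id makes each code unique per transaction."""
    txn_id = secrets.token_hex(16)
    return txn_id, _mac(txn_id, amount_minor, currency, payee)


def verify_code(txn_id, code, amount_minor, currency, payee):
    """Requirements (c) and (d): recompute the MAC over the values about to be
    executed; a changed amount or payee no longer matches, so the code is void."""
    if txn_id in _used_txn_ids:
        return False
    expected = _mac(txn_id, amount_minor, currency, payee)
    if not hmac.compare_digest(expected, code):
        return False
    _used_txn_ids.add(txn_id)
    return True
```

Verification recomputes the code from the amount and payee that are about to be executed rather than trusting values carried alongside the code, which is what makes a tampered payment fail.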

Beyond Identity can help

PSD2 compliance is a significant undertaking for companies that haven't made strong customer authentication a priority. But if you plan to or are already doing business in the EU, that compliance is mandatory.

You don't need to do all the work to improve your authentication process, however. Beyond Identity's passwordless MFA platform makes PSD2 SCA compliance a breeze.

While it may seem from the requirements that two separate authentication processes are necessary for compliance, that's not the case. Beyond Identity can authenticate two factors of a customer's identity by default using passwordless authentication.

Beyond Identity uses a private encrypted key tied to the user’s device instead of the password, satisfying possession. At the same time, inherence is met by requiring users to confirm identity with a local device biometric before being granted access.

Frictionless Checkout Flows

The most common concerns over PSD2 compliance center around effects on the customer checkout experience. Some fear the new security requirements create friction in the checkout flow, leading to higher cart abandonment rates. That isn’t the case with Beyond Identity, where the login process is as simple as a click. The simplicity of it all is a net positive for both consumers and businesses alike.

Your business is fully compliant with PSD2's Strong Customer Authentication requirements, and your customers can be free from the time-consuming process of legacy multi-factor authentication.  

But the benefits of moving away from the password are not limited to a smooth, PSD2-compliant customer experience. Password-based attacks are the most common entry point for attackers, and by eliminating passwords completely, including for recovery purposes, you can fully protect customers from account takeover fraud caused by credential attacks.

See a demo of how your organization can build PSD2-compliant customer authentication with zero friction.