PSD2 (Second Payment Services Directive): Mid-October will see the final introduction of a directive to the regulation of payment services and payment service providers. The original Payment Services Directive (PSD) became legislation for all EU and EEA member states in 2007, and its successor (PSD2) was originally proposed in 2015. In order to effectively protect the consumer when making payments, the new rules are designed to promote the advancement and use of inventive online and mobile payments
According to a statement published in October 2015 by the European Commission: “This regulation is a step in the right direction of a single digital market; it will support businesses and consumers and stimulate the economy to thrive.”
PSD2: The Current State Of Compliance
The PSD2 (Second Payment Services Directive) was passed on November 2015, came into law in January 2018, and comes into full effect on September 14 2019. That date is the final deadline for all companies within the EU to comply with PSD2’s Regulatory Technical Standard (RTS). The RTS was created by the European Banking Authority (EBA) in order to enhance security protection levels and reduce the escalating amounts of financial fraud.
Mark McMurtrie, director at Payments Consultancy Ltd, explains that the intention of the PSD2 (Second Payment Services Directive) is to “harmonize payments across European markets” as well as level the playing field for FinTech companies to compete with banks.
The PSD2 (Second Payment Services Directive) is also about introducing the concept of open banking, allowing consumers to move around between banks, for UK-regulated banks to share financial data with authorized providers, and for establishing banks to share direct access to data on their customers.
The security element is the RTS, which McMurtrie explains was on a delayed timeline because of lobbying on accessing information via “screen scraping,” or whether data could be collected via APIs.
According to Alisdair Faulkner, chief identity officer for Business Services at LexisNexis Risk Solutions, screen scraping is used by third-party providers to access user account information from HTML forms, and is generally considered contrary to banks’ general terms and conditions.
“While screen scraping is prohibited under the directive, banks are required to provide customer data to third parties through unique, dedicated architectures,” he says. Screen scraping tools can copy available data to an external database and can be used outside of the financial institution.
Payment security consultant Neira Jones expressed that the RTS banned screen scraping as it is not secure, but there are two better options for collecting data – either via a public API, which is deliberately open to enable competition so that it is not done via a single bank’s API, or through the modification of the modern banking interface. “The problem is we’re asking the banks to open up their infrastructure,” Jones says.
PSD2 (Second Payment Services Directive): Are You Ready?
So why this directive is needed? McMurtrie says that the UK’s total card fraud cost is £566m, and £310m of that comes from e-commerce. That’s why the regulation has stepped in, he says, to avoid this rising and to reduce the number of e-commerce infringement.
However, McMurtrie adds that there is doubt about whether European businesses will be ready for the September 14 deadline, and his belief is that businesses will not be ready. “The EBA has required that each member state appoint a single, competent authority, and in the UK it is the Financial Conduct Authority (FCA). National regulators are the ones who have the job of enforcing compliance on any regulated financial institutions.”
These regulated financial institutions include banks, card issuers and merchant acquirers, but not corporations like enterprises or merchants, “but enforcement will be requested by those who are regulated.”
In terms of not achieving compliance, McMurtrie says the overall ecosystem is not ready for the deadline and the reasons include: computing requirements, late availability of the specifications, late solution availability and the regulators changing their mind on the specifications.
McMurtrie continues: “In the UK, what is happening from a card payment perspective is that a roadmap to compliance is being negotiated with the regulator, and UK Finance represents all of the financial institutions and providers. They have created a phased roadmap with milestones and are in active negotiations with the FCA to ask for more time for compliance with the scheme.”
He points out that an additional 18 months was being requested, and that an official decision is expected in August. That “managed roadmap is under intense discussion,” he says, and that an official decision will require an agreed plan with several milestones. “This would allow active enforcement to be delayed.”
In a statement published in June 2019, the FCA stated: “The legal deadline for complying with the RTS on Strong Customer Authentication remains September 14 2019.
Nevertheless, the FCA acknowledges the difficulties of reaching this deadline and partnered with the business sector to develop a plan to transition the industry to enforce Strong Customer Authentication (SCA) for e-commerce card transactions as early as possible.”
For next steps, the FCA said that it is “working with industry on creating a plan” that will determine a blueprint for compliance and readiness, a timetable for achieving this, and essential milestones and priorities for improving consumer authentication security and eliminating forgery along the way.
The statement said that the FCA will not take enforcement action against firms if they do not meet the relevant requirements for strong authentication from 14th September 2019 onwards, in covered areas of the negotiated migration program, where there is proof that the necessary measures have been taken to comply.
PSD2: What Role Does Security Play?
The implementation of strict security standards for the execution and processing of electronic payments is what makes it strictly relevant for the cybersecurity industry.
In particular, articles 94-98 (in chapter four) of the directive cover the areas of security and data protection. Article 94 establishes here, which “payment gateway providers may only acquire, process and preserve personal data required to provide their payment services with the explicit permission of the user of the payment service” – resonating the GDPR protocols.
Neira Jones explains that “PSD2 (Second Payment Services Directive) is much broader in terms of who it applies to” than PSD, as the PSD2 RTS contains directives on strong customer authentication and secure communication.
Jones adds: “Modification of the online banking interface means providing an interface for the third party upon authentication of the customer” and this means securely authenticating anyone who is accessing the data.
McMurtrie says that strong customer authentication means more use of multi-factor authentication, typically using two factors: knowledge elements, possession elements and inherent elements. “Each person has to be authenticated by a means of authentication from at least two of these.”
He says that one of the issues here is that e-commerce typically does not involve physical presence, and this has led to a reliance on passwords. He predicts more of a move to the use of biometrics as one of the inherent elements.
As well as authentication, Jones says that it is about securing the connection interface between the user and the third party, or the user and the bank. This is where security plays a major part in PSD2 (Second Payment Services Directive), as Jones explains that “if your CISO is not involved in PSD2 endeavors, talk to them as that is their job, and there are various specifications in security in PSD2 as it is about basic requirements that are nothing new.”
Jones admits that, since she has been working on PSD2 (Second Payment Services Directive), she is yet to find a CISO who has been involved in implementing the regulation.
One thing that GDPR has driven is better standards for incident response to its 72-hour data breach reporting rule. Likewise, the PSD2 RTS article 96 states that “in the event of a major operational or compliance incident, payment service providers should inform the payment service provider without unnecessary delay to the relevant authority in the home Member State” and as well as provide the regulator with the appropriate incident records.
However, Paul van der Lee, director, EMEA, North at Ping Identity, argues that it is unfair to compare GDPR and PSD2 (Second Payment Services Directive), as “the aims of the regulations are different.”
He mentions: “PSD2 (Second Payment Services Directive) seeks not only to protect consumer rights and allow complaints to be handled properly, but also to create more opportunities for new service providers and enabling new products and services, whilst at the same time, increasing security.”
“It took some time post-GDPR for companies to get fully up to speed on the required level of response to major incidents and we are only just seeing fines at the level that was originally threatened.”
PSD2 (Second Payment Services Directive): Have You Heard the News?
Jones argues that there is a general lack of understanding about PSD2 (Second Payment Services Directive) within the security sector, saying it is only in the industry’s “vague consciousness.”
Part of the challenge is that some aspects of the RTS remain open to interpretation, points out van der Lee, and what some people believe to be compliance falls short in the eyes of other experts. “Ultimately, customer adoption will impact what organizations seek to do with regards to PSD2. The organizations that are best able to develop new offerings based on the disruption will get a competitive advantage, and the people (and technology companies) that can make that happen will become very valuable.”
What about fraud? – Will PSD2 go far enough to rule that out? Jones says she feels it has “got more than enough” to do so, while McMurtrie says that there has been low awareness levels regarding the payment fraud problem that PSD2 (Second Payment Services Directive) is trying to resolve. “This lack of consistency is a problem for understanding the directive, and likely even harder for those trying to comply with it,” he says.
Overall, the aim to reduce payment fraud should be welcomed, and while the time has been provided to achieve compliance, the feeling that the majority will not achieve it is a concern. A survey of over 2000 British adults by Equifax found that 66% rate “safe and secure payments” as the most important factor in the online checkout process, in exchange for greater payment security, 76 percent would indeed be willing to consider a slower or less efficient checkout experience.
Perhaps this is evident of siloes across the business; if PSD2 (Second Payment Services Directive) is not seen as a priority for security, but is still seen to be a responsibility of the fraud team, then a better converged business will deal with it more efficiently.