27/10/14

Towards Strong Authentication for Electronic Payments

Recently the presidency of the Council of Ministers recommended that strong customer authentication should be mandatory in a whole range of electronic payments, including for payment transactions made through digital wallet solutions and for electronic direct debit mandates. In its presidency compromise document the European Council presidency sets out its updated proposal for a new Payment Services Directive (PSD2).

"Strong customer authentication" means "a procedure for the validation of the identification of a natural or legal person based on the use of two or more elements categorised as knowledge, possession and inherence - where at least one of them, with the exception of inherence, should be non-reusable and non-replicable - that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data."

According to the current proposal, the EU Member States must ensure that a payment service provider applies strong customer authentication when the payer:

  • initiates an electronic payment transaction. For the initiation of remote payment transactions, Member States should ensure that payment service providers apply strong customer authentication that should include elements dynamically linking the transaction to a specific amount and a specific payee;
  • signs an electronic debit mandate, without prejudice to any other legal requirement on electronic signatures;
  • registers sensitive payment data to be used in a wallet solution. The presidency defined "wallet solutions" to mean "solutions that allow a customer to register in an application personal data and data relating to one or more payment instruments in order to make payments with several e-merchants".
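The requirement above that remote payments use authentication elements "dynamically linking the transaction to a specific amount and a specific payee" is the part of the definition most often implemented wrongly, so here is an added illustration of it (example code written for this article, not part of the directive text or of any payment provider's system). It assumes a knowledge factor (a password, stored as a salted PBKDF2 hash) and a possession factor (a per-device secret key); the possession proof is an HMAC computed over the payee, the amount and a single-use nonce issued by the payment service provider, so a code obtained for one transaction cannot be replayed or reused for a different payee or amount. All names, the user "alice" and the payee identifier are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # work factor for the knowledge-factor hash (assumed value)


@dataclass(frozen=True)
class PaymentOrder:
    """The transaction details the authentication code must be bound to."""
    payee: str
    amount_cents: int
    currency: str = "EUR"

    def canonical(self) -> bytes:
        # Fixed field order and separators so payer device and provider MAC identical bytes.
        return f"{self.payee}|{self.amount_cents}|{self.currency}".encode()


def transaction_code(device_key: bytes, order: PaymentOrder, nonce: bytes) -> str:
    """Possession-factor proof: HMAC-SHA256 over the order plus a per-transaction nonce.
    The payer's device computes this only after displaying payee and amount to the user,
    which is what makes the code 'dynamically linked' to that one transaction."""
    mac = hmac.new(device_key, order.canonical() + b"|" + nonce, hashlib.sha256).digest()
    return mac.hex()[:16]  # truncated for display; 64 bits of MAC output remain


class PaymentServiceProvider:
    """Hypothetical provider-side verifier combining the two factors."""

    def __init__(self) -> None:
        self._pw = {}       # user -> (salt, pbkdf2 hash): knowledge factor
        self._devices = {}  # user -> device key: possession factor
        self._open = {}     # nonce -> user: issued and not yet consumed

    def enroll(self, user: str, password: str, device_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._pw[user] = (salt, digest)
        self._devices[user] = device_key

    def issue_nonce(self, user: str) -> bytes:
        """One fresh challenge per transaction attempt; this is what makes the code non-reusable."""
        nonce = secrets.token_bytes(16)
        self._open[nonce] = user
        return nonce

    def _check_password(self, user: str, password: str) -> bool:
        salt, stored = self._pw[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, stored)

    def authorize(self, user: str, password: str, order: PaymentOrder,
                  nonce: bytes, code: str) -> bool:
        # Unknown user, or nonce never issued / already consumed (replay): reject.
        if user not in self._pw or self._open.get(nonce) != user:
            return False
        del self._open[nonce]  # consume first: one challenge allows at most one attempt
        if not self._check_password(user, password):
            return False
        # Recompute the possession proof over the order the provider is about to execute.
        # A code produced for a different payee or amount will not match.
        expected = transaction_code(self._devices[user], order, nonce)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Walk through the genuine flow and three failure cases; returns the outcomes."""
    psp = PaymentServiceProvider()
    device_key = secrets.token_bytes(32)          # provisioned to the payer's device at enrolment
    psp.enroll("alice", "correct horse battery", device_key)
    order = PaymentOrder(payee="merchant-example-001", amount_cents=1250)  # constructed

    n1 = psp.issue_nonce("alice")
    genuine = psp.authorize("alice", "correct horse battery", order,
                            n1, transaction_code(device_key, order, n1))
    replay = psp.authorize("alice", "correct horse battery", order,
                           n1, transaction_code(device_key, order, n1))

    # Code was computed on the order the user saw; provider receives an altered amount.
    n2 = psp.issue_nonce("alice")
    tampered = psp.authorize("alice", "correct horse battery",
                             PaymentOrder(payee="merchant-example-001", amount_cents=125000),
                             n2, transaction_code(device_key, order, n2))

    n3 = psp.issue_nonce("alice")
    wrong_pw = psp.authorize("alice", "wrong password", order,
                             n3, transaction_code(device_key, order, n3))
    return {"genuine": genuine, "replay": replay, "tampered": tampered, "wrong_pw": wrong_pw}
```

Two design points are worth noting. The two factors are independent in the sense the definition asks for: learning the password gives nothing usable without the device key, and a stolen device key is useless without the password. And consuming the nonce before any other check means a single issued challenge can never authorize more than one submission, whatever fails later.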

Strong customer authentication should be required not only for payment transactions but also when consumers access their payment account online. This concern is related to the ongoing discussion about third-party payment initiation services and "access to the account", on which time.lex reported earlier. This new update of the PSD2 proposal is also more detailed concerning the regulatory technical standards on authentication and communication (which are to be developed by the European Banking Authority, in cooperation with the European Central Bank).