White Paper. The Impact of Payment Services Directive II (PSD2) on Authentication & Security

Similar documents
PSD2 webinar session - Q&A

PSD2 Compliance - Q&A

PSD2: Risks, Opportunities and New Horizons

Strong Customer Authentication and common and secure communication under PSD2. PSD2 in a nutshell

Authentication (Strong Customer Authentication)

Identity & security CLOUDCARD+ When security meets convenience

Guidelines. on the security measures for operational and security risks of payment services under Directive (EU) 2015/2366 (PSD2) EBA/GL/2017/17

FIDO & PSD2. Providing for a satisfactory customer journey. April, Copyright 2018 FIDO Alliance All Rights Reserved.

Open Banking Consent Model Guidelines. Part 1: Implementation

Consent Model Guidelines

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

FIDO Alliance Response to the European Banking Authority (EBA)

How Ezio ebanking Solutions help banks comply with PSD2

FFIEC CONSUMER GUIDANCE

Joint Initiative on a PSD2 Compliant XS2A Interface NextGenPSD2 XS2A Framework Operational Rules

Smart guide to mobile call recording for MiFID II

EY s data privacy service offering

FFIEC CONSUMER GUIDANCE

ASSESSMENT LAYERED SECURITY

ADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI. Adaptive Authentication in IBM Tivoli Environments. Solution Brief

Next Generation Authentication

Authentication (SCA) and Common and Secure Communication

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

Overview of Akamai s Personal Data Processing Activities and Role

Keep the Door Open for Users and Closed to Hackers

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief

Authentication and Fraud Detection Buyer s Guide

PSD2 & OPEN BANKING Transform Challenge into Opportunity with Identity & Access Management E-BOOK

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

NextGenPSD2 Conference 2017

January 23, Online Banking Risk Management: A Multifaceted Approach for Commercial Customers

Using Biometric Authentication to Elevate Enterprise Security

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

Authentication Methods

Regulating Cyber: the UK s plans for the NIS Directive

Safelayer's Adaptive Authentication: Increased security through context information

PCI DSS Addressing Cyber-Security Threats. ETCAA June Gabriel Leperlier

PSD2 open banking for Prepaid Programme Managers. Implications and Requirements

Two-Factor Authentication over Mobile: Simplifying Security and Authentication

Authentication Technology for a Smart eid Infrastructure.

ELECTRONIC BANKING & ONLINE AUTHENTICATION

Key Findings from the Global State of Information Security Survey 2017 Indonesian Insights

European Union Agency for Network and Information Security

A NEW MODEL FOR AUTHENTICATION

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

GDPR Update and ENISA guidelines

EU General Data Protection Regulation (GDPR) Achieving compliance

A comprehensive approach on personal data protection in the European Union

SOLUTION BRIEF RSA SECURID SUITE ACCELERATE BUSINESS WHILE MANAGING IDENTITY RISK

Martijn Loderus. Merritt Maxim. Principal Analyst Forrester. Director & Global Practice Partner for Advisory Consulting Janrain

Village Software. Security Assessment Report

Trending: Mobile Payments. Dan McLoughlin, VASCO Data Security Julian Sawyer, Starling Bank

INNOVATIVE IT- SECURITY FOR THE BANKING AND PAYMENT INDUSTRY

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Request for exemption from the obligation to set up a contingency mechanism (SUP 15C Annex 1D)

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

How Next Generation Trusted Identities Can Help Transform Your Business

The University of Queensland

PSD2/EIDAS DEMONSTRATIONS

FIDO Alliance: Standards-based Solutions for Simpler, Strong Authentication

Building the Business Case for Strong Authentication

FAQ about the General Data Protection Regulation (GDPR)

6 Vulnerabilities of the Retail Payment Ecosystem

Adaptive Authentication Adapter for Juniper SSL VPNs. Adaptive Authentication in Juniper SSL VPN Environments. Solution Brief

How WhereScape Data Automation Ensures You Are GDPR Compliant

Combating Cyber Risk in the Supply Chain

ENISA s Position on the NIS Directive

Supercharge Your SIEM: How Domain Intelligence Enhances Situational Awareness

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

SECURING THE UK S DIGITAL PROSPERITY. Enabling the joint delivery of the National Cyber Security Strategy's objectives

MITIGATE CYBER ATTACK RISK

SECURITY & PRIVACY DOCUMENTATION

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Discussion on MS contribution to the WP2018

IDENTITY AND THE NEW AGE OF ENTERPRISE SECURITY BEN SMITH CISSP CRISC CIPT RSA FIELD CTO

Safeguarding company from cyber-crimes and other technology scams ASSOCHAM

Important Information

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Privileged Account Security: A Balanced Approach to Securing Unix Environments

A practical guide to IT security

SWAMID Person-Proofed Multi-Factor Profile

Cyber Security and Data Protection: Huge Penalties, Nowhere to Hide

Digital Payments Security Discussion Secure Element (SE) vs Host Card Emulation (HCE) 15 October Frazier D. Evans

Forensic analysis with leading technology: the intelligent connection Fraud Investigation & Dispute Services

INTELLIGENCE DRIVEN GRC FOR SECURITY

Fighting Fraud with Behavioral Biometrics and Cognitive Fraud Detection. IBM Security s Brooke Satti Charles on the Power of These New Capabilities

Trust Services for Electronic Transactions

VERSION 1.3 MAY 1, 2018 SNOWFLY PRIVACY POLICY SNOWFLY PERFORMANCE INC. P.O. BOX 95254, SOUTH JORDAN, UT

The Benefits of Strong Authentication for the Centers for Medicare and Medicaid Services

BIOEVENTS PRIVACY POLICY

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

POMONA EUROPE ADVISORS LIMITED

New Paradigms of Digital Identity:

AN IPSWITCH WHITEPAPER. 7 Steps to Compliance with GDPR. How the General Data Protection Regulation Applies to External File Transfers

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

Transcription:

White Paper The Impact of Payment Services Directive II (PSD2) on Authentication & Security

First Edition June 2016 Goode Intelligence All Rights Reserved Published by: Goode Intelligence Sponsored by: RSA www.goodeintelligence.com info@goodeintelligence.com Whilst information, advice or comment is believed to be correct at time of publication, the publisher cannot accept any responsibility for its completeness or accuracy. Accordingly, the publisher, author, or distributor shall not be liable to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by what is contained in or left out of this publication. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electrical, mechanical, photocopying and recording without the written permission of Goode Intelligence.

CONTENTS What is Payment Services Directive II?... 2 Overview... 2 Payment Security and Strong Customer Authentication (SCA)... 3 What is Strong Customer Authentication (SCA)?... 3 Who is affected... 4 Timelines for Compliance... 4 The impact of PSD2 XS2A on Convenient Authentication... 5 Meeting the Needs of PSD2 with RSA Adaptive Authentication... 6 Other Security Implications from PSD2... 7 The need for integrated security solutions for PSD2 compliance... 8 Summary... 8 About Goode Intelligence... 9 Goode Intelligence 2016 www.goodeintelligence.com

This white paper from Goode Intelligence (GI) explores the implications of the European Commission s Payment Services Directive II (PSD2) for authentication and security. WHAT IS PAYMENT SERVICES DIRECTIVE II? Overview The European Commission s (EC) Payment Services Directive II (PSD2) replaces the existing PSD, first introduced in 2007, and aims to standardize and modernize how payments work across the European Union (EU). PSD was developed to create a legally binding single payment services market that EU member states could regulate. PSD2 builds on the first directive and is also a direct reaction to a wave of innovative technology-led payment services. It now means that previously unregulated third party payment service providers (TPPs) can be regulated as they will now fall under PSD2. PSD2 focuses on consumer protection, developing a framework that nurtures competition, innovation and security 1 across the EU. The main objectives of PSD2 are to: Contribute more to a more integrated and efficient European Payments market Improve the level playing field for payment service providers (PSPs), including new players Make payments safer and more secure Protect consumers Encourage lower prices for payments The European Parliament adopted PSD2 in October 2015 and EU member states have two years in which to implement the new procedures. The EC states that there is a different date of application for the new security measures, including Strong Customer Authentication 1 Directive on Payment Services (PSD2), European Commission: http://ec.europa.eu/finance/payments/framework/index_en.htm Goode Intelligence 2016 P a g e 2 www.goodeintelligence.com

(SCA) and standards for secure communication. This is subject to the adoption of the regulatory technical standards which are being developed by the European Banking Authority (EBA) and adopted by the EC. It is anticipated that the new security measures shall apply 18 months after the adoption of the standards by the EC. [Breakout Box: EBA Framework for Strong Customer Authentication. The EBA s guidelines were published in December 2014 to provide a solid legal basis for the security of internet payments within the EU and PSPs operating in the EU. The EBA security guidelines provide PSPs with a minimum set of guidelines to ensure they have a secure framework to protect internet payments against fraud and pre-empted the security requirements found in PSD2.] Payment Security and Strong Customer Authentication (SCA) PSD2 provides rules for payment security and customer authentication, concentrating on protecting consumers when paying on the internet. For payment security, the directive states that all payment service providers, including banks, payment institutions or third party providers (TPPs), will need to prove that they have certain security measures in place ensuring safe and secure payments. The payment service provider will have to carry out an assessment of the operational and security risks at stake and the measures taken on a yearly basis. PSD2 also acknowledges the need for authentication mechanisms to match the context of the payment transaction. Specifically, Article 98.3 specifies exemptions for strong customer authentication in certain scenarios including: Low value payments Outgoing payments to trusted beneficiaries Low-risk transactions based on a transaction risk analysis What is Strong Customer Authentication (SCA)? Under PSD2, PSPs will be obliged to apply Strong Customer Authentication (SCA) when a payer initiates an electronic payment transaction. The EC defines SCA as a process that validates the identity of the user of a payment service or of the payment transaction. SCA is based on the use of two or more elements: 1. Knowledge something only the user knows, e.g. a password or a PIN 2. Possession - something only the user possesses, e.g. a card or an authentication code (One-Time-Password or OTP) generating device 3. Inherence something the user is, e.g. biometric authenticator such as fingerprint, voice or eye-print PSD2 states that these elements have to be independent of each, meaning that if one element is breached or compromised then this does not compromise the reliability of the others. The design of the authentication solution must also protect the confidentiality of the authentication data or identity credentials. Goode Intelligence 2016 P a g e 3 www.goodeintelligence.com

The security requirements for remote transactions, including online payments, are even stricter and are intended to minimise the risks of mistaken or fraudulent transactions. Remote transactions require a dynamic link to the amount of the transaction and the account of the payee. Who is affected PSD2 applies to all payment service providers (PSPs), including banks, payment institutions or third party providers (TPPs) and relates to all electronic means of payment. There are exemptions to this rule and the EBA will define what these exemptions are. The EC provides an example of low value payments at the point of sale (POS) to facilitate the use of mobile and contactless payments. Timelines for Compliance The new rules will apply in all EU Member States two years after the publication of the directive, which was 23 December 2015. It came into force on 12 January 2016 and Member States will have until 13 January 2018 to implement it into national laws. In the two years from its publications, the PSD rules will be in force. 23 December 2015 PSD2 Published 13 January 2018 PSD2 has to be Implemented into national laws 12 January 2016 PSD2 comes into force Goode Intelligence 2016 P a g e 4 www.goodeintelligence.com

The impact of PSD2 XS2A on Convenient Authentication The inclusion of TPPs is important to authentication and security, in particular in its ability for customer s to differentiate between services. PSD2 aims to open up the European payments market to new entrants and to also allow third parties access to account via APIs. This is called PSD2 XS2A. Figure 1 details the changes that PSD2 XS2A will introduce by allowing TPPs access to payment account details within a bank s payment infrastructure via APIs. Figure 1: The impact of PSD2 XS2A The APIs would allow customers to perform payment functions from a variety of applications including social media and messaging platforms. This raises questions on how security, including SCA, is managed. Exactly how security and authentication is managed in terms of allowing TPPs to access bank accounts, defined as Account Information Service Providers (AS PSP) in PSD2, has still to be clarified by the EBA. What it does do is make the authentication process incredibly important from a usability perspective. This is because consumers will have more choice when performing payment functions and the decision to use one app over another could well be made on how convenient the authentication mechanism is. Goode Intelligence 2016 P a g e 5 www.goodeintelligence.com

MEETING THE NEEDS OF PSD2 WITH RSA ADAPTIVE AUTHENTICATION PSD2 requires payments services providers to implement strong customer authentication (SCA) when accessing payment accounts online, initiating electronic payments and through remote channels that have a risk of payment fraud. SCA is based on the use of the use of two or more elements that include Knowledge, Possession and Inherence and the authentication mechanism must work in a range of payment channels that include web and mobile. Figure 2: Payment Workflow with Adaptive Authentication Source: RSA Additionally, transaction details, e.g. payee and transaction amount information, need to be presented to the customer as part of the strong authentication mechanism. This has to be achieved in a manner that supports the development of user-friendly, accessible and innovative means of payment. RSA Adaptive Authentication is a risk-based authentication and fraud detection platform that provides advanced protection across both Web and mobile users. The Adaptive Authentication Mobile Module leverages RSA s proven Risk Engine which includes a mobileoptimized risk model that analyzes a variety of risk indicators, including mobile device identifiers, location and behavioral profiles, to identify fraudulent or suspicious activity. Goode Intelligence 2016 P a g e 6 www.goodeintelligence.com

Adaptive Authentication can be used to secure multiple types of payment including web and mobile (browsers, WAP browsers and mobile apps). The Adaptive Authentication Mobile SDK also supports biometrics for step-up authentication including fingerprint and EyeVerify s Eyeprint ID. These features enable RSA Adaptive Authentication to support the requirements of PSD2, including strong customer authentication, payment transaction signing and intelligent security applied to post-authentication activities. RSA Adaptive Authentication allows organizations to match the authentication experience to the context of the payment transaction. All transactions are monitored by measuring over 100 risk indicators and assigned a unique risk score. For payments that are considered to be low-risk, strong authentication is completely invisible to the end user, supporting the need for an optimized user experience. Conversely, high-risk payments would be matched against the appropriate authentication mechanism, depending on what an organization chooses. RSA Adaptive Authentication supports numerous means of step-up authentication for both Web and mobile transactions including out-of-band SMS and biometrics via fingerprint and eyeprint. RSA Adaptive Authentication works in conjunction with other products and services including RSA Web Threat Detection to enhance fraud identification and investigation across a number of financial attacks including fraudulent payments, account takeover, password guessing, and advanced malware. Tight integration with other security tools such as Web Threat Detection enable organizations to meet the tougher security demands of PSD2 allowing them to strengthen security in an integrated joined-up approach OTHER SECURITY IMPLICATIONS FROM PSD2 It is not only strong customer authentication mechanisms that are a part of PSD2, the directive has a number of other obligations that impact how an organization designs and deploys security solutions. The EBA will play an ever-more important role in defining security protocols, technical standards and policies going forward. This could include establishing a security certification programme managed by the EBA. Non-authentication security proposals include: The establishment of formal internal security frameworks to assess and report on operational matters including security issues Security Incident reporting to both regulators and customers Mandatory security assessment reporting to regulators on security measures and their effectiveness Goode Intelligence 2016 P a g e 7 www.goodeintelligence.com

The need for integrated security solutions for PSD2 compliance The directive requires that security should be integrated and not deployed in isolation to ensure that payment services are safe and secure. RSA s integrated security solutions enable organizations to meet the security requirements of PSD2, including authentication, authorization and other security aspects of the directive. This enables organizations involved in the payment industry to deploy integrated security solutions that protect both the payee and payment services infrastructure. The ability to protect major components of the PSD2 payment ecosystem in a connected way ensures that organizations fully meet the requirements of the PSD2 allowing them to significantly reduce their threat exposure. The ability to blend external threat intelligence, risk-based authentication, behavioral analytics, and ecommerce fraud detection with both payment transaction monitoring and transaction signing allows payment service providers to concentrate on the business of providing innovative and convenient payment solutions. SUMMARY This white paper explored the implications of the European Commission s Payment Services Directive II (PSD2) for authentication and security. PSD2 focuses on consumer protection, developing a framework that nurtures competition, innovation and security across the EU. The directive creates a legally binding requirement for organizations operating in the EU payments industry to deploy Strong Customer Authentication (SCA). SCA is based on the use of two or more elements: 1. Knowledge something only the user knows, e.g. a password or a PIN 2. Possession - something only the user possesses, e.g. a card or an authentication code (One-Time-Password or OTP) generating device 3. Inherence something the user is, e.g. biometric authenticator such as fingerprint, eyeprint or voice recognition PSD2 also fosters payment innovation and opens up the payment infrastructure to third party providers (TTPs) through access to account (XS2A) APIs. Authentication mechanisms that are convenient and work across all payment channels will differentiate these TTPs in what will be a very competitive environment. RSA Adaptive Authentication is a risk-based authentication and fraud detection platform that provides advanced protection across both Web and mobile users meeting the needs of PSD2 SCA and also ensuring that the business can develop user-friendly, accessible and innovative means of payment. The directive additionally aims to strengthen security across the entire payment ecosystem and recommends an integrated approach in managing security for the full payment lifecycle from pre-authentication, authentication, transaction initiation and post authentication functions. Goode Intelligence 2016 P a g e 8 www.goodeintelligence.com

RSA s integrated security capabilities allow organizations to blend external threat intelligence, risk based authentication, behavioral analytics, and ecommerce fraud detection with payment transaction monitoring to ensure they comply with all of the security requirements of PSD2. ABOUT RSA RSA provides more than 30,000 customers around the world with the essential security capabilities to protect their most valuable assets from cyber threats. With RSA s award-winning products, organizations effectively detect, investigate, and respond to advanced attacks; confirm and manage identities; and ultimately, reduce IP theft, fraud, and cybercrime. For more information, go to www.rsa.com. ABOUT GOODE INTELLIGENCE Since being founded by Alan Goode in 2007, Goode Intelligence has built up a strong reputation for providing quality research and consultancy services in mobile security, identity and biometrics. For more information on this or any other research please visit www.goodeintelligence.com. This document is the copyright of Goode Intelligence and may not be reproduced, distributed, archived, or transmitted in any form or by any means without prior written consent by Goode Intelligence. Goode Intelligence 2016 P a g e 9 www.goodeintelligence.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback