In 2018, PSD2, the revised Payment Services Directive, will be implemented, and it will change banking as we know it. Banks and payment services will be required to comply with new legislation which aims to improve innovation, reinforce consumer protection, and improve the security of internet payments and account access within the EU and EEA.
What is PSD2?
The Payment Services Directive is an EU Directive, administered by the European Banking Authority to regulate payment services and providers. The directive’s purpose is to provide a level playing field by harmonising consumer protection as well as the rights and obligations of payment providers and users. The new requirements are designed to open access to banking customers, both consumers and businesses, through third-party providers and open APIs.
Security and flexibility will be key to the success of AIS (Account Information Service) and PIS (Payment Initiation Service) providers. It is important that payments are secure, but in such a way that innovation is not fettered as a result. As licensed entities, the third parties will need to comply with PSD2 requirements, which include requirements for customer authentication and secure communications.
For banks, PSD2 poses a substantial economic challenge. Costs are expected to escalate due to new security requirements, a change in customer expectations, and increased digitalisation. Old infrastructure models will need to make way for new technological advances to bring banking up to speed. With consumers becoming more digital and mobile, there is a demand for services to be faster, more personalised, easy and accessible. Companies such as PayPal have leveraged this expectation and are excelling in the service they provide compared to the traditional bank. Now it is time for banking to rise up and accept the challenge ahead.
MIRACL’s PSD2 Survey
We surveyed officers, directors, security specialists and analysts at the top 70 European banks to gauge where they stand so far with implementing the strong authentication requirements of PSD2. Here are the results…
Question 1: Are you ready for the PSD2 Authentication Requirement?
PSD2 is coming and will be part of the national legislation across 28 EU countries. But how ready are the banks for this deadline?
Just over 60% of banks in our survey confirm they will be ready by the 2018 PSD2 deadline. Where does that leave the rest? A confident 10% say they already comply with PSD2, which leaves the remaining third (27%) admitting they will not be ready to comply with the PSD2 regulation for strong authentication.
Question 2: What is your approach to complying with the PSD2 Authentication Requirement?
The PSD2 directive has strong customer authentication at the center of its technical security standards to enable payment services in Europe. Countries will need to ensure that payment service providers implement strong customer authentication where the payer (a) accesses the payment account online, (b) initiates an electronic payment or (c) carries out any action through a remote channel which may result in the risk of payment fraud. Therefore deciding on a method for compliance was the next question asked:
We can see from the survey results that there is almost an even split in how banks are choosing to comply with the strong authentication initiative: purchasing a solution from a third-party provider (29.2%) or building a solution themselves in-house (37.5%), with a slight preference towards the latter option. Rather worryingly, an exact third of the companies we surveyed (33.3%) still have not decided what to do. With under a year until the deadline hits, this really is something that should be seriously considered now.
Question 3: Who is leading the authentication requirement?
The key decisions arising from PSD2 need to be handled and managed well. This is the chance for banks to take ownership of initiating some comparable advantages. We asked who was leading the authentication requirement within each financial services organization.
Even though PSD2 may seem quite technical in the nature of the technology required, is it really the responsibility of the IT department? Again, our banking audience seemed to be almost evenly split. 27% had given their executive leadership team the responsibility, while 33% had assigned responsibility to a business manager, and the slight majority had given their internal IT department the task of getting strong authentication ready.
What we have learnt from our PSD2 Strong Authentication survey
Based on the feedback from the officers, directors, security specialists and analysts at the top 70 European banks we surveyed, we can identify the following trends for PSD2 strong authentication.
- The majority of banks (around 73%) feel they will be ready for PSD2 by the time the deadline hits, although this leaves 30% of banks still in the dark about what to do.
- The majority of banks (around 66%) have decided how to move forward with complying with PSD2, whether through an internal or external solution for two-factor authentication. This again leaves 33% of banks unsure of what they are going to do next.
- And finally, this responsibility does not seem to sit with any one preferred person or team. From business managers to specialist teams to the trusty IT department, the banks we surveyed showed a split preference for PSD2 management.
A new solution for Strong Authentication which complies with PSD2
Luckily there are solutions such as MIRACL Trust® which can be quickly and easily implemented and administered to deliver the “strong authentication” required for PSD2. MIRACL Trust® is a cloud-based service that provides secure, multi-factor authentication to employees, partners, and external users without sending authentication credentials across the web for storage in the cloud in whole form.
MIRACL Trust® is delivered as a service, and completely eliminates risk of password database breach while providing stronger security than any competitive 2FA software or hardware solution. MIRACL Trust® improves the user login experience with an easy 4-digit PIN which replaces passwords for web and mobile applications, as well as being extendable to additional types of identity factors.
Tech City Bank (TCB) is an example of how a financial services organization can integrate MIRACL Trust® multi-factor authentication into their existing mobile and web applications while meeting the “strong authentication” requirement for PSD2. It provides an end-user scenario for downloading, activating and using MIRACL Trust® to securely authenticate both into a mobile application and into a web application (from the mobile app).
Note that the Tech City Bank demo site allows anyone to register and log in. In a real-world scenario, such a site would typically also perform a user authorization process prior to online registration, and would then only allow known users to log in.
What you need to run the TCB demo:
- A smartphone (to run an Android or iPhone app)
- A computer (to open a web page with a browser)
- A working email address
- Five minutes