Understanding the Points of Differentiation Between PSD and PSD2

Transcription

1 ABSTRACT The use of biometric authentication to combat fraud and improve the authentication experience for users is widely understood by banks and payment system providers. But, in light of the recent directives around the PSD2 regulation, is there more value in biometrics for banks than meets the eye? Biometrics and PSD2 Copyright AimBrain Solutions Ltd. All rights reserved.

2 Executive Summary The use of biometric authentication to combat fraud and improve the authentication experience for users is widely understood by banks and payment system providers. But, in light of the recent directives around the PSD2 regulation, is there more value in biometrics for banks than meets the eye? As banks and payment providers work towards implementing PSD2, many are asking whether or not biometric authentication can perhaps help address the ever-growing challenge of complying with these regulations. This whitepaper will look to answer these questions and examine the new PSD2 directive on payment services and provide practical implementation advice. Understanding the History of PSD2 Before we look at the issues and how we can overcome them, we need to understand PSD2 and how it is going to change the payments landscape. In 2007, a Directive on Payment Services (PSD) was adopted to create a single market for payments within the European Union. Rules were created along with guidelines for modernising payment processing across Europe with the key aim of simplification. The latest version of the directive remains true to this objective of ease and simplification. It continues to clearly emphasize two key goals one, promote competition from new market entrants and two, reduce costs. While the original PSD achieved good progress towards this, continuous feedback from the market was that it still did not create a level playing field for market participants. As a result, an updated directive, Directive on Payment Services 2 (or PSD2) was proposed in Three years later, on January 12 th 2016, PSD2 came into force and will be implemented into national law of member states by 13 th January (*Note that the impact a Brexit will have on PSD2 will be the subject of another whitepaper in this series.) Why PSD2? So now that the directive is enforced, let s understand in-depth what PSD2 is trying to achieve: Improved consumer protections through strong customer authentication or through the use of a risk-based approach to authentication Standardised, integrated, and overall improved payment efficiency in the European Union Promotion of innovation in the payment space Cost reduction in the payment space Improved clarity on the use of mobile payments and other emerging payment methods Ease-of-entry for new payment service providers (referred to as third party providers, TPPs) through enabling new services: Payment Initiation Services (PIS) and Account Information Services (AIS) Harmonised pricing and improved security of payment processing across the European Union Incorporation of new and emerging payment services into the regulation Understanding the Points of Differentiation Between PSD and PSD2 To understand the changes from PSD to PSD2, let s look at one key practical difference. Today, when a consumer purchases online, they must enter details onto a merchant s website. The retailer receives the money via a number of intermediaries. Under PSD2, the retailer will be able to ask the consumer Copyright AimBrain Solutions Ltd. All rights reserved. P a g e 1

3 aka Payment Service User (PSU) for permission to use their bank details. The PSU will then be required to authenticate with his/her bank or the Account Servicing Payment Service Provider (ASPSP) using multifactor authentication. Once authenticated, and successfully authorised, the retailer will receive the payment directly from PSUs bank thus making the use of an intermediary (schemes and acquirers) no longer necessary. How does this happen? To start, the retailer can now connect directly to the bank using an Application Programming Interface (API). In payment IT terms the availability of this API means that companies can connect to banks directly. Clearly, there is going to be a wave of new Fintech companies that can now provide services that they had previously not been able to. This is where PIS and AIS providers have the opportunity to really innovate and change the payment landscape. In today s environment, if you have multiple bank relationships you need to get details (such as a balance) from each bank separately. PSD2 simplifies this by enabling you to view all of your bank details on one single portal by introducing Account Information Service Providers (AISP s). AISP s will provide the Payment Service User (PSU) with aggregated online information on one or more payment accounts held with one or more other payment service providers and accessed via online interfaces of the account servicing payment service provider (ASPSP). The PSU is thus able to have an overall view of his/her financial situation immediately and at any given moment. So What About Biometric Authentication? With PSD2 comes a host of new consumer protections. These protections range from new refund rights around direct debits to limiting credit card charges to enhanced fraud protections. It also adds the need for stronger customer authentication. Enter biometric authentication. Going forward, PSPs are required to apply "strong customer authentication" measures when a PSU initiates "an electronic payment transaction". What does stronger customer authentication mean? Put simply, it means that a Payment Service Provider (PSP) should now be confident that the Payment Service User (PSU) is truly and accurately who the PSUs says they are. To ensure that this happens, PSD2 has tightened up the authentication rules significantly. From an official regulatory perspective, Stronger Customer Authentication is defined by the Commission as "a procedure for the validation of the identification of a natural or legal person based on the use of two or more elements categorised as knowledge, possession and inherence that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data". In practical payment speak, this means multi-factor authentication. Let s now look more closely at the words knowledge, possession, and inherence: Knowledge o This is something only a user will know such as a PIN Possession o This is something only the user possesses such as a token Copyright AimBrain Solutions Ltd. All rights reserved. P a g e 2

4 Inherence o This is something that only the user is such as a biometric Before we examine the practical implementation and opportunities that this part of the regulation presents, we need to understand how important it is for banks to comply with the multi-factor authentication. To do this, let s discuss what will happen to a bank if it fails to implement the Stronger Authentication for Payments aspect of PSD2. Any bank that fails to apply the Strong Authentication for Payments cannot require payers to "bear any financial consequences" unless the payer has acted fraudulently. Additionally, a PSP would be required to compensate other PSPs or even intermediaries of the PSP "for any losses incurred or sums paid" by those other businesses as a result of their failure to apply strong customer authentication. Clearly this is very important and there is even more to it. Third party PSPs that initiate payment transactions are also required to ensure they apply Strong Customer Authentication. As per PSD2, third parties should be free "to rely on the authentication methods" of ASPSPs "when acting on behalf of the payment service user". In terms of practical implementation, it is most likely that banks will rely on the knowledge factor option such as a PIN but could decide to choose between possession and inherence as the second factor of authentication. This is where we need to turn our attention to the consumer or PSU and how PSP s will need to offer consumer-friendly solutions in order to win and retain market share. It is our opinion that relying on possession as the second factor of authentication will not the preferred option. While a possession-focused solution would be technologically strong it may not provide the level of accuracy required to achieve Stronger Authentication. Possession-focused solutions have been known to have more points failure and may be more susceptible to fraud attacks. Additionally, a possession-focused solution is not particularly consumerfriendly, potentially sacrificing market share and competitive advantages for the PSP. As an alternative, many banks are looking into inherence options to address the second factor of authentication. One such option is biometrics. Why? Because quite simply, it is much more difficult to fraud a biometric device than it is to steal something in a user s possession. Using inherence as that second factor caters to both security requirements and the user experience priorities of PSPs giving them the best of both worlds so to speak. Furthermore, with mobile devices becoming more prominent in the consumer s daily life and smartphones an extension of their social and digital identity, it is important to consider the impact of a user- unfriendly experience. Copyright AimBrain Solutions Ltd. All rights reserved. P a g e 3

5 Biometric Authentication is consumer-friendly. It works in real-time and is extremely easy for banks to implement. It provides banks with better user experience capabilities and better risk management. Additionally, and very importantly, it addresses the requirements for Stronger Authentication through more accurate validation. Biometric technology makes identity fraud less likely. This means that banks can save time and money and at the same fight fraud. While a future whitepaper will discuss the strengths and weaknesses of biometrics in more detail, banks have already begun to actively look at and evaluate behavioural-specific biometrics for authentication as the way to comply with PSD2. Why? Because behavioural authentication provides the necessary balance between security and a positive customer experience. By being able to assess the customer s behaviour, banks/aspsps are able to assess the level of risk and subsequently, the level of authentication required for the specific scenario. This benefit and capability is extremely important because per PSD2, PSPs can be exempted from applying strong customer authentication when the associated risk is low. Also, because behavioural authentication runs in the background it is invisible to users. It does not infringe the customer journey and therefore does not sacrifice the quality of the user experience all while providing rigorous customer authentication. Banks using inherence (specifically behavioural biometrics) as their second authentication factor, importantly have somewhere to go. They have the ability to incorporate another layer of security into their authentication protocol if a high-risk is identified during the process. Rather than declining the user, they can step-up their authentication in these high-risk scenarios identified by behavioural biometrics by deciding to use possession as a third factor of authentication. Adding this additional layer helps to prevent a negative customer journey. How Does It Work? The Behavioural Biometric Use Case 1. User enters a mobile payment app and enters a PIN (Knowledge factor, tick). 2. Behavioural Authentication provides the bank with a session score so the bank knows whether the user really is who they say they are (Inherence factor, tick). 3. Behavioural Authentication Session Score is sent to the bank all the time the user is in the app important as the Strong Customer Authentication needs to be at the point of payment (Inherence factor tick). Copyright AimBrain Solutions Ltd. All rights reserved. P a g e 4

6 Summary In summary, there are a few key points to keep in mind when working towards implementing PSD2 compliance practices: Banks/ASPSPs will need to make significant changes to align with PSD2. Public APIs will need to be opened to PIS and AIS players Multi-factor authentication will need to be incorporated to ensure strong customer authentication. Security credentials will need to align with at least two of the three option: i) Knowledge ii) Possession and iii) Inherence It is assumed that Knowledge will be one of the factors used for authentication Low risk transactions can be exempted from strong customer authentication Inherence provides a stronger authentication and better customer journey Biometrics and Behavioural pattern helps assess the risk which can drive the need for multifactor authentication About the Author, AimBrain AimBrain, a next-generation biometrics engineering company, helps financial institutions easily, securely, and accurately authenticate their mobile banking users. Using a patent-pending, context-based step-up authentication methodology, AimBrain is helping some of the world s largest financial institutions know if their users really are who they say they are. AimBrain delivers advanced biometrics technology to banks so they can stay ahead of mobile fraud through a secure and frictionless authentication experience. Supported by Episode1, a leading UK venture capitalist, AimBrain is largely recognised for their potential to revolutionise the world of money and has been named as a 2016 FinTech50 finalist. Contributors Andrew McFarlane and Anshuman Bhardwaj from Accenture. Copyright AimBrain Solutions Ltd. All rights reserved. P a g e 5