PSD2 XS2A: What you need to know about the Discussion Paper of the European Banking Authority
|Berichtdatum||10 december 2015|
Artikel van Innopay, door Mounaim Cortet en Vincent Jansen
Following the adoption of the revised Payments Services Directive (PSD2) by the Council on 16 November 2015, the European Banking Authority (EBA) has published its long anticipated Discussion Paper on ‘strong customer authentication  and secure communication’ on 8 December.
The Regulatory Technical Standards (RTS) on strong customer authentication and secure communication, on which the EBA has issued the Discussion Paper, are key to achieving the PSD2 objectives of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.
In this blog Innopay’s PSD2 experts will discuss the rationale of the Discussion Paper on RTS, frame the security challenges that emerge from enabling third party access to payment accounts for Payment Initiation and Account Information Services (‘XS2A’) and conclude by defining the main challenges the EBA will encounter during its challenging task of developing the RTS. For this purpose the authors also draw on their experience as expert advisor and facilitator of the Open Transaction Alliance (OTA) .
Why this Discussion Paper by the EBA?
EBA should, when developing this challenging RTS, ensure that it consults all relevant stakeholders, including those in the payment services market, reflecting all interests involved. If necessary for getting a proper balance of views, EBA should make a particular effort to obtain the views of relevant non-bank actors.
The content of the RTS on strong customer authentication and secure communication, which the EBA will be developing in close cooperation with the European Central Bank (ECB), will specify requirements for:
Strong customer authentication will apply to:
In essence, core to the RTS will be the development of adequate measures to address security challenges that emerge from enabling third party access to payment accounts for Payment Initiation and Account Information Services (‘XS2A’).
Framing the XS2A security challenge: what problem are we actually trying to solve?
Figure 1: framing the XS2A security and authentication challenge
The RTS on strong customer authentication and secure communication are supposed to address the relationships between actors involved in a transaction and related security components.
Different market actors (third parties, AS PSPs) will wish to employ different security technologies (static/dynamic, classical/emerging, risk-dependent, device fingerprinting, etc.). Merchants will freely choose those actors that best serve their needs. In any scenario authentication options will have to comply with the EBA’s RTS, but in the end it all comes down to what information the AS PSP will receive to base its approval upon.
EBA’s main challenges during the RTS development process
The stringent PSD2 requirements for strong customer authentication will make authentication a key (strategic) focus for banks, payment initiation and account information service providers, but also for merchants and consumers in Europe. The aim of PSD2 is to reduce fraud in online transactions with strong customer authentication, or, alternatively, a risk-based approach to authentication as long as this is effective in managing fraud. Put differently, a fine balance should be found between security and fraud prevention on the one hand and the convenience of payment initiation and account information services on the other hand. The focus should be on providing customers innovative, safe, simple and consistent consumer experiences in the digital context by balancing these needs taking into account the specific use case (i.e. payment initiation or account information).
Understanding the strategic implications of PSD2 XS2A and the more stringent security measures can be a challenging task. Contact us to discuss the implications for your organization.
Rapport: Cryptocurrencies (zoals de Bitcoin) [23-03-2015]
Onderzoek 4-partijenmodel eFacturatie [27-04-2012]