Strong Customer Authentication for PSD2
What Payment Service Providers should know
The revised European Payment Services Directive (PSD2) requires Strong Customer Authentication (SCA) to strengthen transaction security and the protection of sensitive payment data. PSD2 mandates the European Banking Authority (EBA) to develop draft Regulatory Technical Standards (RTS) specifying the requirements of Strong Customer Authentication and the exemptions to it.
What is strong customer authentication under PSD2?
To perform Strong Customer Authentication, PSD2 requires the use of at least two independent elements taken from the following categories:
Knowledge: something only the user knows (PIN, password…)
Possession: something only the user has (token, mobile, card…)
Inherence: something the user is (fingerprint, facial recognition…)
The elements must be independent, so that the compromise of one does not compromise the others.
PSD2 further requires dynamic linking: the authentication code generated for a payment must be specific to the transaction amount and the payee agreed by the payer, so that any change to either of them invalidates the code.
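The following is an added example, not code from the page or from Morpho, showing one way to implement the dynamic linking described above. A device key provisioned at enrolment stands in for the possession factor (gating its use behind a PIN or biometric, the second factor, is left out). The device computes an HMAC over the amount, currency, payee and a single-use nonce issued by the bank, truncated to an 8-digit code the payer could also type in. The bank verifies the code against the transaction it is about to execute, so a payee or amount altered in transit no longer matches, and a nonce that has already been used, or has seen too many failed attempts, is rejected. The class and function names, the field layout and the sample IBANs are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


def canonical_transaction(amount_cents: int, currency: str, payee: str, nonce: str) -> bytes:
    """Fixed field order and separator so device and bank MAC exactly the same bytes."""
    return f"{amount_cents}|{currency}|{payee}|{nonce}".encode()


def generate_auth_code(device_key: bytes, amount_cents: int, currency: str, payee: str, nonce: str) -> str:
    """Authentication code bound to amount and payee (dynamic linking).

    HMAC-SHA256 over the canonical transaction, then dynamic truncation in the
    style of RFC 4226 to an 8-digit code that can be displayed or typed.
    """
    mac = hmac.new(device_key, canonical_transaction(amount_cents, currency, payee, nonce), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10**8:08d}"


class Bank:
    """Hypothetical ASPSP side: holds device keys and outstanding nonces."""

    MAX_ATTEMPTS = 3

    def __init__(self) -> None:
        self._device_keys: dict[str, bytes] = {}
        self._pending: dict[str, list] = {}  # nonce -> [device_id, failed_attempts]

    def enrol(self, device_id: str, device_key: bytes) -> None:
        self._device_keys[device_id] = device_key

    def start_transaction(self, device_id: str) -> str:
        """Issue a fresh nonce; the device will MAC the transaction it shows the payer."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = [device_id, 0]
        return nonce

    def verify(self, device_id: str, nonce: str, amount_cents: int, currency: str, payee: str, code: str) -> bool:
        """Verify the code against the transaction the bank is about to execute."""
        entry = self._pending.get(nonce)
        if entry is None or entry[0] != device_id:
            return False  # unknown, already consumed, or issued to another device
        expected = generate_auth_code(self._device_keys[device_id], amount_cents, currency, payee, nonce)
        ok = hmac.compare_digest(expected.encode(), code.encode())
        if not ok:
            entry[1] += 1
        if ok or entry[1] >= self.MAX_ATTEMPTS:
            del self._pending[nonce]  # single use; also burnt after repeated failures
        return ok


def demo() -> tuple:
    """Constructed scenario: payer approves 49.99 EUR to one IBAN, attacker swaps the payee."""
    bank = Bank()
    device_key = secrets.token_bytes(32)  # provisioned at enrolment; stands for the possession factor
    bank.enrol("phone-1", device_key)
    nonce = bank.start_transaction("phone-1")
    approved_payee = "DE89370400440532013000"  # constructed sample IBAN
    code = generate_auth_code(device_key, 4999, "EUR", approved_payee, nonce)

    # Man-in-the-middle changed the payee after the payer approved the transaction.
    tampered = bank.verify("phone-1", nonce, 4999, "EUR", "GB29NWBK60161331926819", code)
    # The untouched order verifies.
    genuine = bank.verify("phone-1", nonce, 4999, "EUR", approved_payee, code)
    # Replaying the same code and nonce is refused.
    replay = bank.verify("phone-1", nonce, 4999, "EUR", approved_payee, code)
    return tampered, genuine, replay


if __name__ == "__main__":
    print(demo())  # (False, True, False)
```

The amount and payee must be rendered to the payer exactly as they enter the MAC; if the app displays one value and MACs another, the linking gives no protection. The `compare_digest` call avoids leaking the expected code through timing, and the attempt counter keeps an 8-digit code from being brute-forced online.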
When is strong customer authentication mandatory?
Regardless of whether the operation or transaction is initiated through a Payment Initiation Service Provider (PISP), an Account Information Service Provider (AISP), or the Account Servicing Payment Service Provider (ASPSP) itself, Strong Customer Authentication applies unless one of the designated exemptions is met, as in the following examples:
When accessing the account balance online, unless Strong Customer Authentication was performed less than 90 days ago
For a contactless electronic payment transaction, unless the amount is below EUR 50 and the cumulative amount since the last Strong Customer Authentication is below EUR 150
For an online (remote) electronic payment transaction, unless the amount is below EUR 30 and the cumulative amount since the last Strong Customer Authentication is below EUR 150
When creating or modifying the list of trusted beneficiaries; subsequent payments to a beneficiary on that list may then be exempted
When setting up a recurring transaction (same payee, same amount); the subsequent transactions of the series may then be exempted
When initiating any credit transfer, unless it is between accounts held by the same person at the same ASPSP
When real-time Transaction Risk Analysis (TRA) is performed by the PSP, the exemption threshold can be raised to higher amounts, provided the fraud rate measured by the PSP does not exceed the reference fraud rate given in the RTS Exemption Threshold Value (ETV) table for the payment method considered. A priori fraud risk modelling, permanent fraud monitoring and quarterly reporting by the PSP are mandatory. In any case, the PSP must establish that the risk of the transaction is actually low before bypassing Strong Customer Authentication, with measures such as verifying that the payer's spending, behavioural pattern and location are normal, and that the payee's location is not flagged as high risk.
Strong Customer Authentication is applicable both to consumers and corporate payments.
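The exemptions above only work if the PSP keeps state per payer: the date of the last Strong Customer Authentication, the cumulative amount spent since then, the trusted beneficiaries and the recurring series set up under SCA. The following is an added example, not code from the page or from Morpho, of a small decision function over that state. The thresholds are the ones stated on this page and are treated as inclusive upper bounds ("does not exceed"), as in the RTS wording; the event names, the one-counter-per-channel layout and the reset of the counters whenever SCA is performed are assumptions of this example, and TRA is deliberately left out because its inputs are PSP-specific.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Thresholds as stated on this page (amounts in euro cents). In production these
# are configuration loaded from the regulation in force, not constants in code.
CONTACTLESS_PER_TX = 50_00
REMOTE_PER_TX = 30_00
CUMULATIVE_LIMIT = 150_00
BALANCE_ACCESS_WINDOW = timedelta(days=90)


@dataclass
class PayerState:
    """Hypothetical per-payer state kept by the PSP."""
    last_sca: Optional[datetime] = None
    cumulative: dict = field(default_factory=lambda: {"contactless": 0, "remote": 0})
    trusted_beneficiaries: set = field(default_factory=set)
    recurring_series: set = field(default_factory=set)  # (payee, amount) pairs set up under SCA


@dataclass
class Event:
    kind: str              # "balance", "contactless", "remote", "credit_transfer", "trusted_list_change"
    amount: int = 0        # euro cents
    payee: str = ""
    same_owner_same_aspsp: bool = False
    start_recurring: bool = False  # first transaction of a (payee, amount) series


def sca_required(state: PayerState, ev: Event, now: datetime) -> Tuple[bool, str]:
    """Decide whether SCA must be applied to this event; returns (required, reason)."""
    if ev.kind == "balance":
        if state.last_sca is not None and now - state.last_sca < BALANCE_ACCESS_WINDOW:
            return False, "balance: SCA performed within the last 90 days"
        return True, "balance: no SCA within the last 90 days"
    if ev.kind in ("contactless", "remote"):
        per_tx = CONTACTLESS_PER_TX if ev.kind == "contactless" else REMOTE_PER_TX
        if ev.amount <= per_tx and state.cumulative[ev.kind] + ev.amount <= CUMULATIVE_LIMIT:
            return False, f"{ev.kind}: low-value exemption"
        return True, f"{ev.kind}: per-transaction or cumulative limit reached"
    if ev.kind == "credit_transfer":
        if ev.same_owner_same_aspsp:
            return False, "credit transfer: between own accounts at the same ASPSP"
        if ev.start_recurring:
            return True, "credit transfer: first transaction of a recurring series"
        if ev.payee in state.trusted_beneficiaries:
            return False, "credit transfer: trusted beneficiary"
        if (ev.payee, ev.amount) in state.recurring_series:
            return False, "credit transfer: subsequent transaction of a recurring series"
        return True, "credit transfer"
    if ev.kind == "trusted_list_change":
        return True, "trusted beneficiaries list change"
    raise ValueError(f"unknown event kind {ev.kind!r}")


def record(state: PayerState, ev: Event, now: datetime, sca_performed: bool) -> None:
    """Update payer state after the event was executed (with or without SCA)."""
    if sca_performed:
        state.last_sca = now
        state.cumulative = {"contactless": 0, "remote": 0}  # assumption: any SCA resets both counters
        if ev.kind == "trusted_list_change":
            state.trusted_beneficiaries.add(ev.payee)
        if ev.kind == "credit_transfer" and ev.start_recurring:
            state.recurring_series.add((ev.payee, ev.amount))
    elif ev.kind in ("contactless", "remote"):
        state.cumulative[ev.kind] += ev.amount


def run_scenario() -> list:
    """Constructed scenario: six remote payments of 29.99 EUR, then a balance check."""
    state = PayerState()
    t0 = datetime(2018, 1, 15, 9, 0)
    decisions = []
    for i in range(6):
        ev = Event("remote", amount=29_99, payee="merchant-1")
        required, _ = sca_required(state, ev, t0 + timedelta(minutes=i))
        record(state, ev, t0 + timedelta(minutes=i), sca_performed=required)
        decisions.append(required)
    # Balance check one day later: SCA happened on the sixth payment, so it is exempt.
    decisions.append(sca_required(state, Event("balance"), t0 + timedelta(days=1))[0])
    return decisions


if __name__ == "__main__":
    print(run_scenario())  # [False, False, False, False, False, True, False]
```

The counters in `record` are only meaningful if every exempted transaction is recorded before the next decision is taken; a PSP that evaluates exemptions on several nodes needs the counters in shared, atomically updated storage, or the cumulative limit can be exceeded by racing transactions.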
What are the key dates?
- PSD2 enters into force
- The final draft of the RTS on Strong Customer Authentication is published
- Deadline for Member States to transpose PSD2 into national law
- 18 months after its publication in the Official Journal, the Strong Customer Authentication RTS becomes mandatory
PSD2 Strong Customer Authentication Compliance by Morpho
Mobile-centric, secure and convenient
Morpho provides several solutions that comply with the PSD2 Strong Customer Authentication requirements: they provide multi-factor authentication, building on Morpho's recognized experience in biometrics, ensure dynamic linking through authentication codes or digital signatures, and protect the personalised security credentials by design.
CloudCard+ for authentication
CloudCard+ from Morpho is a new generation solution for Strong Customer Authentication.
With CloudCard+, the mobile banking application provides PSD2 compliance seamlessly, performing Strong Customer Authentication when required with at least two of the following independent factors:
- Possession factor: the mobile device itself
- Knowledge factor: the mobile banking PIN code
- Inherence factor: the user's face or fingerprint
CloudCard+ is currently undergoing CSPN (first-level security certification) by ANSSI, the French National Cybersecurity Agency.
AIRPASS Mobile CVV for mobile payment
AIRPASS Mobile CVV is a mobile solution generating dynamic single-use payment tokens to secure online card payment and increase customer convenience and confidence.
The user authenticates by entering a PIN or taking a selfie (facial recognition), and the mobile then displays a single-use PAN and CVV that can be used on any merchant site, and can even replace 3D Secure without any impact on the merchant.
AIRPASS was the first solution on the market to be certified by Visa and Mastercard, both for functionality and for security. This level of security is ensured in particular by our White Box Cryptographic component, which diversifies the algorithm per device and ensures secure storage of the cryptographic tokens on the mobile.
Morpho DTP and Morpho CloudCard+ for digital signature
Electronic signature is recognized by the RTS as a way to provide Strong Customer Authentication. Morpho proposes several advanced and qualified electronic signature solutions that not only address the PSD2 Strong Customer Authentication requirements but also provide non-repudiation, which may be a requirement for high-value transactions.
Morpho has a long experience in securing cash-management B2B transactions on multiple channels (SWIFTNet/FileAct, EBICS…), relying on its widely deployed electronic signature solutions:
- Morpho DTP, certified CSPN by ANSSI, using CloudCard+ as the two-factor authentication solution, or a legacy USB token or smart card as the strong authentication factor
- Morpho CloudCard+, which also natively provides advanced and qualified electronic signature capability for users holding digital certificates, without the need for legacy USB cryptographic tokens or smart cards.