PSD2 and Strong Customer Authentication

On 14 September 2019, the regulatory technical standards that implement the EU PSD2 (Payment Services Directive 2) became applicable, bringing new requirements for online payments, including:

  • Increased consumer protection through strong customer authentication

  • A secure infrastructure through which third-party providers (TPPs) can access payment accounts

Strong customer authentication (SCA)

PSD2 tightens both the authentication of customers and the security measures around payment accounts. SCA means not only that the user is identified as the bank's customer, but also that the substance of the customer's declaration of intent is verified: the authorization is dynamically linked to the specific payment instruction (amount and payee) the customer wants to execute, so that an authorization code generated for one payment cannot be reused for another or for a payment whose details have been altered in transit. With strong customer authentication, payment account holders are authenticated with at least two independent factors from the following categories:
  • Something only the customer knows, such as a password or PIN,
  • Something only the customer possesses, such as a digipass (hardware token),
  • Something the customer is, such as a fingerprint.
DHB Bank payment account customers already use two-factor authentication. In line with the PSD2 requirements on strong customer authentication, the bank has further enhanced the measures around the use of the digipass to comply with the directive. DHB Bank's customers may continue using Netbanking as usual without any change on their side.
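The dynamic linking described above, as an added illustration that is not DHB Bank's or any vendor's code: a token-style authorization code is computed with HMAC-SHA256 over the payee IBAN, the amount and a bank-issued challenge, after a PIN (the knowledge factor) unlocks the per-device key (the possession factor). The bank recomputes the code from the instruction it is actually about to execute, so a changed amount or payee, or a replayed challenge, fails verification. The key, PIN, challenge and IBANs are constructed sample values; the 8-digit truncation and the payload encoding are assumptions, not the format of any real digipass.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample secrets; a real token key and PIN are provisioned per device.
DEVICE_KEY = bytes.fromhex("00" * 16 + "ff" * 16)
PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4711", PIN_SALT, 100_000)


@dataclass(frozen=True)
class PaymentInstruction:
    payee_iban: str
    amount_cents: int
    currency: str


def canonical_payload(instr: PaymentInstruction, challenge: str) -> bytes:
    """Deterministic encoding of exactly what the customer is approving.

    Payee, amount and the bank-issued challenge are all bound into the code;
    that binding is what "dynamic linking" means in practice.
    """
    return f"{instr.payee_iban}|{instr.amount_cents}|{instr.currency}|{challenge}".encode()


def truncate_to_code(mac: bytes) -> str:
    """Shorten the MAC to an 8-digit code a customer can type (assumed format)."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def pin_ok(pin: str) -> bool:
    """Knowledge factor: the token computes a code only after the PIN verifies."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
    return hmac.compare_digest(candidate, PIN_HASH)


def generate_code(device_key: bytes, pin: str, instr: PaymentInstruction,
                  challenge: str) -> Optional[str]:
    """Token side (possession factor): HMAC with the per-device key over the linked payload.

    Returns the code the customer enters in Netbanking, or None if the PIN is wrong.
    """
    if not pin_ok(pin):
        return None
    mac = hmac.new(device_key, canonical_payload(instr, challenge), hashlib.sha256).digest()
    return truncate_to_code(mac)


def verify_code(device_key: bytes, instr: PaymentInstruction, challenge: str, code: str) -> bool:
    """Bank side: recompute the code from the instruction that will actually be executed."""
    mac = hmac.new(device_key, canonical_payload(instr, challenge), hashlib.sha256).digest()
    return hmac.compare_digest(truncate_to_code(mac), code)


def demo() -> dict:
    """Show that the code is bound to PIN, amount, payee and challenge."""
    challenge = "5f2c9a1e"  # constructed bank-issued nonce, unique per transaction
    original = PaymentInstruction("NL91ABNA0417164300", 12550, "EUR")  # EUR 125.50
    code = generate_code(DEVICE_KEY, "4711", original, challenge)
    tampered_amount = PaymentInstruction("NL91ABNA0417164300", 125500, "EUR")  # EUR 1255.00
    tampered_payee = PaymentInstruction("DE89370400440532013000", 12550, "EUR")
    return {
        "wrong_pin_blocked": generate_code(DEVICE_KEY, "0000", original, challenge) is None,
        "original_accepted": verify_code(DEVICE_KEY, original, challenge, code),
        "amount_tamper_rejected": not verify_code(DEVICE_KEY, tampered_amount, challenge, code),
        "payee_tamper_rejected": not verify_code(DEVICE_KEY, tampered_payee, challenge, code),
        "replay_rejected": not verify_code(DEVICE_KEY, original, "a7d03b44", code),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The point a practitioner should take from this is that a code computed over the challenge alone (classic OTP) would still verify after a man-in-the-browser changed the amount or payee; binding those fields into the MAC is what makes the authorization non-transferable.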

Third-party providers (TPPs)

PSD2 regulates access to payment account data by third parties; such access requires the prior authorization of the customer concerned. Banks must provide these third-party providers (TPPs) with a technical interface (API) through which they can access the required data. TPPs are subject to the supervision and control of the national supervisory authorities in the EU member states.

How does access by a third-party provider (TPP) work?

First, a bank must operate an infrastructure for TPPs. Second, a TPP must be onboarded to the bank's PSD2 infrastructure; only then can customers use the TPP to reach their account information. The customer's consent is a prerequisite for a TPP to perform any task on their behalf, and each of the following tasks requires a separate consent from the customer:
  • TPPs can see the customer's account information, including:
    • Name of the account holder
    • IBAN of the account
    • Balance of the account
    • Transaction history of the account
  • TPPs can check whether a specific amount is available on a specific account (a yes/no confirmation of funds, without the balance itself)
  • TPPs can initiate a payment on behalf of the customer