PSD2: Why Security Practices Now Matter to Payment Standards

September will see the introduction of a directive for payment standards and security, but how ready is the world for PSD2? Dan Raywood investigates.

Mid-September will see the final introduction of a directive for the regulation of payment services and payment service providers. The original Payment Services Directive (PSD) became legislation for all EU and EEA member states in 2007; its successor, PSD2, was proposed by the European Commission in 2013 and adopted in 2015. The new rules are intended to better protect consumers when they make payments and to promote the development and use of innovative online and mobile payments.

According to a statement published in October 2015 by the European Commission: “This legislation is a step towards a digital single market; it will benefit consumers and businesses, and help the economy grow.” 


The Current State of Compliance
PSD2 was adopted in November 2015, has applied across the EU since January 2018, and comes into full effect on September 14 2019. That date is the final deadline for all companies within the EU to comply with PSD2’s Regulatory Technical Standard (RTS) on strong customer authentication and common and secure communication. The RTS was drafted by the European Banking Authority (EBA) to raise security protection levels and curb the escalating amount of financial fraud.

Mark McMurtrie, director at Payments Consultancy Ltd, explains that the intention of the PSD2 is to “harmonize payments across European markets” as well as level the playing field for FinTech companies to compete with banks.

PSD2 also introduces the concept of open banking: consumers can move more easily between banks, UK-regulated banks must share financial data with authorized third-party providers, and established banks must give those providers direct access to their customers’ account data.

The security element is the RTS, which McMurtrie explains was delayed by lobbying over how third parties should access account information: via “screen scraping” of the customer-facing site, or only via dedicated APIs.

According to Alisdair Faulkner, chief identity officer for Business Services at LexisNexis Risk Solutions, screen scraping is used by third-party providers to access user account information from HTML forms, and is generally considered contrary to banks’ general terms and conditions.

“While screen scraping is prohibited under the directive, banks are required to grant third parties access to customer data via specific, dedicated interfaces,” he says. Screen scraping tools can copy available data to an external database and can be used outside of the financial institution.

Payment security consultant Neira Jones tells Infosecurity that the RTS banned screen scraping as it is not secure, but there are two better options for collecting data – either via a public API, which is deliberately open to enable competition so that it is not done via a single bank’s API, or through the modification of the modern banking interface. “The problem is we’re asking the banks to open up their infrastructure,” Jones says.

Are You Ready?
So why is this directive needed? McMurtrie says that the UK’s total card fraud cost is £566m, and £310m of that comes from e-commerce. This, he says, “is why the regulation has come in, to stop this growing and reduce the amount of e-commerce fraud.”

However, McMurtrie adds that there is doubt about whether European businesses will be ready for the September 14 deadline, and his own belief is that they will not be. “The EBA has required that each member state appoint a single, competent authority, and in the UK it is the Financial Conduct Authority (FCA). National regulators are the ones who have the job of enforcing compliance on any regulated financial institutions.”

These regulated financial institutions include banks, card issuers and merchant acquirers, but not unregulated corporations such as enterprises or merchants; however, he notes, “enforcement will be requested by those who are regulated.”

In terms of not achieving compliance, McMurtrie says the overall ecosystem is not ready for the deadline and the reasons include: computing requirements, late availability of the specifications, late solution availability and the regulators changing their mind on the specifications.

McMurtrie continues: “In the UK, what is happening from a card payment perspective is that a roadmap to compliance is being negotiated with the regulator, and UK Finance represents all of the financial institutions and providers. They have created a phased roadmap with milestones and are in active negotiations with the FCA to ask for more time for compliance with the scheme.”

He points out that an additional 18 months has been requested, and that an official decision is expected in August. That “managed roadmap is under intense discussion,” he says, and an official decision will require an agreed plan with several milestones. “This would allow active enforcement to be delayed.”

In a statement published in June 2019, the FCA stated: “The legal deadline for complying with the RTS on Strong Customer Authentication remains September 14 2019. However, the FCA recognizes the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement Strong Customer Authentication (SCA) for card payments in e-commerce as soon as possible after this.”

For next steps, the FCA tells Infosecurity that it is “working with industry on creating a plan” that will determine a blueprint for compliance and readiness, a timetable for achieving this, and key milestones and targets to deliver improved security of customer authentication and fraud reduction along the way. The statement said that the FCA will not take enforcement action against firms if they do not meet the relevant requirements for strong authentication from September 14 2019 in areas covered by the agreed migration plan, where there is evidence that they have taken the necessary steps to comply.


What Role Does Security Play?
What makes this particularly relevant for the cybersecurity industry is the introduction of strict security requirements for the initiation and processing of electronic payments.

In particular, Articles 94 to 98 of the directive (in Title IV) cover data protection and operational and security risk. Article 94 states that “payment service providers shall only access, process and retain personal data necessary for the provision of their payment services, with the explicit consent of the payment service user” – echoing the data minimization and consent principles of the GDPR.

Neira Jones explains that “PSD2 is much broader in terms of who it applies to” than PSD, and the PSD2 RTS sets binding requirements on strong customer authentication and secure communication.

Jones adds: “Modification of the online banking interface means providing an interface for the third party upon authentication of the customer” and this means securely authenticating anyone who is accessing the data. 

McMurtrie says that strong customer authentication means more use of multi-factor authentication, typically with two factors drawn from three categories: knowledge elements (something only the user knows), possession elements (something only the user has) and inherence elements (something the user is). “Each person has to be authenticated by a means of authentication from at least two of these.” The RTS also requires the chosen elements to be independent, so that compromise of one does not compromise the other; two knowledge elements, such as a password and a PIN, do not satisfy the requirement.

He says that one of the issues here is that e-commerce typically does not involve physical presence, and this has led to a reliance on passwords. He predicts more of a move to the use of biometrics as one of the inherent elements.

As well as authentication, Jones says that it is about securing the connection interface between the user and the third party, or the user and the bank. This is where security plays a major part in PSD2, as Jones explains that “if your CISO is not involved in PSD2 endeavors, talk to them as that is their job, and there are various specifications in security in PSD2 as it is about basic requirements that are nothing new.” Jones admits that, since she has been working on PSD2, she is yet to find a CISO who has been involved in implementing the regulation.

One thing that GDPR has driven is better standards on incident response with its 72-hour data breach reporting rule. Likewise, Article 96 of the PSD2 directive states that “in the case of a major operational or security incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State of the payment service provider” and provide the relevant details of the incident to the regulator.

However, Paul van der Lee, director, EMEA North at Ping Identity, argues that it is unfair to compare GDPR and PSD2, as “the aims of the regulations are different.”

He says: “PSD2 is aimed not just at protecting customer rights and allowing for proper handling of complaints, but is also about opening up opportunity for new service providers and enabling new products and services, whilst at the same time, increasing security.

“It took some time post-GDPR for companies to get fully up to speed on the required level of response to major incidents and we are only just seeing fines at the level that was originally threatened.”


Have You Heard the News?
Jones argues that there is a general lack of understanding about PSD2 within the security sector, saying it is only in the industry’s “vague consciousness.”

Part of the challenge is that some aspects of the RTS remain open to interpretation, points out van der Lee, and what some people believe to be compliance falls short in the eyes of other experts. “Ultimately, customer adoption will impact what organizations seek to do with regards to PSD2. The organizations that are best able to develop new offerings based on the disruption will get a competitive advantage, and the people (and technology companies) that can make that happen will become very valuable.”

What about fraud – will PSD2 go far enough to rule that out? Jones says she feels it has “got more than enough” to do so, while McMurtrie says that awareness of the payment fraud problem that PSD2 is trying to resolve has been low. “This lack of consistency is a problem for understanding the directive, and likely even harder for those trying to comply with it,” he says.

Overall, the aim to reduce payment fraud should be welcomed, and while time has been provided to achieve compliance, the expectation that the majority will not achieve it is a concern. A survey of over 2000 British adults by Equifax found that 66% rate “safe and secure payments” as the most important factor in the online checkout process, while 76% would be willing to accept a slower or less convenient checkout experience in return for greater payment security.

Perhaps this is evidence of silos across the business: if PSD2 is not seen as a priority for security but is still treated as the fraud team’s responsibility, a better converged business will deal with it more efficiently.
