1. Mandatory use of strong customer authentication: two-factor (2FA) or multi-factor authentication
This security requirement is detailed in paragraph 30 of article 4 of Title 1 of the PSD2. This is how the document reads:
“Authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
This requirement introduces a second authentication factor into every remote payment transaction, whether online or electronic.
In practice, it typically means that customers confirm a financial transaction with a one-time code sent, for example, by SMS to the phone number and device associated with the account holder.
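The two rules above, at least two verified elements from different categories and a single-use, time-limited SMS code as the possession element, can be modelled directly. The following is an added example, not code from the article or from any PSD2 implementation; the category names, the 5-minute lifetime and the 3-attempt limit are assumptions chosen for the demo.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# The three element categories named in PSD2 Art. 4(30).
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass
class Factor:
    category: str   # one of the three categories above
    verified: bool  # result of checking that element on its own


def meets_sca(factors):
    """True only if at least two *verified* elements come from different
    categories; two passwords, or a password plus a failed OTP, do not count."""
    categories = {f.category for f in factors if f.verified}
    return len(categories) >= 2


class SmsOtp:
    """Possession element: a one-time code bound to a specific transaction.
    Codes expire, are single-use, and lock after a few wrong guesses."""

    def __init__(self, ttl_seconds=300, max_attempts=3):  # assumed limits
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._codes = {}  # txn_id -> [code, expiry, attempts]

    def issue(self, txn_id, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[txn_id] = [code, now + self.ttl, 0]
        return code  # would be sent by SMS; returned here only for the demo

    def verify(self, txn_id, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._codes.get(txn_id)
        if entry is None:
            return False
        code, expiry, attempts = entry
        if now > expiry or attempts >= self.max_attempts:
            del self._codes[txn_id]  # expired or locked: force re-issue
            return False
        entry[2] += 1
        ok = hmac.compare_digest(code, submitted)  # constant-time compare
        if ok:
            del self._codes[txn_id]  # single use
        return ok
```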
2. Establish standardized internal security frameworks
Providers that begin offering payment services to account holders must establish internal security frameworks that preserve their customers' privacy and protect their personal data and operations.
This security requirement is detailed in article 85 of PSD2, which establishes that “payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage the operational risks, including security risks, relating to the payment services they provide. As part of that framework, payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents”.
3. Report security incidents
Any breach of client privacy or security must be notified to the account holders and also reported to the European regulators. This requirement is established in article 86 bis of PSD2:
“In the event of a major operational or security incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State of the payment service provider. Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider shall without undue delay inform its payment service users of the incident and of all measures available to them to mitigate the adverse effects of the incident”.
4. Evaluation and reporting of security frameworks
Systems that ensure privacy and security must be evaluated regularly, and the results of those reviews reported to regulators.
All of these requirements rest on the fact that there are now several new players serving clients who previously dealt only with traditional banks: clients who now withdraw, deposit, move, buy and sell through an application that has nothing to do with their financial institution, or who check their account activity without logging into their bank accounts.
PSD2 places services of every kind in the hands of these third-party companies:
- Deposits, cash withdrawals or any other operation on a payment account.
- Execution of payment transactions: from card payments (debit, credit or other schemes) to credit transfers or direct debits.
- Payment transactions where the funds are covered by a credit line granted to the payment service user.
- Money remittance.
- Payment initiation services.
- Account information services.