Everything a Financial Institution needs to know and apply

What is PSD2?

Two points are key to this new PSD2 regulation: bring new forms of payment to life and make them more secure.

  1. In terms of protection, and with the idea of ​​increasing consumer confidence in electronic payments, it establishes new authentication / identification minimums for the user, for which the SCA (or double authentication) is of great value. This forces to apply 2 or 3 factors to choose between: one thing that the user knows (for example, the password), one that they have (for example, the mobile) and another that is (for example, the fingerprint or the face ). It will no longer be worth with the first as before.
  2. Regarding payment, the current process is relatively complex. Merchants must go to intermediaries, such as electronic payment providers, who are in charge of contacting the card company (Visa or Mastercard, for example), so that they can charge the customer. With the entry of PSD2, new participants (TTPs) come into play, which adapt to all the different preferences of the clients while remaining equally safe for them.

Services we offer

To comply with the requirements set forth in PSD2, banks, account service providers and payment service providers have a series of technical instruments.

From NeoCheck we offer both access services to the required functionality through our APIs and business consulting through our alliance with Agile Control Solutions.

1. Mandatory use of robust authentication, two-factor authentication (2FA), or multi-factor client

This security requirement is detailed in paragraph 30 of article 4 of Title 1 of the PSD2. This is how the document reads:

“Authentication based on the use of two or more elements categorized as knowledge (something that only the user knows), possession (something that only the user owns) and inherent (something that the user is) that are independent, since the breach one does not compromise the reliability of the others and is designed in such a way that the confidentiality of the authentication data is protected ”.

This security system introduces a double factor of security in any operation of remote payment transactions, online or electronic.

Usually, it allows customers to authenticate themselves as such by confirming a financial transaction through a code that can be sent, for example, by SMS to the number and devices associated with the account holder.

2. Establish standardized internal security frameworks

Providers starting to perform banking services for account holders must introduce internal security frameworks to preserve the privacy of their customers and also the security around their personal data and operations.

This security requirement is detailed in article 85 of PSD2, where it is established how “payment service providers will establish a framework with mitigation measures and adequate control mechanisms to manage operational risks, including security risks, related with the payment services they provide. As part of that framework, payment service providers will establish and maintain effective incident management procedures, including detection and classification of major security and operational incidents. ”

3. Report security incidents

Any breaches of the privacy or security of the clients must be notified to the holders, but also reported to the European regulators. This requirement is established in article 86 bis of PSD2:

“In the event of an incident of operational importance, including security, payment service providers shall notify the competent authority under this Directive without undue delay in the home Member State of the payment service provider. When the incident has or may affect the financial interests of its payment service users, the payment service provider shall promptly inform its users of the incident’s payment service and of all available measures they can take to mitigate the effects. adverse of the incident ”.

4. Evaluation and reporting of security frameworks

Systems that ensure privacy and security should be evaluated and regular reviews should be reported to regulators.

All of these prerequisites work on the basis that we have several new players working with clients who previously only operated with traditional banks and who now withdraw, enter, move, sell and buy accounts through an application that has nothing to do with their financial institution or that consult their movements without entering their bank accounts

The PSD2 leaves in the hands of these third companies services of all kinds:

  • Deposit, cash withdrawal or any operation with a payment account.
  • Execution of payment operations: from payments with debit, credit or other system to transfers or direct debits.
  • Payment operations when the funds are covered by an open line of credit for a user of payment services.
  • Sending of money.
  • Payment initiation services.
  • Account information services.

The use of electronic payments and online banking has grown rapidly in Europe. In the 2019 ‘Consumer Trends’ report, the European Banking Authority found that the total number of digital media payments in the European Union (EU) increased 7.3% in 2017, reaching 134 billion operations.

This growth explains why European authorities, concerned about possible fraud risks for customers, approved an extensive reform on payment security as part of the Second Payment Services Directive (PSD2).

Starting September 14, 2019, European banks and other payment service provider companies must implement enhanced customer authentication (or strong customer authentication) across a wide range of payment systems and other operations, such as logins in mobile applications and websites.

What is strong client authentication?

Authentication processes are used to verify that a client is who they say they are. Strong authentication requires the payment service to use at least two different pieces of information, known as authentication factors. These factors are divided into three groups:

  • Knowledge: something the customer knows, such as a password or PIN.
  • Possession: something the customer owns, such as a debit card or a mobile phone.
  • Inherence: something inherent to the customer, such as his fingerprint.

Many of these factors are already common: payment cards and the PIN are used to make physical payments, a code received by SMS to make an online purchase, or the fingerprint to unlock the mobile and access the bank’s ‘app’ .

But with the new rules, some factors will need to be updated or replaced. Furthermore, along with the increasing use of banking apps and mobile phones, new forms of authentication are likely to appear in the future.

The Account Information Service (AIS) consists of collecting and storing the information of a client’s different bank accounts in one place, allowing clients to have an overview of their financial situation and easily analyze their expenses and financial needs .

Our API allows, in a very simple way, both to verify if an account belongs to a person and to obtain the movements of the last 12 months.

In the payment initiation service (PIS), third-party providers facilitate the use of ‘online’ banking to make payments over the internet. These services help initiate a payment from the consumer’s account to the merchant’s account by creating a “bridge” interface between both accounts, filling in the necessary information for the transfer (transaction amount, account number, message) and informing the merchant of the start of the transaction. Likewise, PSD2 also enables the customer to make payments to third parties from the application of a bank using any of their accounts (whether or not they belong to that entity).

From NeoCheck we facilitate both the integration of the gateways and the identity validation processes of the payer.

To know more

If you want to know a little better about our processes and the solutions that we propose, you can continue reading about:

Find out what can we do for you

In NeoCheck® we strive to satisfy all the needs of our customers in terms of Document Verification and Biometric Identification. From web-based solutions, mobile applications to specialized components (we have our own research and development team). And of course, we try to deploy the most advanced and flexible technology at affordable prices, as well as providing them with the best support. Therefore, we regularly organize online courses and workshops related to the world we know best: Document and ID Verification.