The second European Payment Services Directive (PSD2) was published in 2015. Its main goals are to improve customer protection during payment transactions and to promote business innovation.
This provides great opportunities for merchants and fintechs to offer enhanced and convenient solutions for customers, but also has some strict security requirements that we will summarize here.
For banks, the biggest consequence of PSD2 is that they must open up their payment services to other businesses:
- Banks: act as ‘Account Servicing Payment Service Providers’ (ASPSPs) and host API endpoints
- Merchants and Fintechs: act as ‘Third Party Providers’ (TPPs) by supplying apps that call the above APIs
- Consumers: act as ‘Payment Service Users’ (PSUs) and use apps that access their bank accounts
When logging onto apps that make payment transactions, Strong Customer Authentication (SCA) must be used, in order to prevent an attacker from stealing the identity of a genuine user.
Data involving payments is usually of very high value, so the SCA requirement is usually met by authenticating with multiple factors (MFA), to provide a high Level of Assurance (LoA).
When making a payment, PSD2 requires the user to be informed of the amount and the recipient. This is usually managed by showing a consent screen to the user, then recording the agreement in a non-repudiable and digitally verifiable manner.
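As an added illustration of what "non-repudiable and digitally verifiable" means in practice (example code written for this page, not from the original article or any bank's implementation): the bank signs the consent record the user agreed to with an Ed25519 key, and any later change to the amount or payee fails verification. The key pair, the record's field names and the sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// ConsentRecord holds what PSD2 requires the user to be shown (amount and recipient) plus who agreed and when.
type ConsentRecord struct {
	PSU      string    `json:"psu"`
	Payee    string    `json:"payee"`
	Amount   string    `json:"amount"` // decimal string, never a float
	Currency string    `json:"currency"`
	AgreedAt time.Time `json:"agreed_at"`
}

// encode produces the signed bytes; encoding/json writes struct fields in declaration order, so equal records encode identically.
func encode(r ConsentRecord) ([]byte, error) { return json.Marshal(r) }

// SignConsent signs the encoded record with the bank's (assumed) Ed25519 consent-signing key.
func SignConsent(priv ed25519.PrivateKey, r ConsentRecord) ([]byte, error) {
	msg, err := encode(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// VerifyConsent returns true only if r is exactly the record that was signed.
func VerifyConsent(pub ed25519.PublicKey, r ConsentRecord, sig []byte) bool {
	msg, err := encode(r)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed bank key pair
	rec := ConsentRecord{PSU: "psu-42", Payee: "Example Shop", Amount: "250.00",
		Currency: "EUR", AgreedAt: time.Date(2024, 5, 1, 12, 0, 0, 0, time.UTC)} // constructed sample
	sig, _ := SignConsent(priv, rec)
	tampered := rec
	tampered.Amount = "2500.00" // an altered amount no longer matches the signature
	fmt.Println(VerifyConsent(pub, rec, sig), VerifyConsent(pub, tampered, sig)) // true false
}
```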
Merchants have to be approved before they are allowed to onboard and call bank APIs. In Europe this is managed by a central authority, eIDAS, whose role is to vet companies and assign or revoke trust.
eIDAS issues companies with client certificates to be used as API credentials, and only these certificates will be trusted by bank APIs. This provides strong B2B security via a Mutual TLS channel, so that the overall authentication solution layers certificate-based B2B security on top of user-level SCA.
A key PSD2 requirement is that once approval from eIDAS is granted and the technical implementation is completed, businesses can get connected immediately. This requires a secure automated enrolment process, without manual human actions.
The PSD2 directive opens up great possibilities for both banks and software-producing companies, and this model will expand to a global scale over time.
Solutions require financial-grade security, however, and the Open Banking article provides further details on how to get started on a solution.