The introduction of the revised Payment Service Directive (PSD2) that came into application on January 13, 2018, brings a shift in financial transactions. If in the past SMS codes were the preferred way to confirm an online payment, organisations such as Payment Initiation Service Providers (PISPs) and Account Services Payment Service Providers (ASPSPs) now have deadlines to meet PSD2 requirements:
- March 14, 2019: ASPSPs’ access interface must be ready for external testing by PISPs as required by the Regulatory Technical Standards (RTS).
- September 14, 2019: PISPs need to comply with RTS and PSD2 requirement and propose Strong Customer Authentication (SCA) to their customers.
As the clock is ticking by, let’s understand the hows and whys of this regulation.
PSD2 SCA: What and why?
Payment services are evolving, creating new opportunities and new ways to transact beyond borders. As a consequence, the EU has decided to harmonize the different country-specific practices in order to:
- Contribute to a more integrated and efficient European payments market,
- Improve the level playing field for payment service providers (including new players),
- Make payments safer and more secure by reducing fraudulent activities,
- Protect confidentiality of consumers.
This is the PSD2. When it comes to security, text messages have shown their limits to make online transactions safer. Latest breaches such as Voxox leak exposing millions of SMS messages prove that systems can be easily corrupted when it comes to proving identities. This is why PSD2 has issued new requirements with the aim of creating a secured environment to online buyers.
Welcome to the Strong Customer Authentication (SCA)
A compliant SCA is based on 2 or more authentication factors of different types among the following options:
- Something you know, such as a password.
- Something you have, such as a mobile device, a plastic card.
- Something you are, such as a thumbprint.
As everyone initiating an online transaction will soon have to use SCA, it is important to stress that SCA solutions must provide a high level of security but also an easy customer experience. This is actually a more difficult challenge.
Providing physical tokens to everyone is hardly an option because of the costs to issue and manage such devices at a large scale. Also, customers with multiple banks would need several tokens, resulting in an authentication fatigue that is counter-productive to the objectives of PSD2.
Only software-based solutions provide the flexibility required by banks and third parties and ensure a smooth deployment while keeping costs low. inWebo MFA perfectly matches these requirements since it provides a secured method to validate buyers’ identities without impacting the experience. inWebo is easy to implement, to deploy and to manage. The different authentication methods available from inWebo make it possible for users to have a seamless experience for any payment use case. inWebo Transaction Sealing feature makes the transactions non-disputable. The alignment of its solutions with PSD2 SCA requirements has enabled inWebo to already support leading banks to secure transactions and account access.
PSD2 is just the start. inWebo expects that most of the banks will switch to the 3DS 2.0 worldwide regulation coming into force in 2020. inWebo is already supporting financial institutions and banks in deploying its solution to swap prior authentication methods with SCA compliant ones.
If you’d like to know more about inWebo MFA for financial institutions, you can download our tailored white-paper or request a demo by clicking the relevant option below: