PSD2 Compliance: strong customer authentication without friction
What is the PSD2 regulation?
The objective of the 2nd European Payment Services Directive (PSD2) is to strengthen the security of payments. Adopted in November 2015, it came into force throughout the European Union in January 2018 (although some provisions remain to be implemented), and raises the level of security requirements accompanying the validation of financial transactions and regulates access to bank data.
In the area of security features, the most sensitive element of PSD2 is the widespread use of multi-factor authentication (MFA) for certain transactions, including online payments.
Payment security is achieved through strong authentication with the PSD2
What is strong authentication, also known as MFA (Multifactor Authentication)?
Authentication is said to be strong when a user must, in order to log in or validate his operation, provide two elements from different categories among the three possible ones. The 3 categories of identification factors are:
- something I know: the most common example is the password for applications or the PIN code for payment cards.
- something I own: a phone, a computer, a flash drive, a connected device. There are many possibilities. The Possession factor is usually referred to as a token.
- something that I am: it's essentially biometrics - fingerprint, retinal, voice, facial recognition.
PSD2 Compliance : operations requiring strong customer authentication (SCA)
The European directive imposes the strong SCA on 3 types of operations.
access and management of the payment account
online transaction with a significant risk of fraud
The PSD2 provides for some exceptions to these rules, listing transactions that are considered low risk. These exceptions include payments up to €50 in contactless mode or €30 online, or transfers to a beneficiary previously validated by strong authentication.
No, SMS validation is not strong authentication
The main consequence of PSD2 is that the usual process of the payment security system (3D Secure), which validates operations by sending a one-time password (OTP) via SMS to be re-entered by the user, no longer complies. It is indeed based on a single factor, the possession of a mobile phone, and can very easily be circumvented by a cyber attack like SMShing.
The directive thus changes the customer journey in e-commerce at its most crucial point: payment validation. Hence the fears of online merchants who are worried about an increase in shopping cart abandonment due to what they perceive as a more complex customer journey. This concern is easily understandable if we consider only the most widespread multi-factor authentication solutions. Generally not very secure, they are also complicated to use, often requiring the re-entry of a single-use password obtained by more or less practical means.
However, this is by no means inevitable, as illustrated by inWebo MFA , whose implementation not only enables compliance with PSD2 but also reduces friction in the payment process, including in comparison with the experience currently offered by 3D Secure.
Compliance PSD2 : inWebo MFA, the multi-factor authentication solution that ticks all the boxes
Complying with the entire PSD2 regulation is a complex project, requiring many skills. The good news is that inWebo's MFA solution not only ticks all the boxes necessary to secure transactions but also offers exclusive advantages to facilitate the implementation and improve the user experience.
With inWebo MFA SaaS Multifactor Authentication
access to accounts is protected
sensitive operations and status changes are sealed by a dynamic link
strong client authentication (SCA) is ensured
How to be PSD2 compliant by offering a frictionless customer journey
However, the main obstacle to PSD2 compliance today is not technical but, as we have seen, linked to fears about changes in the payment journey.
This is where one of the main differentiators of the inWebo solution comes in: strong authentication without a smartphone, via a simple browser. The Deviceless (or Smartphoneless) token allows the customer to authenticate in compliance with PSD2 without any other trusted device than his browser, via a simple reusable PIN code. This is achieved while ensuring the highest level of access security of any MFA solution through the use of proprietary dynamic random key technology. To learn more about this technological achievement, see our article Deviceless MFA.
The implementation of the inWebo MFA solution not only does not degrade the connection experience, but it even makes it simpler by removing the need to have a smartphone, to have mobile network connection to receive the SMS and to re-enter a unique code, a major source of mistakes and payment abandonment.
The route is therefore simplified. But it is also unified. With hundreds of available integrations, via connectors, its API mode or its SDK, the inWebo MFA solution can be deployed on all application accesses, not only on bank account accesses. Thus, the user, who wants to connect to his email, validate a transaction, or access his company's VPN, will benefit from a unified interface, a uniform login experience and even a unique PIN code (or any other knowledge factor) without any security degradation.
Do not fear PSD2 compliance
Online retailers, payment service providers, banks, you need not be afraid of losing your customers by complying with PSD2. With inWebo, you can combine strong customer authentication with a frictionless customer journey. And as an added bonus, you'll get a Full SaaS MFA solution that can be deployed in a few clicks on thousands of users, without any equipment constraints.
Check out the replay of our webinar
PSD2 and strong client authentication SCA: combine security and a simplified user experience
What is the Payment Services Directive 2 (PSD2)?
What is strong customer authentication (SCA)?
How does PSD2 change the payments markets?
Get in touch for a demo or to request a free trial
Our latest news
The terms "authentication" and "authorization" are fundamental concepts in IAM and CIAM. They form the framework of cybersecurity. Their proximity in meaning and pronunciation...
With the rapid evolution of technology, there is a massive migration of industries and large organizations to the cloud. Almost all resources, data and other entities...
Have you ever heard of MFA prompt bombing? It's the topic of the moment in the cybersecurity field. This technique was recently used against Uber by the famous group of...