Many things have been said about the Directive (EU) 2015/2366 on payment services in the internal market, also known as the PSD2 Directive.
PSD2 aims to regulate the rapid growth of the European e-payment market and to harmonize a still fragmented European legislative framework. That fragmentation is the result of the different rules issued by each Member State when transposing the old Directive (Directive 2007/64/EC), and it creates potential risks for the security of payments and for the protection of consumers.
The central role in the new Directive of the eIDAS-regulated trust services has not been stressed enough, even if it is closely related to the goal of PSD2, which is “to strengthen consumer confidence in online digital payments”.
Strong customer authentication
Let’s take as an example one of the cornerstones of the Directive: the trustworthy e-ID of the actors involved in an e-payment transaction.
A specific technical regulation defined by the European Banking Authority (EBA) introduced the obligation of “Strong Customer Authentication” (SCA) of the payer, who must be identified in a trustworthy way. Under this requirement, payment service providers (PISPs and AISPs) may access payment accounts or execute payment orders only after a two-factor strong authentication of the customer. This measure was welcomed with little enthusiasm by payment service providers, who see it as a threat to the UX of the payer, who is typically accustomed to more agile systems such as the “one click pay” offered, for example, by Amazon.
Secure transaction service
However, there are trusted solutions that guarantee the full application of what the Directive requires without undermining the habits acquired by payers. InfoCert has patented STS – Secure Transaction Service, a software component that can be integrated into mobile payment apps and is designed to increase the security level of valued transactions generated and validated in a mobile ecosystem. All this ensures compliance with the SCA requirements and the best UX for the payer, thanks to a “silent OTP”.
STS also performs multiple controls, linking the payer’s identity to the amount of the payment transaction and ensuring the so-called “dynamic linking” (another requirement of PSD2).
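Dynamic linking means the authentication code the payer approves is computed over the exact amount and payee shown to them, so a payment order altered in transit no longer verifies. The following is an added illustration of that principle, not InfoCert’s STS or its “silent OTP”; it assumes a per-device HMAC key provisioned at enrolment, a constructed placeholder IBAN, and an HOTP-style truncation of the MAC to digits:

```python
import hashlib
import hmac
import struct

# Constructed sample device key; in practice provisioned per device at enrolment.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def canonical_transaction(payee: str, amount_cents: int, currency: str, nonce: int) -> bytes:
    # Length prefixes make the encoding injective: different field values
    # can never serialise to the same byte string.
    fields = [
        payee.encode("utf-8"),
        currency.encode("utf-8"),
        struct.pack(">Q", amount_cents),
        struct.pack(">Q", nonce),
    ]
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def authentication_code(key: bytes, payee: str, amount_cents: int,
                        currency: str, nonce: int, digits: int = 8) -> str:
    # HMAC-SHA256 over the canonical transaction, truncated to decimal
    # digits with the dynamic truncation of HOTP (RFC 4226).
    msg = canonical_transaction(payee, amount_cents, currency, nonce)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(key: bytes, seen_nonces: set, payee: str, amount_cents: int,
           currency: str, nonce: int, code: str) -> bool:
    # Server-side check: the code must match the transaction the server is
    # about to execute, and each nonce is accepted only once (no replay).
    if nonce in seen_nonces:
        return False
    expected = authentication_code(key, payee, amount_cents, currency, nonce)
    if not hmac.compare_digest(expected, code):
        return False
    seen_nonces.add(nonce)
    return True


if __name__ == "__main__":
    seen = set()
    payee = "IT00EXAMPLE0000000000000000"  # constructed placeholder IBAN
    code = authentication_code(DEVICE_KEY, payee, 4999, "EUR", 1)
    print("approved order:", verify(DEVICE_KEY, seen, payee, 4999, "EUR", 1, code))
    print("tampered amount:", verify(DEVICE_KEY, set(), payee, 499900, "EUR", 1, code))
    print("replayed code:", verify(DEVICE_KEY, seen, payee, 4999, "EUR", 1, code))
```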
Clear and unique identification of PISPs and AISPs
Moreover, another requirement of the Directive is the clear and unique identification of PISPs and AISPs when they access the user’s payment accounts. The solution described by the technical regulation issued by the European Banking Authority is to use qualified certificates, so that any attempt to access the user’s payment accounts can be fully traced. This requirement leads to another change in the e-payment landscape: practices such as “screen scraping” (accessing home banking with software that pretends to be the user), which are very common among some players, are no longer possible. In this case, the Directive refers directly to the eIDAS-regulated trust services that InfoCert provides: qualified electronic seals and qualified certificates for website authentication.
To conclude, PSD2 has created an extremely challenging e-payment environment, which certainly requires a great adaptation effort from payment service providers, but also offers many opportunities.
Knowing how to choose the most appropriate solutions and rely on the right partner is crucial in seizing the opportunities of the market.
Consultant – Process & Compliance
at InfoCert – Tecnoinvestimenti Group