Complying with the revised Payment Services Directive (PSD2) is currently a key priority for financial institutions (FIs) in Europe and beyond. In particular, financial institutions need to comply with the requirements related to Strong Customer Authentication and Transaction Risk Analysis. These requirements are outlined in the Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) and Common and Secure Communication (CSC). Financial institutions need to adhere to them by September 14, 2019 at the latest. Some of the key requirements will go into effect six months earlier.
In this blog, we provide an overview of the key authentication requirements in the RTS and how to properly comply with them.
PSD2: Strong Customer Authentication & Transaction Risk Analysis
The most important authentication requirements in the RTS under PSD2 are:
- Two-factor authentication: FIs acting as payment service provider must authenticate users based on an authentication mechanism that uses two of three possible authentication elements:
- Possession (i.e., something only the user has)
- Knowledge (i.e., something only the users knows)
- Inherence (i.e., something only the user is)
- Further, the authentication elements must be independent of each other. The authentication mechanism must generate an authentication code that is only valid once (and in practice, for a limited amount of time).
- Dynamic linking: Dynamic linking is also commonly referred to as transaction data signing or transaction authentication. The legislators who drafted PSD2 introduced the dynamic linking requirement to counter Man-in-the-Middle attacks, where a bad actor alters the details of a transaction after the payer has authenticated it. The dynamic linking requirement has three parts. First, it requires a payer to authenticate a financial transaction by calculating an authentication code over certain transaction data (at least the amount and some information identifying the beneficiary), so that the authentication code is linked to the transaction. Second, the confidentiality and integrity of the transaction data should be protected (i.e. encrypted) throughout the authentication process. Third, the online banking user should be aware of the transaction data they authenticate.
- Independence of authentication elements: This requirement is primarily focused on mobile app security. The Strong Customer Authentication requirements allow for the use of mobile apps as a user-friendly possession factor. When the authentication mechanism relies on devices such as mobile phones or tablets, FIs must adopt security measures to mitigate the risk of the mobile app running in an untrustworthy execution environment (i.e. device and operating system), where it may be subject to overlay attacks, code injection, and other threats.
- Transaction risk analysis: Banks must perform transaction risk analysis to prevent, detect, and block fraudulent payments. Transaction risk analysis should be based on elements such as the amount of the payment, known fraud scenarios, signs of malware infection in the payment session, etc. The regulation foresees that low-risk payments can be exempted from strong customer authentication. However, this entails that transaction risk analysis include additional elements such as payment patterns, behavioral analysis, location of payer and payee, information about the device used to conduct the payment, and even the ability to collect data from multiple channels such as mobile, online, ATM, and branch.
From Standalone Authentication to Adaptive Authentication
When evaluating and implementing solutions for compliance with Strong Customer Authentication requirements, FIs should consider adaptive methods and tools. Adaptive authentication is not an authentication factor, like a new one-time token or authentication application. It is a workflow that continuously analyzes a user’s activities, environment, and behaviors to determine the precise level of security, at the right time for each unique transaction.
Adaptive authentication distinguishes itself from standalone authentication tools by employing specialized authentication methods based on real-time risk analysis. Instead of forcing a user-initiated event, such as entering a PIN or password, a user may have to pass through a series of authentication checks to gain access to particular services for riskier interactions – or no additional checks at all for low-risk transactions (e.g., checking your account balance).
This is also known as step-up authentication. With the risk score as a guide, the authentication steps are dynamically applied to the transaction in real-time, and the user may have to take action. For example, if the transaction is within the user’s normal pattern of behavior, no step-up authentication is needed. However, a certain risk score may prompt a request for a one-time password (OTP), while a higher risk score may prompt the user for both an OTP and fingerprint scan (e.g., for a transfer of $10,000 dollars to a foreign bank account).
By leveraging risk analytics driven by machine learning and artificial intelligence – and combined with the authentication orchestration we just described – an adaptive authentication solution falls into a solution category known as Intelligent Adaptive Authentication. With this type of solution, financial institutions can simplify the end user experience, reduce fraud, and achieve regulatory compliance. This applies across multiple digital banking channels, including web, mobile, etc.
Adaptive Authentication and Strong Customer Authentication
FIs face significant challenges stopping fraud even with the most advanced security technologies. Complexity, inconsistent user experiences, hard-to-meet compliance requirements, multiple languages and interfaces hide security vulnerabilities and keep business managers up at night. The challenge is how to simplify authentication workflows to increase security, strengthen compliance, and create the best possible user experience across multiple channels.
Intelligent Adaptive Authentication helps financial institutions achieve these goals, while also complying with PSD2’s Strong Customer Authentication requirements. Here’s how:
- Risk-based authentication: Intelligent Adaptive Authentication enables FIs to support a broad portfolio of authentication elements. These can be possession elements (i.e. mobile apps, hardware tokens, etc.), biometric factors (i.e. fingerprint, facial), and knowledge elements (i.e. PIN). In addition, an Intelligent Adaptive Authentication solution should also support strong authentication standards such as FIDO.
- Dynamic linking: Though many adaptive authentication solutions operate under the same principles, there is wide diversity in the market with regard to integration of key security technologies. For Intelligent Adaptive Authentication solutions that support dynamic linking, the key is ensuring it is both compliant and convenient for end users. One of the most widely accepted ways to do this is with color cryptograms known as Cronto codes. When the bank sends transaction or payment data to the user to verify and authorize, that data is encrypted inside the Cronto cryptogram. The user decrypts the data by scanning the cryptogram with their smartphone (or hardware device). In the event Trojan malware is present on the user’s computer, it will not be able to alter the data inside the visual code. This approach allows FIs to fully comply with all three of PSD2’s dynamic linking requirements.
- Independence of authentication elements: Intelligent Adaptive Authentication provides FIs with deep visibility into mobile devices and the bank apps running on them. It leverages extensive user, device, and app data, which provides a very accurate measure of trust via a risk analytics score. Intelligent Adaptive Authentication integrates capabilities like mobile app shielding to create a secure execution environment for mobile banking apps, allowing them to run safely on untrusted mobile devices. This includes the use of separated secure execution environments, as well as measures to protect mobile apps against run-time threats such as rooting or jailbreaking, overlay attacks, code injection, and keylogging.
- Transaction risk analysis: Risk assessment of the user’s environment and financial transactions is at the heart of an Intelligent Adaptive Authentication solution. Intelligent Adaptive Authentication gathers contextual information from multiple sources (e.g. user’s mobile device, laptop), as well as behavioral analysis (i.e. who, what, when and where), and correlates this with the user’s history to detect emerging and known fraud patterns to assess the risk level of a transaction. The solution then applies the precise level of security for each unique financial transaction.
For more information about PSD2 and how to comply with the Strong Customer Authentication requirements, visit www.OneSpan.com/psd2.