PSD2 XS2A: What you need to know about the Discussion Paper of the EBA
Following the adoption of the revised Payments Services Directive (PSD2) by the Council on 16 November 2015, the European Banking Authority (EBA) has published its long anticipated Discussion Paper on ‘strong customer authentication  and secure communication’ on 8 December.
The Regulatory Technical Standards (RTS) on strong customer authentication and secure communication, on which the EBA has issued the Discussion Paper, are key to achieving the PSD2 objectives of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union.
In this blog INNOPAY’s PSD2 experts will discuss the rationale of the Discussion Paper on RTS, frame the security challenges that emerge from enabling third party access to payment accounts for Payment Initiation and Account Information Services (‘XS2A’) and conclude by defining the main challenges the EBA will encounter during its challenging task of developing the RTS. For this purpose the authors also draw on their experience as expert advisor and facilitator of the Open Transaction Alliance (OTA).
Why this Discussion Paper by the EBA?
The EBA is required to deliver the RTS on strong customer authentication and secure communication by January 2017. Prior to starting the actual development of the RTS, the EBA issued the Discussion Paper with the intend to obtaining early input from market actors into the development process.
EBA should, when developing this challenging RTS, ensure that it consults all relevant stakeholders, including those in the payment services market, reflecting all interests involved. If necessary for getting a proper balance of views, EBA should make a particular effort to obtain the views of relevant non-bank actors.
The content of the RTS on strong customer authentication and secure communication, which the EBA will be developing in close cooperation with the European Central Bank (ECB), will specify requirements for:
- Strong customer authentication;
- Exemptions from the application of these requirements (based on risk, transaction value and/or recurrence and payment channel);
- Requirements to protect the user’s security credentials;
- Requirements for common and secure open standards of communication; and
- Security measures between the various types of providers in the payments sector.
Strong customer authentication will apply to:
- Access to payment accounts online;
- Initiation of any electronic payment transaction, and;
- Any action through a remote channel that may imply a risk of payment fraud or other abuses, including online or mobile payments.
In essence, core to the RTS will be the development of adequate measures to address security challenges that emerge from enabling third party access to payment accounts for Payment Initiation and Account Information Services (‘XS2A’).
Framing the XS2A security challenge: what problem are we actually trying to solve?
Innopay has been engaged in various discussions on the matter of strong customer authentication. These discussions quite often address similar elements of security and authentication as addressed in the Discussion Paper of the EBA. This is depicted in figure 1 and frames and visualizes the security and authentication challenge that emerges from enabling third-party provider (TPP) access to accounts in case of Payment Initiation and Account Information Services (‘XS2A’).
The RTS on strong customer authentication and secure communication are supposed to address the relationships between actors involved in a transaction and related security components.
Different market actors (third parties, AS PSPs) will wish to employ different security technologies (static/dynamic, classical/emerging, risk-dependent, device fingerprinting, etc.). Merchants will freely choose those actors that best serve their needs. In any scenario authentication options will have to comply with the EBA’s RTS, but in the end it all comes down to what information the AS PSP will receive to base its approval upon.
EBA’s main challenges during the RTS development process
While strong customer authentication will be the rule for remote (e-commerce) transactions, the use of alternative authentication measures will be permitted only by exception. Considering the vested interests of various industry players and existing security practices for payment initiation and account information services, the EBA and ECB will have to make complex trade-offs between various, and even competing, demands.
The stringent PSD2 requirements for strong customer authentication will make authentication a key (strategic) focus for banks, payment initiation and account information service providers, but also for merchants and consumers in Europe. The aim of PSD2 is to reduce fraud in online transactions with strong customer authentication, or, alternatively, a risk-based approach to authentication as long as this is effective in managing fraud. Put differently, a fine balance should be found between security and fraud prevention on the one hand and the convenience of payment initiation and account information services on the other hand. The focus should be on providing customers innovative, safe, simple and consistent consumer experiences in the digital context by balancing these needs taking into account the specific use case (i.e. payment initiation or account information).
This introductory blog is a first of a series on PSD2 XS2A and the work of the EBA. In subsequent blogs INNOPAY’s PSD2 experts will address the following topics:
- EBA mandates under PSD2 and timelines: Relevant milestones resulting from PSD2;
- First analysis of EBA interpretation, point of view and approach based on the contents of and issues raised in the Discussion Paper;
- Describe commonly used authentication models and practices for online and mobile transactions and highlight key elements for consideration in the RTS development process of the EBA.
 Authentication procedure including at least two out of the following three factors: 1) Something only the user knows e.g. passcode or PIN; 2) Something only the user possesses e.g. mobile phone or token; or Something the user is e.g. fingerprint.
 Cross-industry group of payment practitioners from banks, payment service providers, account information providers, payments processors, merchant groups, and other relevant stakeholders in the European payments ecosystem. OTA seeks to define a set of principles covering various essential elements related to PSD2 Payment Initiation and Account Information (XS2A) ensuring its effective and secure implementation on a Pan-EU scale.