The Revised Payment Services Directive (PSD2) is poised to revolutionize the payment services industry. Its underlying principles mean that industry participants will have to innovate in product structuring, service delivery and user experience, and optimize their costs, in order to retain market share.
The PSD2 Directive is supported by other initiatives which promote innovation in customer experience with their own revolutionary leaps in transactional security: the eIDAS Regulation provides pan-European, cross-border mechanisms for customer authentication and for ensuring trust, while technical standards define just what it means to have Strong Customer Authentication (SCA).
Together, these directives all work towards the singular goal of making the payments industry in Europe safer, faster, cheaper and more convenient. The underlying foundations of all these initiatives are based on the following principles:
- When it comes to payment transactions, the key elements of Strong Customer Authentication must be achieved. This can be done in multiple ways and requires a combination of factors: something the user knows, something the user is, and something the user has access to.
- Technological neutrality is at the core of what the eIDAS Regulation and the Regulatory Technical Standards stand for. This means the regulation does not prescribe a specific technical implementation. Neutrality can be achieved through various means to ensure cryptographically secured authentication, and this is where tools like Hardware Security Modules (HSMs) can really boost security and efficiency. Utimaco’s CryptoServer CP5 HSM is the first such module in the market to receive the Common Criteria (CC) EAL4+ certification based on eIDAS Protection Profile EN 419 221-5. EN 419 221 specifies a “Protection Profile for cryptographic modules which is intended to be suitable for use by trust service providers supporting electronic signature and electronic sealing operations, certificate issuance and revocation, timestamp operations, and authentication services, as identified by” the eIDAS Regulation.
- It is not enough just to secure the transactions themselves and prevent unauthorized ones; it is also important to secure sensitive data (like account information, balances etc.) from being leaked.
- Customer experience and convenience must be placed at the forefront without compromising security. While adding more security can sometimes make transaction initiation cumbersome, these directives are inherently designed to overcome some of the related burden. For example, the accessibility of various bank accounts from one single platform – made available by Account Information or Payment Initiation Service Providers (AISPs or PISPs) under PSD2 – can make managing your finances much easier. So rather than having to remember four distinct passwords for four bank accounts, you just need one password and e.g. a One-Time Password delivered to your phone to access all four accounts through a single portal or app. That is just a very obvious example of the limitless possibilities that PSD2 offers.
- Monitoring, risk analysis, and regular audits are also key elements of reliable security. Today’s systems can monitor thousands of concurrent transactions in milliseconds and detect suspicious activities. HSMs can provide a much-needed boost in efficiency.
- There are also provisions for exceptions such as low-value transactions, recurring payments, B2B transactions where corporate clients want to use bespoke authentication mechanisms, and so on. These might seem trivial, but such exceptions make sense following the 80-20 Pareto principle for low-volume or recurring (subscription) payments.
A deeper analysis of all the recent European Directives for the payments industry reveals that there is a great symphony at play here. Companies like Utimaco have recognized this: “With eIDAS, the European Commission is looking to stimulate the digital market in Europe. Being the first HSM vendor certified according to Protection Profile EN 419 221-5, Utimaco helps pave the way for compliant and highly secure trust services today and in the future. These ambitions are also reflected in an increasing number of current and upcoming partner projects.”
The sum total of all of these taken together – EU initiatives and business participation – paves the way for a true Digital Single Market across national borders in Europe, with innovative products and services, improved customer experience and, nonetheless, appropriate security measures.
References and further reading
- REGULATION (EU) No 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and repealing Directive 1999/93/EC (28.8.2014), by the European Parliament and the Council
- COMMISSION DELEGATED REGULATION (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 with regard to Regulatory Technical Standards for Strong Customer Authentication and Common and Secure Open Standards of Communication (27.11.2017), by the European Parliament and the Council
About the author
Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 to 2015, he was an associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership by KIT and IBM, where he researched network effects around web platforms together with SAP Research.