Online payments: stronger customer authentication by the PSD2


From the 14th of September 2019, the second European Payment Services Directive (PSD2) implements new security requirements for authenticating online payments.

The second European Payment Services Directive (PSD2) aims to better protect European consumers against fraud and payment incidents, and to modernise electronic means of payment. The PSD2 partially entered into force in January 2018, but the requirements on online payment authentication come into effect this month.

The current authentication systems: 3D Secure and its limits

Currently, the most common authentication system for online payments is called 3D Secure. Its principle is quite simple: when paying for a purchase online, the credit card owner receives an SMS from his bank containing a unique code. He must enter this code on the device used for the purchase in order to complete the payment.

Implemented in 2008, 3D Secure has faced several security issues and no longer guarantees the security of consumers. The system is based on the hypothesis that the first person to read the SMS will necessarily be the credit card owner, but this assumption has been bypassed in many cases of fraud. The following cases are only some examples of the risks linked to 3D Secure:

  • a malicious person (coworker, relative…) has access to your credit card and your mobile phone for a few seconds, and can read and delete the SMS sent by your bank;
  • spyware has been installed on your smartphone and the attacker gets access to your device content;
  • your phone number has been hijacked through a call transfer.

The PSD2 requires strong customer authentication to strengthen consumer security

The European Directive PSD2 now requires banks and e-merchants to reinforce their authentication systems for online payments higher than 30 euros, but also for online access to bank accounts. The user's identity must be verified by at least two of the following three factors:

  • a knowledge factor: the payer provides a piece of information that only the credit card owner should normally know: a code or password, personal data, etc.
  • a possession factor: the payer must possess something owned by the credit card owner, for instance a mobile phone or a token device.
  • an inherence factor: anything that is closely linked to the card owner, such as his fingerprint, his voice or facial recognition.

The 3D Secure system currently uses only one of these three factors, which is the possession factor (possession of the mobile phone). This system is therefore not compliant with the requirements of the PSD2.

Banking institutions will probably comply with the PSD2 by using both the knowledge and the possession factors. This is the case when the payer must enter a code in the bank's mobile app to complete a payment: he must be in possession of the smartphone with the right app, and he must know the personal code required. In France, these requirements are already operational in several banks: BNP Paribas and its “Clé Digitale”, Société Générale and its “Pass Sécurité”, or Crédit Mutuel with its “Confirmation Mobile”. However, these systems are not yet compulsory for customers, but they should become so quite soon.
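The rule described above (two of three factor categories, required for online payments above 30 euros and for account access) is easy to get wrong in practice: two elements from the same category, such as a password plus a security question, do not add up to strong customer authentication. The following Python snippet is an added example, not code from the original post or from any of the banks named: it tags each piece of evidence with its category, checks that at least two distinct categories are present, and applies only the 30-euro threshold stated in the post (the directive's other exemptions are deliberately left out). The scenarios, the `Evidence` type and the `authorise` function are constructed for illustration; the password-plus-security-question case goes beyond the post's own examples to show why category diversity, not element count, is what matters.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Factor(Enum):
    """The three PSD2 authentication categories."""
    KNOWLEDGE = "knowledge"    # something only the payer knows (PIN, password)
    POSSESSION = "possession"  # something only the payer has (phone, token)
    INHERENCE = "inherence"    # something the payer is (fingerprint, face)


@dataclass(frozen=True)
class Evidence:
    """One authentication element presented by the payer (hypothetical type)."""
    name: str
    factor: Factor


def distinct_factors(evidence: Iterable[Evidence]) -> set:
    """Return the set of categories covered by the presented elements."""
    return {e.factor for e in evidence}


def meets_sca(evidence: Iterable[Evidence]) -> bool:
    """Strong customer authentication: at least two DISTINCT categories.

    Counting elements would wrongly accept two knowledge items; counting
    categories is what the directive requires.
    """
    return len(distinct_factors(evidence)) >= 2


def requires_sca(amount_eur: float, account_access: bool = False) -> bool:
    """Encodes only the threshold the post states: online payments above
    30 euros, and any online access to the bank account. Other PSD2
    exemptions (assumption: ignored here) are not modelled."""
    return account_access or amount_eur > 30.0


def authorise(amount_eur: float, evidence: Iterable[Evidence],
              account_access: bool = False) -> bool:
    """Hypothetical decision function: allow the operation if SCA is not
    required, otherwise only if the presented evidence satisfies it."""
    if not requires_sca(amount_eur, account_access):
        return True
    return meets_sca(evidence)


# Constructed scenarios mirroring the post.
SMS_ONLY = [Evidence("one-time code sent by SMS", Factor.POSSESSION)]
TWO_KNOWLEDGE = [Evidence("password", Factor.KNOWLEDGE),
                 Evidence("security question", Factor.KNOWLEDGE)]
APP_PIN_ON_PHONE = [Evidence("enrolled bank app on smartphone", Factor.POSSESSION),
                    Evidence("personal code typed in the app", Factor.KNOWLEDGE)]
FINGERPRINT_ON_PHONE = [Evidence("enrolled bank app on smartphone", Factor.POSSESSION),
                        Evidence("fingerprint", Factor.INHERENCE)]


if __name__ == "__main__":
    for label, ev in [("SMS only", SMS_ONLY), ("two knowledge", TWO_KNOWLEDGE),
                      ("app + PIN", APP_PIN_ON_PHONE), ("app + fingerprint", FINGERPRINT_ON_PHONE)]:
        print(f"{label:18s} categories={sorted(f.value for f in distinct_factors(ev))} "
              f"SCA={'ok' if meets_sca(ev) else 'NOT met'}")
    print("45 EUR with SMS only ->", authorise(45.0, SMS_ONLY))
    print("20 EUR with SMS only ->", authorise(20.0, SMS_ONLY))
```

Running the script shows the post's assessment in code form: the SMS-only flow covers a single category and is rejected once the amount passes the threshold, while the app-plus-PIN flow the French banks use covers two categories and is accepted.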

The use of the inherence factor should appear later, due to its higher technical complexity and the ethical issues it may raise.

No sanctions until 2022

In force since the 14th of September 2019, these requirements will only become mandatory in 2022. In the meantime, there won’t be any sanctions for banking institutions or e-merchants that do not comply with the PSD2. Banks should be able to upgrade their authentication systems quite quickly. The challenge is bigger for online merchants, especially when we know that 25% of them don’t offer 3D Secure yet, even though this system has existed for more than ten years… We may also wonder how websites located outside the European Union will comply with the PSD2.