The revised EU Payment Services Directive (PSD2) introduces a number of new requirements that have a massive impact on the finance industry. Aside from the open APIs that need to be provided (and secured), the defined requirements for strong authentication of payments are the most challenging new regulatory requirement.
PSD2 mandates the use of multi-factor authentication (MFA), concretely two-factor authentication based on different devices (2FA), for all payments above 10 €. It does not allow relying solely on one-factor authentication combined with risk-based analytics. This has drawn heavy criticism of the EBA. However, instead of criticizing, what organizations need to do is find the solution that works for them, both meeting the regulatory requirements and really mitigating risks.
Notably (and fortunately), PSD2 does not prohibit the use of risk-based authentication; it merely requires that authentication rely on at least two factors. Furthermore, PSD2 does not go into detail regarding the strength of the two factors, giving providers a broad variety of options for implementing their authentication approach. Thus, neither banks nor credit card companies nor other payment providers need fear for their business: they can meet the PSD2 requirements and reduce their fraud risk.
This session will look in detail at the requirements for strong authentication introduced by PSD2 and their impact on the various groups of payment providers, and will propose concrete approaches for each of them to meet these requirements.