Alán Alcoverro Jun 10, 2020 8 min read

PSD2: Where is it now?

PSD2 is the EU’s Second Payments Services Directive. The regulation focuses heavily on consumer protection, and aims to increase the safety of and scope for innovation amongst payments services.

This is obtained through three ways:

  • Enhancing customer rights
  • Enhancing security through Strong Customer Authentication (SCA)
  • Enabling third-party access to account information to promote new players in an open banking landscape

Whilst the majority of the regulation has already come into effect, full implementation of the second part of the directive – enhancing security through SCA – has been delayed until 31st December 2020.

In addition, the global pandemic has, unsurprisingly, not helped the already slow progress of PSD2’s full implementation.

Changes in consumer behavior has hit the payments industry hard, and the UK’s Financial Conduct Authority (FCA) has already delayed enforced implementation of SCA by six months to 14th September 2021, whilst members of the European Payment Institutions Federation (EPIF) have signed a letter to the European Banking Authority (EBA) asking for a similar extension.



What is SCA and why is it important?

Strong Customer Authentication is required through PSD2 every time someone attempts to pay online or access their online banking services.

The authentication must be carried out by the Payment Service Provider (PSP), and must occur through at least two different factors that satisfy two of the following three categories:

  • Possession – something the user has e.g. their device
  • Knowledge – something the user knows e.g. a password or PIN
  • Inherence – something the user has e.g. physical biometrics such as a fingerprint, or behavioral biometrics

Multi-factor authentication, where different methods of authentication are layered together in this way, inevitably leads to a more secure transaction or online banking session, as the breach of one factor will not lead to a compromise in the reliability of another, as each factor is independent.

The pandemic, which has reduced industry capacity to implement SCA, has simultaneously seen a jump in online banking fraud, especially phishing attacks that exploit the pandemic itself.

For this reason, from a payments and online banking fraud perspective, further delay to SCA’s implementation is a cause for concern – consumers need this protection now.


The effect of SCA on customer experience

The issue for PSPs is that the focus of PSD2, and SCA in particular, on consumer protection will lead to a shift in the industry towards stronger cybersecurity and away from prioritizing a positive customer experience.

Having to implement SCA and therefore re-authenticate customers using multiple factors will add friction to their experience.


What is Transaction Risk Analysis (TRA) and how can it help banks?

There is a provision within PSD2 to help banks manage the balance between fraud reduction and a positive customer experience: Transaction Risk Analysis.

In some instances, TRA can be used to secure payments (as long as PSPs keep their fraud rates low enough). TRA is a method of identifying the risk of fraud by observing behavior of the parties involved in the transaction.

TRA’s advantage is that the analysis happens in real time, but is invisible to the user. This means no friction is added to the user journey, whilst a second factor of authentication is still occurring, satisfying both SCA and PSD2.


Mitigating the effect of SCA on the Customer Experience

Banks and other payment service providers will have to fulfil SCA, whether it is now or next year, and they need to find a way to balance the added security with a positive user experience. This means authenticating customers in the fastest and least obtrusive way possible.

Happily, there is a solution that can fulfil the criteria of both SCA and TRA, whilst adding no extra friction to the customer experience.

A solution incorporating behavioral biometrics can perform continuous analysis around thousands of parameters relating to banking customers. It uses these parameters, such as the typical way in which a user moves their mouse, types, or even the angle at which they usually hold their mobile phone, to build unique ‘profiles’ for each and every user.

Their behavior during each session and other contextual information, such as their usual devices, geolocations and networks, can be compared to their typical online profile, detecting the smallest of anomalies that might point to fraud.

In this way, a risk score can be produced, informing the bank’s analysts in real time of the risk of online banking fraud, in other words, a transaction risk analysis.

When combined with deep learning technology, such a solution can authenticate a user invisibly and throughout their entire online banking session, meaning a factor of authentication (in this case inherence) under SCA is fulfilled with no action required from the user themselves.

Behavioral biometrics are the key to ensuring comprehensive fraud protection for customers, compliance with SCA and PSD2, and a frictionless online user experience.


Alán Alcoverro

Alán is a Solutions Architect at Revelock. With over 12 years of professional experience acting as a Solutions Engineer / PreSales in companies such as IBM, SCC, Allot Communications and Riverbed, he owns a transversal and integrated view of the IT world and all the digital challenges this implies for any company size, being Cybersecurity his main focus along the way. He is the main contact person for all technical items related with our Revelock online fraud prevention solution, for both current and future customers, generating at the same time new business opportunities within the EMEA region whilst offering highly efficient solutions for all challenges we face every single day related with cybercrime.