PSD2? AliasLab is Ready!

PSD2 – Directive 2015/2366/EU

PSD2, the long-awaited successor of the first Payment Services Directive from 2007, aims to harmonize (as eIDAS does) the European retail payments market, which is still very much fragmented along national borders, and to foster the adoption of innovative, easy-to-use and secure payment and authentication schemes.

The EBA defines SCA, building on the traditional concept of strong authentication (SA): “Strong customer authentication” is defined as “an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others”.

Payment Service Providers (PSPs) must apply it where “the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; [or] (c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses”. Furthermore, “Strong Customer Authentication could include elements linking the authentication to a specific amount and payee. The technology solution enabling the strong authentication data and transaction data to be linked should be tamper resistant”.

For SecurCall Out-of-Band:

  1. knowledge (Username + password);
  2. possession (your phone – MSISDN that identifies the calling number);
  3. and inherence (the voice recognition during the call – “my voice is my identity”).

During the call, to link “the authentication to a specific amount and payee”, a voice prompt reads out the operation and the amount to pay.

For SecurCall SmartOtp:

  1. knowledge (Username + password);
  2. possession (your phone – the OTP is encrypted and sent to the phone, which holds the encryption key);
  3. and inherence (the fingerprint – Touch ID – or the voice recognition “my voice is my identity”).

The transaction description and the “specific amount and payee” are embedded in the notification/QR code sent to the phone (the only device that can decrypt the description).
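The dynamic-linking requirement above (binding the authentication to a specific amount and payee) in working form, as an added example that is not AliasLab's SecurCall code: it assumes a symmetric per-device key shared at enrolment between the phone and the PSP, and an HMAC over the transaction fields as the authentication code; the key and payee values are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for the per-device key provisioned at enrolment
# (assumption: the phone and the PSP share this key; never use a fixed key in practice).
DEVICE_KEY = bytes.fromhex("11" * 32)


def canonical_transaction(amount_cents: int, currency: str, payee: str, nonce: str) -> bytes:
    """Serialise the transaction fields unambiguously so the code binds to all of them."""
    fields = [str(amount_cents), currency, payee, nonce]
    if any("|" in f for f in fields):
        raise ValueError("field separator not allowed inside a field")
    return "|".join(fields).encode("utf-8")


def server_issue_nonce() -> str:
    """PSP side: a fresh, unpredictable nonce per transaction, so a code cannot be replayed."""
    return secrets.token_hex(16)


def device_sign(key: bytes, amount_cents: int, currency: str, payee: str, nonce: str) -> str:
    """Phone side: authentication code over the amount and payee shown to the user."""
    message = canonical_transaction(amount_cents, currency, payee, nonce)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def server_verify(key: bytes, amount_cents: int, currency: str, payee: str,
                  nonce: str, code: str) -> bool:
    """PSP side: recompute over the transaction it is about to execute; constant-time compare."""
    expected = device_sign(key, amount_cents, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo(nonce: str = "") -> dict:
    """Genuine approval verifies; any change to amount, payee or nonce after signing does not."""
    nonce = nonce or server_issue_nonce()
    payee = "PAYEE-IBAN-PLACEHOLDER"  # constructed value
    code = device_sign(DEVICE_KEY, 12500, "EUR", payee, nonce)
    return {
        "genuine": server_verify(DEVICE_KEY, 12500, "EUR", payee, nonce, code),
        "amount_changed": server_verify(DEVICE_KEY, 99900, "EUR", payee, nonce, code),
        "payee_changed": server_verify(DEVICE_KEY, 12500, "EUR", "OTHER-PAYEE", nonce, code),
        "replayed": server_verify(DEVICE_KEY, 12500, "EUR", payee, server_issue_nonce(), code),
    }


if __name__ == "__main__":
    print(demo())
```

The nonce gives each approval a single use; the tamper-resistance the directive asks for comes from keeping the device key outside the PSP's reach of an attacker, which this sketch does not model.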

An additional security layer can be the FingerVein (Hitachi) Strong Authentication Device. It can be used for “important transfers” to secure the transaction even further.

Enrolment for and provision of authentication tools and/or payment-related software delivered to the customer should fulfil the following requirements.

  1. Trusted environment – The related procedures should be carried out in a safe and trusted environment while taking into account possible risks arising from devices that are not under the PSP’s control.
  2. Secure Delivery of Credentials – Effective and secure procedures should be in place for the delivery of personalised security credentials, payment-related software and all internet payment-related personalised devices. Software delivered via the internet should also be digitally signed by the PSP to allow the customer to verify its authenticity and that it has not been tampered with.
  3. Specific StandAlone Registration – For card transactions, the customer should have the option to register for strong authentication independently of a specific internet purchase. Where activation during online shopping is offered, this should be done by re-directing the customer to a safe and trusted environment.

After the eIDAS regulation, this is a further step towards unification of the processes at the European level.


BlockChain Add-on

The authorisation data and the authentication transaction data can be recorded in a BlockChain to ensure immutability and prevent tampering.

Scytale