Are you ready for the EU Payment Services Directive?
Banks must soon open their payments infrastructure and customer data assets
From September 14th next all banks in Ireland will be required to open their payments infrastructure and customer data assets to other payment organisations. The banks will also have to open up their application programming interfaces (APIs) to third parties, meaning that you could give other payment systems like PayPal direct access to your bank account if you wish.
This is the result of the revised EU Payment Services Directive (PSD2), otherwise known as the open banking directive, which aims to create a level playing field for all payment services providers as well as offering enhanced security and stronger consumer protection.
There are other aspects as well, according to Ulster University professor of cybersecurity Kevin Curran. “The regulators have to protect consumers. In some ways, if you go through PSD2 it can nearly be seen as a parallel with GDPR. It requires increased transparency, openness, clear terms and conditions, complaints to be resolved in a timely manner, and prompt incident reporting. It very much does what we all want – more transparency, timely resolution of customer complaints, and banks not holding onto money for long periods.”
That enhanced security is delivered through strong customer authentication (SCA), the new requirement for extra levels of authentication from European shoppers when making a payment. Instead of just a card number and a CVC verification code the shopper will now require an additional piece of information.
This is also known as two-factor authentication and most people will have received notifications from their bank and credit card providers in relation to it by now. “It’s based on something you have and something you know, that’s best practice,” says Curran.
That means combining something you have, such as a fingerprint or your face, with something you know, such as a password. We still have to be careful even with this added layer of protection, however.
“Biometrics can always be broken,” says Curran. “Fingerprints can be scanned, and you can copy a face. The gold standard is iris scanning but that is not on our phones yet. We should use passwords we cannot remember and use a password manager to store them. Best practice is a piece of hardware that generates a new password each time.”
But the banks are adding their own security layers in the background as well, he points out. “They are applying artificial intelligence to security. They know your geographic location and you will probably get a verification phone call if you are in an unusual location.”
Owen Lewis, a management consulting partner with KPMG who is working as part of the firm’s global payments team, believes that smart use of data will become even more important in future. “While real-time payments and open banking are opportunities for financial services companies and their partners, there is also a growing threat of cyber-attacks, data breaches, and fraudulent activity, potentially outpacing and outsmarting today’s existing security capabilities”, he says.
“On the tipping scale of function versus security, enhanced data capabilities will be critical to striking the right balance between improved customer experience and heightened safety and soundness of the financial system.”
PSD2 will make new payment systems from fintech players more secure, according to Robert Doherty, director of product and scheme compliance at AIB Merchant Services. “As new payment methods emerge, they will all offer something to consumers,” he says. “PSD2 will make the banks open up their rails and that will reduce fraud levels. Any new payment method will have to have a good security level to succeed.”
Security is important to merchants as well and the new systems combined with existing infrastructure could prove very attractive in certain instances. “When we speak to large merchants and ask them what would make them support another payment type they tell us it would have to be fast, secure, frictionless, and cheap. But there is more to it. They might also want the payment system to provide age verification. Gaming providers may want that. Large delivery companies may want address verification and mobile phone numbers. This offers merchants another very important level of security.”