
Fraud and Security: 2FA Considerations for PSD2

Raili Liiva

10 Oct 2017

5 min read


The second Payment Services Directive (PSD2) is less than three months away from enforcement. While the regulation’s text is lengthy, a key component of the law is its extended reach in comparison to the first directive. PSD2 applies to all payment service providers and affiliates, including account information service providers and payment initiation service providers. In addition, the law applies when at least one part of the transaction is in the European Union. This means that payment service providers and their affiliates outside of the EU must comply with the law when the payer is in the EU. The additional geographical reach guarantees the same level of security expectations for all EU residents regardless of the location of the payment service provider.

Strong authentication requirements updated

The idea of PSD2 is to give consumers more rights over their data and security. Before PSD2, if a user had a weak password and was hacked, it was the user’s fault and the user’s problem. Hopefully the firm worked with the user to restore any losses that resulted from the hack, if only for the sake of PR. However, the new directive puts the responsibility for strong customer authentication (SCA) on payment service providers and their partners. Yes, that means that if a user has a weak password, no two-factor authentication, and is hacked, blame is placed on the firm providing the service. And the firm must restore any losses the customer suffered by the next business day.

Change signup and login processes to force 2FA

The shift in responsibility will likely encourage any firm that handles payments, or sends and receives funds in any way, to force two-factor authentication. While the number of firms offering 2FA has increased in the last few years, it’s often hard to find where to enable it, and it’s not necessarily encouraged; rather, the option is there if the user wants it, somewhere in the account settings. Users who do not use 2FA see it as inconvenient and do not believe that they are at risk (they are, though). Thus, firms do not want to force 2FA.

It’s time to change that.

The basic definition of “strong customer authentication” is presented in article 4(30) of PSD2. It states that authentication must be based on the use of two or more possible authentication elements, categorized as:

knowledge (something only the user knows, such as a password),
possession (something only the user possesses, such as a mobile phone), and
inherence (something the user is, such as a fingerprint).

How does a firm “force” 2FA? Well, take two elements from the list above: knowledge and possession. As the username and password are already part of the sign-up and login process (knowledge), require that users provide a mobile phone number so that the service can send an SMS PIN code to the device (possession). If current users have not provided a mobile phone number, ask for it at their next login and verify the number immediately.

Next, direct the user to the account page, encouraging them to use a time-based one-time password (TOTP) app like Verigator and begin using TOTP codes to authenticate. This part would be difficult to force, but TOTP is more secure than SMS PIN codes. However, SMS is better than only using a password and proves possession. Also, the authentication process can trigger an SMS PIN code every time a user logs in, no matter what, so it’s simple to get this process started as a bare minimum for 2FA.

We've always recommended that users use 2FA every time they log in and again when they execute a sensitive transaction, like a payment. In January 2018, 2FA will be mandatory by law. 

And firms don’t have to build this from the ground up. We have the tool set ready to be deployed: both TOTP and SMS with one API, the 2FA user interface (yep, that doesn’t have to be built either), and a user app that automatically syncs with any service the user uses that is also built on our API.

The second Payment Services Directive (PSD2) impact: Read the full report.


Raili Liiva

Sales Researcher

Raili leads Messente's 2-factor authentication solution and takes care of our SMS API clients. She is passionate about online security and is helping businesses protect their user accounts against hijackings.




