Compliance guide to EBA and PSD2

Complying With EBA Guidelines

The European Banking Association (EBA) also has guidelines for all PSPs offering services in the EU, regardless of where they are based. These guidelines are similar to the PSD2 guidelines, and the EBA is working closely with the ECB to develop the regulatory technical standards. This mandate came about following a January 2013 report from the European Forum on the Security of Internet Payments, known as SecuRe Pay. SecuRe Pay had issued a set of recommendations with a proposed implementation date of February 2015. The EBA, as a member of SecuRe Pay, agreed to convert the SecuRe Pay recommendations into EBA guidelines, which in effect makes them legally enforceable, not only within the EU but across the European Economic Area.

Under the EBA Guidelines, “strong customer authentication” is defined as a procedure based on the use of two or more of the following elements, categorized as knowledge, ownership and inherence:

  1. Knowledge, e.g. static password, code, personal identification number.
  2. Ownership, e.g. token, smart card, mobile phone.
  3. Inherence, e.g. biometric characteristic, such as a fingerprint.

The elements selected must be mutually independent. At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously (stealthily) stolen via the Internet.

What BehavioSec offers Merchants & Payment Service Providers (PSPs)
Ultimately, the introduction of “strong customer authentication” presents merchants and PSPs with a dilemma. How do you balance the need to comply with the various guidelines with the need to provide a service that offers customers the frictionless experience that so many demand? How do you ensure strong authentication on PCs, tablets, and mobiles, transparently for customers?

Both the EBA guidelines and the Payment Services Directive, in their definitions of “strong customer authentication”, clearly state that a biometric characteristic is an acceptable form of authentication.

The case for Behavioral Biometrics is clear from the EU Data Protection Directive (also known as Directive 95/46/EC). The directive, adopted by the European Union, is designed to protect the privacy of all personal data collected for or about citizens of the EU, especially as it relates to processing, using, or exchanging such data. Under EU privacy law, natural persons are protected with respect to the collection and processing of their data. “Biometrical data” is categorized as a subset of personal data and is defined as “biological properties, behavioural aspects, physiological characteristics, living traits or repeatable actions where those features and/or actions are both unique to that individual and measurable, even if the patterns used in practice to technically measure them involve a certain degree of probability”. That includes data which is processed by physiological-based and/or behavioural-based techniques. Based on the legislation, the behavioural elements of an individual person, enrolled via keystroke analysis, qualify as biometric data derived from behavioural-based techniques; Behavioral Biometrics is therefore recognized as a valid format and, as such, is sufficient to meet both EBA and PSD2 requirements.

BehavioSec offers PSPs and customers the Holy Grail of being frictionless and secure, on any device. A key factor in the success of BehavioSec is that the customer experiences no change to normal behavior. The customer does not need special hardware, which is necessary for all forms of physical biometrics. Additionally, it meets another key requirement of the Data Protection Directive: behavioral biometrics makes it impossible to profile based on factors such as sex, ethnic origin, and health status, something that is a concern with physical biometrics.

What Is PSD2?

PSD2, the revised Directive on Payment Services, has been officially adopted by the European Commission and is intended to clarify the rules applying to payment providers. The revision deals with many aspects, including, for example, the prohibition of surcharges on card payments regardless of whether the purchase is made in a store or online. Something I’m sure many of us will be pleased to see!

Of specific interest to BehavioSec is the introduction of the legal requirement for PSPs to implement “strong customer authentication”. Strong customer authentication requires that, before a customer completes a transaction, they must be authenticated by two or more elements based on knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). The elements must be independent, so that the compromise of one does not compromise the reliability of the others.

Better Customer Protection
If the PSP does not provide strong customer authentication, then the customer will not incur any financial losses unless, of course, the customer has acted fraudulently. A PSP is required to use strong customer authentication where the customer:

  1. Accesses a payment account online.
  2. Initiates an electronic payment transaction.
  3. Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Additionally, the PSPs must provide strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific customer.
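A worked illustration of the two requirements described above (two or more factors from distinct, independent categories, and an authentication code dynamically linked to the transaction), added here as example code that is not BehavioSec's or the directive's own. The session key, nonce and payee identifier are constructed placeholders; the code is bound to amount and payee, which is the PSD2 technical-standards wording of the "specific amount and specific customer" link.

```python
import hashlib
import hmac
from decimal import Decimal

CATEGORIES = {"knowledge", "possession", "inherence"}


def satisfies_sca(factors):
    """Check the 'two or more elements from distinct categories' rule.

    factors: list of (category, label) tuples presented for this transaction.
    Two factors of the same category (password plus PIN) are not independent
    and do not count as strong customer authentication.
    """
    categories = {category for category, _ in factors}
    unknown = categories - CATEGORIES
    if unknown:
        raise ValueError(f"unknown factor category: {sorted(unknown)}")
    return len(categories) >= 2


def _link_message(amount, payee, nonce):
    # Normalise the amount to cents so "100.0" and "100.00" link identically.
    cents = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    return b"|".join([cents.encode(), payee.encode(), nonce])


def dynamic_link_code(session_key, amount, payee, nonce):
    """Authentication code bound to amount and payee (HMAC-SHA256).

    The nonce (constructed per authentication session) ties the code to one
    session, so a code captured from an earlier transaction does not verify.
    """
    return hmac.new(session_key, _link_message(amount, payee, nonce),
                    hashlib.sha256).hexdigest()


def authorise(factors, session_key, amount, payee, nonce, presented_code):
    """Server-side check: the SCA factor rule AND the dynamic link must hold.

    amount/payee are the values of the transaction actually being executed,
    so any change after the code was issued makes verification fail.
    """
    if not satisfies_sca(factors):
        return False
    expected = dynamic_link_code(session_key, amount, payee, nonce)
    return hmac.compare_digest(expected, presented_code)
```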

If you are interested in more information, please read the full whitepaper.