As part of its Regulatory Technical Standards, the Payments Services Directive II (PSD2) regulation requires companies that process digital transactions within the European Economic Area (EEA) to comply with Strong Customer Authentication (SCA) and Dynamic Linking.
It applies to businesses whose payment service provider and the paying customer's bank or card provider are both located within the EEA. However, companies whose payment service provider is located outside the EEA but who take payments from customers within the region may still be subject to SCA and Dynamic Linking requirements.
Many organisations have found compliance to be a complex, technologically challenging task. However, integrating the right API technology can help take the complexity out of the process.
What Is PSD2's Strong Customer Authentication?
According to the European Central Bank, by 2016, €1.32 billion had been lost in card fraud, with 73% of this loss occurring in card-not-present transactions (electronic payments). Therefore, the increasing need for improved payment security is clear.
SCA requires electronic payments to be executed with multi-factor authentication to increase security against fraud. While SCA came into force in September 2019, many EEA countries have opted to extend the deadline for its implementation to the end of 2021.
Under SCA, a digital payment can only be processed when two of the following three types of authentication are completed:
Knowledge: This refers to something that only the cardholder knows. It can be a PIN, password, or answer to a security question.
Possession: This refers to a device. It could be the cardholder's mobile phone, smartwatch, or tablet, among others.
Inherence: This refers to biometrics, including fingerprint, facial recognition, and voice.
What Is PSD2's Dynamic Linking?
Like SCA, Dynamic Linking is also intended to increase security against card-not-present payment fraud. In particular, it's a safeguard against malware attacks. Fraudsters can use malware to change transaction information in real time, such as the recipient's bank details or the monetary amount.
Dynamic Linking involves the following:
Issuance of a single-use authentication token that's unique to a specific transaction.
The token is valid for a specific amount and recipient. If there are any changes to the amount or the recipient, a new single-use authentication token must be issued.
The paying party is shown the amount and recipient for their authentication prior to the transaction confirmation.
If there are any changes to the amount or recipient, the authentication code is immediately invalidated.
Difficulties in Complying With SCA and Dynamic Linking
Fully complying with SCA and Dynamic Linking has proven much more difficult for payment service providers than was originally envisaged, which is why the deadline has been extended in many countries. One issue is that many providers, including banks, thought they could use customer data to complete authentication. This would have made two-factor authentication much easier to comply with, but the European Banking Authority released a statement in 2019 that essentially shot down this interpretation.
The reality is that traditional financial institution technology isn't capable of rolling out and processing the complex operations that SCA and Dynamic Linking demand. Developing the API tools and technology required has proven to be a tall order. Moreover, payment service providers may be underestimating the time it takes to become successfully compliant.
Integrating a Customer Verification API for Fast, Secure Compliance
In September 2020, some of the biggest banks in Europe, including Santander and HSBC, signed a pledge to increase fintech collaboration, as Finextra reported. Such alliances can open up opportunities for payment service providers to integrate third-party API technology with their own tech stack. The main advantage of taking this route is that providers get to combine forces with specialist developers without having to create their own solutions in-house.
A best-of-breed verification API provider provides the two main capabilities to comply with SCA and Dynamic Linking: two-factor digital authentication and a single-use token issuance for every electronic payment. Furthermore, aside from efficient compliance, a leading verification API can engender higher levels of trust as it cracks down on fraud and improves conversions.
Integrating a benchmark verification API helps payment service providers meet the SCA and Dynamic Linking requirements that PSD2 presents. By doing so, they avail themselves of specialist fintech development expertise and are able to ensure efficient compliance by the deadline.