
PSD2 Security Regulations

Zoran Šljivić, Senior Software Developer

Before open banking was introduced, some financial services companies relied on the widespread practice of ‘screen scraping’ to provide services that PSD2 regulation and open banking will now enable, but in a secure way.

Screen scraping is the act of copying the data displayed on the screen. Until now, this is how some applications have offered access to account data from multiple banks. In that case, however, users had to trust the application they were using, because no law protected them from the theft of their data (password, account number, etc.).

In this blog post, we will briefly present how users are protected by the PSD2 regulation. If this is the first post you are reading about PSD2 or open banking, please get acquainted with the basics in our previous blog post.

In terms of security, the PSD2 regulation stipulates that every transaction created by the user that exceeds €30 must meet SCA (Strong Customer Authentication): the customer is authenticated through 2FA (two-factor authentication), meaning the customer must satisfy specific criteria from at least two of the following three categories:

1. Knowledge – something the customer knows (PIN or password)

2. Possession – something that the customer owns (mobile phone, watch, token)

3. Authenticity – biometric characteristics of a specific customer (fingerprint, face, voice)
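The rule above, written out as a small policy check. This is an added example, not code from the original post; the authenticator names and their mapping to the three categories are assumptions chosen for illustration. The point it makes explicit is that two authenticators from the same category (a PIN plus a password) do not count as two factors, and that the €30 threshold only applies to amounts that exceed it.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"        # something the customer knows
    POSSESSION = "possession"      # something the customer owns
    AUTHENTICITY = "authenticity"  # biometric characteristic of the customer


# Constructed mapping of concrete authenticators to PSD2 categories.
# The names are assumptions for this example, not from any standard or product.
AUTHENTICATOR_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "physical_card": Factor.POSSESSION,
    "registered_phone": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.AUTHENTICITY,
    "face": Factor.AUTHENTICITY,
    "voice": Factor.AUTHENTICITY,
}

SCA_THRESHOLD_EUR = 30.0  # SCA is required for amounts that exceed this value


def categories_covered(authenticators):
    """Return the set of distinct factor categories satisfied by the authenticators."""
    unknown = [a for a in authenticators if a not in AUTHENTICATOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown authenticator(s): {unknown}")
    return {AUTHENTICATOR_CATEGORY[a] for a in authenticators}


def requires_sca(amount_eur):
    """Only transactions above the threshold fall under the SCA requirement."""
    return amount_eur > SCA_THRESHOLD_EUR


def sca_satisfied(authenticators):
    """SCA holds when at least two different categories are covered."""
    return len(categories_covered(authenticators)) >= 2


def authorise(amount_eur, authenticators):
    """Decide whether the transaction may proceed and explain why."""
    if not requires_sca(amount_eur):
        return True, "below SCA threshold"
    covered = categories_covered(authenticators)
    names = ", ".join(sorted(f.value for f in covered)) or "none"
    if len(covered) >= 2:
        return True, f"SCA met: {names}"
    return False, f"SCA not met: only {names}"


if __name__ == "__main__":
    print(authorise(120.0, ["pin", "password"]))          # rejected: one category
    print(authorise(120.0, ["pin", "physical_card"]))     # accepted: knowledge + possession
```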

A good example would be shopping in a local retail chain and paying by credit card.

Here, the physical card satisfies the second factor – possession, while knowing your PIN satisfies the first factor – knowledge. If you are a frequent guest in the same store, the likelihood that the cashier already recognises you from your previous X purchases satisfies the third factor – authenticity.

For online shopping, where there is no cashier who already knows you, meeting the PSD2 regulation requires implementing a security protocol that includes an additional level of verification of card ownership.

This is where the 3D Secure 2.0 (3DS2) protocol comes into play. It provides SCA (Strong Customer Authentication) and enables various ways of two-factor verification. One example is an OTP (one-time password), which is used as a knowledge factor, while the biometric factor is satisfied by a fingerprint or Face ID. One-time passwords can be delivered in various ways, such as e-mail, text message, or a mobile token. Each card company chooses its preferred method of client authentication.

2FA, or two-factor customer authentication, certainly adds one more step to the purchase process, but in return the user can be sure that the risk of identity theft is minimised. Of course, someone can steal your card information, but to make a purchase above €30 they would also have to meet the other criteria we have just listed, which are prescribed by the PSD2 security regulations.

An example of an application that already has 2FA built in is KeksPay. Another example you have probably come across: when shopping online, after entering the number of the card you want to pay with, the site redirects you to a confirmation in your mobile banking application, where you must log in with a PIN or fingerprint and confirm the push notification forwarded to you by the web store where you are making the purchase.

You can read more about the recommended guidelines at the link.

In the past, customers' information held by the bank was shared only with government organisations, under laws that required banks to share it. One example is the Tax Administration, with which the bank had to share the information. Before the adoption of the PSD2 regulation, however, a non-governmental company such as a telecom provider or a start-up could not access this information.

Of course, to access this information, they must first register as a service provider of one of the following kinds:

  • PISP – Payment Information Service Provider
  • AISP – Account Information Service Provider
  • Both PISP and AISP

A PISP is a service provider that can execute a payment transaction on behalf of a customer. This means that it can withdraw money directly from your account, as long as you have given your consent. If you have more than one bank account, you can choose which account the money is withdrawn from.

An AISP is a service provider that has access to bank account information but cannot move money from one account to another. It has no authority to create a transaction, only to view the data on the account.

A start-up that registers as an AISP can develop an application that offers its customers an overview of all their accounts at different banks in one place. The user would no longer have to log in to the mobile applications of each bank, but could log in to a single application that shows the accounts held at all of them. One potential scenario is that this application could advise the user on where it is best to take out a loan or make a deposit.

For any of this to be possible, a user who chooses to use such an application must give that application consent to access the bank account. This is where the security rules of the PSD2 regulation come in. In this way, clients are protected from the potential scams that screen scraping has made possible until now.

Serengeti, with its expertise, positions itself as a potential solution integrator for companies that decide to take the step of becoming an AISP or PISP service provider.

If you want to know more about our expertise, check out our Finance Expertise Sheet.

Let's work together

The project was co-financed by the European Union from the European Regional Development Fund. Serengeti ltd is solely responsible for the content of this website.