PSD2 Compliance

One of the key changes that the Revised Payment Service Directive (PSD2) brings is the introduction of new players: third-party Payment Service Providers (PSPs), such as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). This will bring more choices for end users. For the banks this is a new challenge: to keep their users (or even attract more), they must provide customers with solutions that are not only secure and PSD2 compliant but also easy to use.

As the world’s leading supplier and provider of digital security solutions, FEITIAN provides identification solutions to many of the world’s leading banks and can help banks achieve PSD2 compliance.

Timeline

Zetes is currently the manufacturer of the Belgian eID card, which is supplied to every citizen in Belgium. The card authenticates the end user on over 500 websites, ranging from taxes and pensions to universities. Initially Zetes had a few requests to be able to authenticate with the eID card on mobile devices, specifically iOS devices such as iPhone and iPad. Zetes identified a new area of business but had no solution.

Zetes faced a significant challenge in supporting the Belgian eID card on mobile devices. The first component implemented was the iR301U reader for the cards. This was clearly shown to work on mobile devices, but the middleware needed to read the Belgian eID card and authenticate on mobile devices was still lacking.

Zetes has mature technology for reading its eID card, including card identification and authentication for specific websites on the PC platform, but it had no experience on the mobile side. Supporting users of the eID card on mobile devices required developing a secure browser that allows verification and authentication with government websites.

Zetes then contacted FEITIAN and provided test eID cards for integration.

PSD2 Compliance with FEITIAN

To achieve PSD2 compliance, the following two requirements must be fulfilled:

Strong Customer Authentication

One of the key security requirements for PSD2 compliance is the adoption of Strong Customer Authentication (SCA) for all electronic transactions. Under PSD2, two-factor authentication (2FA) becomes mandatory: the identification result must be based on two (or more) independent factors out of the following three: (a) something you have, such as a token or mobile device; (b) something you know, such as your PIN; and (c) something you are, such as a fingerprint or iris.

FEITIAN’s identification solution provides multiple options for banks to adopt for 2FA, including hardware authenticators (such as OTP tokens, OTP display cards, PKI key fobs, FIDO U2F and FIDO2 security keys) and mobile authenticators (mobile OTP).

Dynamic Linking

Dynamic Linking is a new concept introduced by the RTS: for payment transactions, the authentication code must be dynamically linked to the transaction details (the transaction amount and the payee). This prevents man-in-the-middle attacks in which an attacker modifies the transaction amount or the payee after the payer has authenticated with an authentication code that is not dynamically linked.

FEITIAN has both hardware and software solutions that comply with the dynamic linking requirements:

Transaction-signing OTP Token/Card

Users input the payee account number together with the transaction amount, and the OTP token/card generates an authentication code based on the payee, the amount and the time.
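The following Python sketch is an added example, not FEITIAN’s token firmware or server code. It shows how a dynamically linked authentication code binds the payee, the amount and the time step, and why the bank-side check fails when either the amount or the payee has been altered after signing. It assumes an OCRA-style HMAC construction, a shared secret, a 30-second time step and a constructed sample IBAN, all chosen for illustration.

```python
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per time step (assumption, OCRA/TOTP-style)
DIGITS = 8       # length of the displayed code (assumption)

def transaction_code(secret: bytes, payee: str, amount_cents: int, step: int) -> str:
    """Derive a code bound to payee, amount and time step (dynamic linking).

    The same function runs on the token (to display the code) and on the
    bank server (to recompute it), so both sides must agree on the exact
    encoding of the transaction details.
    """
    msg = b"|".join([payee.encode("utf-8"),
                     str(amount_cents).encode("ascii"),
                     struct.pack(">Q", step)])
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation to a fixed number of decimal digits
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** DIGITS:0{DIGITS}d}"

def verify(secret: bytes, payee: str, amount_cents: int, code: str,
           now: float, window: int = 1) -> bool:
    """Bank-side check: recompute the code for the transaction the bank will execute."""
    step = int(now // TIME_STEP)
    # Allow one step of clock skew either side; a wider window weakens replay resistance.
    for s in range(max(step - window, 0), step + window + 1):
        expected = transaction_code(secret, payee, amount_cents, s)
        if hmac.compare_digest(expected, code):
            return True
    return False

def demo() -> dict:
    """Sign one transaction, then try to execute tampered ones with the same code."""
    secret = b"constructed-demo-secret-not-real"   # constructed sample key
    now = 1_700_000_000.0                            # fixed clock for a repeatable run
    payee, amount = "BE71096123456769", 12_500       # constructed IBAN, EUR 125.00
    code = transaction_code(secret, payee, amount, int(now // TIME_STEP))
    return {
        "genuine": verify(secret, payee, amount, code, now),
        "amount_tampered": verify(secret, payee, 99_000, code, now),
        "payee_tampered": verify(secret, "BE00000000000000", amount, code, now),
    }

if __name__ == "__main__":
    print(demo())
```

The bank must recompute the code over the transaction it is actually about to execute, not over values echoed back by the client; otherwise the linking offers no protection.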

PKI Key with LCD

The LCD can display all transaction details, such as the amount, the payee account or even the payee’s name, so users can double-check the transaction information and then sign the transaction.

Mobile OTP

With FEITIAN mobile OTP, users scan the QR code displayed on the online banking page to obtain the transaction information (payee, amount, etc.), so there is no need to input it manually, and then generate the authentication OTP code.