The proposed PSD3/PSR directive focuses on clarifying and improving how SCA requirements are applied in real-life scenarios. Here’s how the proposal will make SCA more effective.
We previously introduced PSD3, the new and improved version of PSD2 that has been proposed by the European Commission designed to tackle some of the biggest challenges within the digital payments landscape.
If you'd like a refresher, our first post on PSD3 covers:
- What PSD2 has accomplished to date (as well as some of its shortcomings)
- The societal trends and challenges that have prompted the plans for PSD3
- PSD3’s proposed changes to PSD2
Today, we’re taking a deeper look at what PSD3 means for Strong Customer Authentication (SCA). As we’ll explain below, one of PSD3’s main targets is to make it easier for payment service providers (PSPs) to apply SCA requirements.
How Will PSD3 Affect Strong Customer Authentication?
PSD3 focuses on clarifying and improving how SCA requirements are applied in real-life scenarios. It aims to do so through clarifying key definitions, further specifying exemptions for low-risk transactions, and continuing to balance security with the development of user-friendly, innovative, and accessible payment methods.
Here are the components of PSD3 that focus on making SCA requirements more transparent and effective for PSPs:
1. Inclusive SCA methods
PSD3 will require PSPs to ensure that SCA methods are accessible to all users and that the methods are adaptable to users’ various needs and situations. Importantly, these methods shouldn’t rely solely on a single technology, device, or mechanism (for example, the possession of a smartphone) — instead, the SCA methods must apply more than one mechanism. Our new personal security device, Talisman, is the perfect solution for PSPs to achieve compliance with this requirement.
2. Transaction exemptions
PSD3 will clarify the circumstances under which certain types of transactions — including merchant-initiated transactions or those initiated through non-electronic means — may be exempt from SCA requirements. At the same time, safeguards will be introduced to ensure that payers remain protected from fraud.
3. Simplified SCA for account information services
PSD3 will simplify the application of SCA for payment account information services. More specifically, banks will only need to apply SCA on the first access to payment account data by an open banking account information service provider, unless they have reasonable grounds to suspect fraudulent activity. For any later data access, it will be the account information service provider itself that must authenticate the user under the SCA requirements.
4. Digital passthrough wallets
PSD3 will strengthen the use of digital passthrough wallets (in other words, the use of virtual payment cards stored in a wallet) by requiring SCA at the moment a payment instrument is enrolled in the wallet. Carrying out this SCA will be the responsibility of the PSP that issued the instrument.
Article 83: Emphasizing the Importance of Security
PSD3 is actually just one portion of the European Commission’s proposal — it also includes the Payment Services Regulation (PSR), which establishes rules for PSPs to standardize payment services across the EU. The PSR includes an entire entry that’s dedicated to operational and security risks in the authentication process.
This entry, Article 83, requires PSPs to implement transaction monitoring mechanisms that are designed to facilitate the application of SCA and enhance the prevention and detection of fraudulent transactions. These mechanisms are required to analyze payment transactions by considering typical elements of user behavior, such as a user’s location, device, spending habits, and the online store used for the purchase.
Furthermore, PSPs must ensure that their transaction monitoring mechanisms take several risk-based factors into account: lists of compromised or stolen authentication elements, the amount of each payment transaction, known fraud scenarios in payment services, and signs of malware during authentication sessions. Finally, if the access device or software is provided by the PSP, the PSP must log its usage and monitor it for any abnormal activity.
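To make the Article 83 factors concrete, here is an added illustration (not Wultra's product code and not text from the proposal) of a transaction monitoring rule set that combines a payer's behavioural profile with the listed risk factors to decide whether a payment can be exempted from SCA, must be stepped up to SCA, or should be blocked. The profile, the compromised-credential list, the weights and the threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserProfile:
    """Typical behaviour learned for one payer (constructed sample, not real data)."""
    usual_countries: frozenset
    known_devices: frozenset
    usual_merchants: frozenset
    typical_amount: float          # e.g. median of the payer's recent payments

@dataclass(frozen=True)
class Transaction:
    amount: float
    country: str                   # payer location at the time of payment
    device_id: str                 # device used for the payment
    merchant: str                  # online store used for the purchase
    credential_id: str             # identifier of the authentication element used
    malware_signal: bool = False   # set when the client reports signs of malware

# Hypothetical list of authentication elements reported as compromised or stolen.
COMPROMISED_CREDENTIALS = frozenset({"cred-9f3a"})

# Weights and threshold are assumptions for illustration; a PSP would calibrate them
# against its own known fraud scenarios.
WEIGHTS = {"unusual_location": 2, "unknown_device": 2,
           "unusual_merchant": 1, "amount_outlier": 2}
SCA_THRESHOLD = 3

def assess(tx: Transaction, profile: UserProfile, compromised=COMPROMISED_CREDENTIALS):
    """Return (decision, reasons); decision is 'block', 'require_sca' or 'exempt'."""
    # Hard stops: a compromised authentication element or malware signs during the
    # session are never eligible for a low-risk exemption.
    if tx.credential_id in compromised:
        return "block", ["compromised_credential"]
    if tx.malware_signal:
        return "block", ["malware_signal"]
    # Behavioural deviations from the payer's profile accumulate into a risk score.
    reasons = []
    if tx.country not in profile.usual_countries:
        reasons.append("unusual_location")
    if tx.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if tx.merchant not in profile.usual_merchants:
        reasons.append("unusual_merchant")
    if tx.amount > 3 * profile.typical_amount:
        reasons.append("amount_outlier")
    score = sum(WEIGHTS[r] for r in reasons)
    return ("require_sca" if score >= SCA_THRESHOLD else "exempt"), reasons

# Constructed profile for one payer used by the checks below.
PROFILE = UserProfile(frozenset({"CZ"}), frozenset({"dev-1"}),
                      frozenset({"shop.example"}), 40.0)
```

A payment from the usual country, device and merchant for a typical amount is exempted, while a new device in a new country scores 4 and is stepped up to SCA; a known-compromised credential is blocked regardless of the profile.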
Article 83 is a testament to how integral a role security plays in the PSD3/PSR proposal. This is where we step in: Wultra’s solutions are specifically designed to help banks and PSPs comply with PSD3’s regulatory requirements. As the proposed EU directive continues to take shape, we’re here to help businesses prepare for the changes ahead.