Payment security: what the new European PSD2 directive improves

The financial world is now digital, “omni-channel”, mobile and borderless, opening the way for new payment methods that meet the needs of consumers who expect increasingly faster and more fluid transactions. And with this come major challenges for payment security! As of 14 September 2019, a new European directive is in force: PSD2. Objective: to enable innovation in the European payments market while securing the growing volume of financial transactions.

Accompanied by the boom in e-commerce, especially via mobile, the volume of payments continues to grow on a global scale, while new types of payment services are emerging and the technical complexity of flows is increasing. According to a research report carried out for Visa and published in 2017, 77% of Europeans now use their phone to carry out their banking transactions and their daily payments. The global payments industry is therefore undergoing unprecedented changes. Technology is redefining the landscape of banks and financial services. But if online purchases are soaring, so are the opportunities for fraud!

Source: ECB, Payment Statistics, 2017

E-commerce - now including mobile payments - is indeed a key target for fraudsters. A global study conducted by PwC in 2018 revealed that 49% of the companies concerned admitted they had been victims of fraud, a 36% increase compared to 2016. In the UK, £140 million was lost in 2012 due to e-commerce fraud. In 2017, this figure had more than doubled. Payment service providers, merchants and regulators must therefore do all they can to strengthen the security of electronic commerce, without jeopardising the fluidity and straightforwardness of customer journeys. 

In this context, Directive (EU) 2015/2366 on payment services in the market, known as PSD2, changes the regulatory framework for payments in Europe. Objectives: to take account of technological progress and enable the emergence of “innovative, secure, and convenient digital payment services”. 

In addition to a stronger payment control system – thanks to double authentication – the directive introduces a new, more open, standardised and secure way of accessing data for two categories of financial players: 

1. payment initiators, who may make payments or withdrawals on behalf of a consumer, with the latter’s consent,
2. aggregators, who have access to client account information and offer services such as expenditure analysis or account consolidation. 

Banking institutions must now make a standard interface available to these players and ensure that they have access to their customers’ payment data. The aim of this measure is to encourage innovation in financial services by facilitating access to this essential data in a secure manner. It also aims to end the current techniques of web scraping, based on the use of customer identifiers and passwords, and considered dangerous. These interfaces will take the form of APIs (Application Programming Interfaces).

BNP Paribas APIs have been in test phase since March 2019 and have been available since July. They comply with the PSD2 regulations and can be used by account aggregators and payment initiators. Initiators can now access the account data of the Group’s customers in order to offer financial services. And they can do this in a completely secure way.

These APIs are accessible from the BNP Paribas API Store Portal.

When making payments, you may at times encounter security controls that take a little longer. In fact, a strong authentication system always includes two steps to verify two elements (and not one) of the following three categories: 

1. something you own: a mobile phone, smart card, token, badge, connected watch, etc.,
2. something you know: a password, secret phrase, secret question, PIN code, etc.,
3. something you are: fingerprint, facial and voice recognition, iris scanning, typing analysis, etc.

For four years, BNP Paribas has implemented a strong authentication system to guarantee its customers’ purchases: the digital key, a free service to strengthen the security of all online transactions.

Are there exceptions to these new security rules? Yes, a few, such as low value transactions (€50 for contactless), recurring payments (subscriptions) or split payments, tolls and parking, etc., for which strong authentication is not required.