Here's a brief overview of what's coming up in this blog:

Picture yourself in Monty Python’s Holy Grail, except the bridge keeper doesn’t ask three questions. He wants something you know, something you possess and something you are for safe passage into the digital realm.

If you don’t want to fall into the Gorge of Eternal Peril filled with data breaches and fraud, follow us on our quest to secure transactions based on the EU’s latest 2FA requirements in the EU for payment processing.

2FA with laptop and smartphone

What Counts as Strong Customer Authentication, and Who Needs To Worry About It?

Maybe you’ve already encountered the claim that a platform or bank was using strong customer authentication. What this usually refers to is a strong authentication protocol based on two or more elements. Since you’ve been around, you already know that you don’t have to rely on passwords alone.

You can use a phrase, a thumbprint, a device and other techniques. The point is, to be considered strong, authentication requires a combination of different technical approaches.

  • Something only you know
  • Something only you possess
  • Something you are (we trust you’re unique enough to drop the “only”)

The reason why you’ll want to combine two or more of these security measures is that the breach of one doesn’t compromise the others’ reliability. There, you’ve just learned about the EU’s requirements for a combination of knowledge, possession and inherence for confidentiality, per the Revised Payment Services Directive (PSD2).

Why should you care about all of this? Because it already affects everybody handling online transactions of EU citizens. The 2007 directive applied exclusively to EEA payments, with third-party payment services being excluded. However, the current version changed that to protect EU citizens during international transactions and further fintech collaborations.

That means the regulation now covers: 

  • Payment service providers
  • Payment initiation services 
  • Account information services
  • E-commerce processing

Now that we’ve covered the legalese, let’s go into more detail on how the most recent directive will affect your day-to-day.

Lock with Globe in a digital abstract setup

How the 2018 Payment Services Directive Changed Payment Processing Forever

PSD2 and GDPR both aim to protect consumers by changing how service providers handle data. Payment info processing requires customer consent, and the corresponding dialogue must allow users to choose which data to share. 

This means that banks, fintechs and other service providers need to implement safe communication platforms to exchange those data sets in case a client requests to share particular information with a third party. We didn’t throw in the GDPR just to impress you. At this point, you’re dealing with both financial and personal data, and your customers need to have equally fine-grained controls over sharing both. The combination of information your enterprise gathers determines if it’s subject to the GDPR and/or the PSD2.

No matter what you process, it’s already a no-no to use screen scraping to process any customer data. That’s because simply grabbing data right out of an info box goes against the principle of informed consent.

EU states will also ensure that you, as a service provider, apply strong customer authentication when your clients do one of the following:

  • Access payment accounts online
  • Initiate electronic payment transactions
  • Carry out actions through remote channels which may imply a risk of fraud or abuse

Basically, once a user is handling digital money, you’re on the hook. At the same time, the new framework regulates the required identification protocols. If you process payment data from EU citizens, you can bet that you need strong customer authentication. So before you stake all your cash, make sure you’ve got a combination of these.

Remember, the goal is to ensure consent and to safely prove citizens’ identities. Think of the varying legal requirements for different legal documents. Some may only require a handwritten signature and witnesses, others a signature and a notarization. You can use only your signature to verify your identity and agreement, but you probably wouldn’t do that when you’re setting up a contract to sell your house. Secure authentication is just the same.

Users have to provide at least two out of the three buckets we mentioned. They could combine something they know, like a PIN, with something they own, like a phone. 

It could happen that your particular payment service is exempt from these requirements, but even in those cases, you’re required to apply alternative monitoring mechanisms to assess the risk of fraud. Either way, consumers are more alert than ever before and will likely decide to only trust service providers using secure protocols.

Personal Data Processing Extends Beyond Login Credentials. Here’s the Gist!

Bodies like the EU prioritize the welfare of their citizens. Nevertheless, this presents you as an entrepreneur, aka data processor, with the challenge of following regulations for processing payment information. Doing so requires you to constantly follow regulatory updates and implement the proper equipment and software. Oh, and by the way, this also includes requirements for personal data, authentication, encryption and compliance. 

Don’t worry, we understand this can all feel overwhelming. For starters, you can find guidelines for SMEs breaking down best practices for data processing. But if you don’t feel like diving into the endless PDF scroll, here’s the gist for implementing Two-Factor Authentication (2FA) properly.

  • Understand the need for data security: Rather than flipping the switch because you have to, you should understand the reasoning behind measures like 2FA regulations in the EU. That way, implementation won’t stop after a successful setup, and you’ll learn to embrace it as a regular task.
  • Take a risk-based approach: The GDPR and PSD2 require that security measures, such as 2FA, be implemented proportionately to the level of risk associated with the activities requiring data processing.
  • Regularly Review Security Measures: Once in effect, your security measures need to be  reviewed consistently to ensure they’re still effective for the level of risk involved. This review should include employee training and educating them about using 2FA correctly.
  • Implement 2FA: Almost obvious at this point, but if you’re processing private or payment data, there’s no way around it to stay compliant.

Make sure you consider all parts of data processing to stay compliant and fulfill the 2FA requirements in the EU for online payment services. Any system processing personal data, whether that’s a security token or your name, should be guarded by 2FA. And to guarantee that personal data processing is performed only through specific network resources, you should throw in device authentication.

How Almefy Can Help to comply with 2FA Requirements in the EU

We’ve observed the security market and regulations for years, and we burn for identity-based encryption. If you’d like to learn how an improved and simplified multi-factor authentication process can make your life easier, try Almefy today!