Everyone needs a bank account, and of course only the authorized person may access it. But how can a bank reliably recognize that authorized person? This is the job of strong customer authentication, which is usually achieved by combining elements from the categories possession, knowledge and biometrics.
Example: In addition to possessing the forgery-proof chip card, the bank customer must know the associated PIN. Access to the account is possible only with both elements together. Another example: payments can be released when the bank customer holds an enrolled app on a mobile device (possession) and unlocks it with the fingerprint sensor (biometrics).
Beyond blocking the element after repeated failed attempts and timing out inactive sessions, further requirements apply. For example, it must be impossible to derive the PIN from the associated possession element (e.g., the smart card).
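As an added illustration (not SRC's code and not any bank's product), the following constructed Python sketch shows the server side of a possession-plus-knowledge check with the properties named above: the device proves possession by answering a challenge, the PIN is verified only against a salted hash that is stored independently of the device secret, repeated failures block the element, and an inactive session times out. All names, secrets and timeout values are assumptions for the example.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3          # block the element after this many failed attempts
INACTIVITY_TIMEOUT = 300  # seconds without activity before the session expires
PBKDF2_ROUNDS = 100_000   # slow hash so a leaked hash does not reveal the PIN


def device_respond(device_secret: bytes, challenge: bytes) -> bytes:
    """What the possession element (app or chip card) computes. It never sees the PIN."""
    return hmac.new(device_secret, challenge, "sha256").digest()


class AccountAccess:
    """Server-side state for one customer's two SCA elements (constructed example)."""

    def __init__(self, pin: str, device_secret: bytes):
        # Knowledge element: only a salted, slow hash is stored, never the PIN itself.
        self.salt = os.urandom(16)
        self.pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)
        # Possession element: a per-device secret chosen independently of the PIN,
        # so neither element can be derived from the other.
        self.device_secret = device_secret
        self.failures = 0
        self.blocked = False
        self.last_activity = None

    def new_challenge(self) -> bytes:
        # A fresh challenge per attempt prevents replay of an earlier device response.
        return os.urandom(16)

    def authenticate(self, pin: str, challenge: bytes, response: bytes, now: float) -> str:
        if self.blocked:
            return "blocked"
        expected = device_respond(self.device_secret, challenge)
        has_possession = hmac.compare_digest(expected, response)
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)
        has_knowledge = hmac.compare_digest(candidate, self.pin_hash)
        # Both elements are always checked and a single result is returned, so an
        # attacker cannot learn which element was wrong.
        if not (has_possession and has_knowledge):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.blocked = True
                return "blocked"
            return "denied"
        self.failures = 0
        self.last_activity = now
        return "granted"

    def session_active(self, now: float) -> bool:
        """True while the session is within the inactivity timeout; refreshes the timer."""
        if self.last_activity is None or now - self.last_activity > INACTIVITY_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now
        return True
```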
The aim is to give bank customers the best possible protection against unauthorized access to their accounts and against misuse when they retrieve digital account information or initiate payment transactions via the Internet. For this reason, the member states of the European Union (EU) have placed the wide range of organizational and technical solutions for strong customer authentication within a legal framework. The Payment Services Directive 2 (PSD2) requires banks to provide traceable documentation of the security features as well as regular testing and evaluation of the overall solution deployed. All of this is subject to an audit, and the bank must demonstrate to its supervisory authority upon request that the audit has been performed.
SRC will assist you in providing the evidence required on a regular basis. SRC auditors have the expertise in the areas of IT security and payment transactions required by law. They obtain an overview of all components of the solutions used, review the documentation and evaluate their correct classification in the verification process. SRC gives you the confidence to comply with regulatory requirements for strong customer authentication under PSD2.
More information
PSD2
In December 2015, the European Commission issued a new directive on payment services in the internal market (“Payment Service Directive 2”, or PSD2). PSD2 has been transposed into national law in the individual member states since 2018. In Germany, PSD2 is implemented through amendments to the Payment Services Supervision Act (ZAG) and the relevant articles of the German Civil Code (BGB).
In addition to requirements for the authorization of payment service providers, PSD2 also contains requirements that must be taken into account when designing and operating the technical applications of an account-holding institution. The security features of the payment applications play a particularly important role here. These include security requirements for the use of authentication solutions, namely the requirements for strong customer authentication, transaction analysis, and the security of personalized security features.
Regulatory Technical Standard (RTS)
A special feature of PSD2 is that the aforementioned requirements are specified by a Regulatory Technical Standard (RTS) in accordance with Article 98 of PSD2. The EBA (European Banking Authority) was tasked with preparing corresponding drafts in cooperation with the ECB (European Central Bank) and submitting them to the European Commission. The RTS has been published by the European Commission and is a binding part of PSD2. Against the backdrop of the RTS requirements, solution providers now face the task of proving to institutions that they meet the requirements of the RTS.
Procedure for proving PSD2 requirements for the authentication solution
SRC analyzes your security solution with the aim of proving that it meets the relevant requirements of the RTS. For this purpose, documents describing the realization of the security solution are submitted to SRC. Testing is performed at the conceptual level and, where necessary, also at the design level. If desired, SRC includes code analysis. SRC’s experience from projects with other partners is incorporated into the interpretation of the requirements.
The subject of the check is the authentication medium, e.g. an app, in interaction with the server in the back-end system. The focus is not only on “man-in-the-middle attacks”, but also on direct attacks on the components used, e.g. on the smartphone in the case of an app solution.
If desired, SRC will make a statement as to whether the security mechanisms are state of the art.
SRC summarizes the findings in a report.