PSD2: the central role of the eIDAS regulated trust services

By Denny Bellotto, Consultant – Process & Compliance at InfoCert, a Tecnoinvestimenti Group company

Much has been said about Directive (EU) 2015/2366 on payment services in the internal market, also known as the PSD2 Directive.

PSD2 aims to regulate the rapid growth of the European e-payment market and to harmonize a European legislative framework that is still fragmented, the result of the differing rules each Member State issued when transposing the old Directive (Directive 2007/64/EC). That fragmentation creates potential risks for the security of payments and for the protection of consumers.

The central role that the new Directive gives to eIDAS-regulated trust services has not been highlighted enough, even though it is closely tied to the goal of PSD2, which is “to strengthen consumer confidence in online digital payments”.

Let’s take, for example, one of the cornerstones of the Directive: the trustworthy electronic identification of the actors involved in an e-payment transaction.

A specific technical regulation defined by the European Banking Authority (EBA) introduced the obligation of “Strong Customer Authentication” (SCA) of the payer, who must be identified in a trustworthy way. Under this requirement, payment service providers (PISPs and AISPs) may access payment accounts or execute payment orders only after two-factor strong authentication of the customer.

This measure was welcomed with little enthusiasm by payment service providers, who see it as a threat to the payer’s user experience: payers are accustomed to more agile systems, such as the “one click pay” offered, for example, by Amazon.

However, there are trusted solutions that guarantee full application of what the Directive requires without disrupting the habits payers have acquired. InfoCert has patented STS – Secure Transaction Service, a software component that can be integrated into mobile payment apps and is designed to raise the security level of transactions of value generated and validated in a mobile ecosystem, guaranteeing compliance with the SCA requirements and the best user experience for the payer thanks to a “silent OTP”.

STS also performs multiple checks, linking the payer’s identity to the amount of the payment transaction and thereby ensuring the so-called “dynamic linking” (another requirement of PSD2).

Moreover, another requirement of the Directive is the clear and unique identification of PISPs and AISPs when they access the user’s payment accounts. The solution described in the technical regulation issued by the European Banking Authority is to use qualified certificates, so that any attempt to access the user’s payment accounts can be fully traced. This requirement leads to another change in the e-payment landscape: practices such as “screen scraping”, that is, accessing home banking with software that pretends to be the user, very common among some players, are no longer possible. Here the Directive refers directly to eIDAS-regulated trust services that InfoCert provides: qualified electronic seals and qualified certificates for website authentication.

To conclude, PSD2 has created an extremely challenging e-payment environment, one that certainly demands a great adaptation effort from payment service providers but also offers many opportunities.

Knowing how to choose the most appropriate solutions and rely on the right partner is crucial to seizing the opportunities the market offers.