In an ever-more connected world, online financial transactions, from viewing bank accounts to making payments, are increasing at a steady rate: in 2017, more than 1.5 billion people globally made an online payment; over 2 billion are expected to do so in 2019.

In France, 6 out of 10 people regularly make mobile payments. This appetite for service is encouraging both traditional players and fintechs to take positions on the online banking market. Many solutions are now being deployed at large scale, something that requires appropriate regulation.

PSD2 and financial players

PSD2, the revised EU Directive on Payment Services, is part of the picture in developing electronic transactions. It represents a new step in standardizing financial exchanges, and follows PSD1 and the recent OpenBanking UK work.

As the number of players in the market grows, the number of solutions being deployed for user authentication and the security of financial operations is increasing. Such solutions may draw on means of exchange already recognized as secure (for example, EBICS and SWIFT)—but these are not well placed to meet the growing need for real-time access to data.

The purpose of the directive is to provide a regulatory framework for both banking and non-banking players, while also promoting competition.
To do this, the directive defines three types of services carried out by payment service providers:

  • Account Information Services (AISs), which display and aggregate balance and transaction data for accounts used for payment.

  • Payment Initiation Services (PISs), which involve a payment order being transmitted, on behalf of a payer, to their bank.

  • Card-based Payment Instrument Issuers (CB-PIIs), which provide users with a means of payment.

What PSD2 brings to security

As a condition of allowing these providers to access account data via the ASPSP (the Account Servicing Payment Service Provider, i.e. the bank holding the account), the directive requires banks to deploy a new interface incorporating a set of security measures that enable these services to be offered securely.

The limits of PSD2

PSD2 represents a milestone in strengthening the security of payment services. It puts in place measures that take into account the needs of the increasing number of digital players. As things stand, however, it contains limitations that constrain what the security mechanisms can offer.

Accounts used for payments only

Incompatibility with existing standards