All Research
Leadership Brief

PSD2: New business opportunities and risks

John Tolbert
The Revised Payment Service Directive (PSD2) Regulatory Technical Specifications (RTS) take effect this autumn across the EU. The directive will provide new benefits and rights for consumers, and create new business opportunities in the financial sector. However, new opportunities also imply new risks.

1 Executive Summary

PSD2 RTS go into effect in September 2019
PSD2 defines the new business entities Payment Initiation Service Providers (PISPs), which will have the ability to start payment processes directly between consumers and merchants; and Account Information Service Providers (AISPs) that will have the ability to aggregate account information about consumers and businesses. AISPs and PISPs are known as Third-Party Providers (TPPs). These business functions have typically been performed by banks or related banking services. Banks are known as Account Servicing Payments Service Providers, as ASPSPs, in PSD2. Competition in the financial sector within these newly defined roles will emerge from non-traditional, non-banking types of businesses.

From a technical perspective, PSD2 necessitates improvements in two major functional areas:

  • Strong Customer Authentication (SCA), transactional risk analysis, and malware mitigation in transaction processing
  • Opening new financial service APIs, and properly securing them

Concerning SCA, in most cases, authorization and access control are predicated upon authentication, i.e. determining if the subject is who/what it purports to be. Regulations often stipulate the level of authentication assurance that is necessary for certain types of actions to be performed on systems and data. PSD2, at a high level, requires “strong authentication”. The directive relies upon the standard definition, which requires two of these three factors: something you know, something you have, and something you are.

With regards to APIs, banks (ASPSPs) are required to open access to their systems for other financial service providers (TPPs) so they may obtain user authorized account information and initiate payments. To enable a new and secure financial ecosystem, APIs are being standardized in an open source manner. Banks have been building infrastructure to support the PSD2-mandated APIs. This API access infrastructure must be designed with defense-in-depth principles, including data, network and API security, as well as a trust framework for regulated external service providers and related identity and access management.

Full article is available for registered users with free trial access or paid subscription.
Log in
Register and read on!
Create an account and buy Professional package, to access this and 600+ other in-depth and up-to-date insights
Register your account to start 30 days of free trial access
Register
Get premium access
Choose a package

Stay up to date

Subscribe for a newsletter to receive updates on newest events, insights and research.
I have read and agree to the Privacy Policy
I have read and agree to the Terms of Use