
Strong authentication of customers and account interfaces for payment service providers

The way banking transactions and payments are processed has changed faster in recent years than ever before, driven by new products and services on the Internet.

The EU therefore adopted the legally binding Payment Services Directive 2 (PSD2) in December 2015. The directive had to be transposed into national law and contains legal requirements for banks and payment service providers.

From 13 January 2018, it reorganises key interfaces between the customer and the bank, as well as between banks and other financial service providers. It takes into account that both payment services and banking transactions now take place to a large extent on the Internet, which entails IT risks. To counter these risks, PSD2 and the downstream regulatory standards impose stricter IT security requirements on the processes involved. Two central points are particularly relevant here:

  • Strong customer authentication
    Banks must authenticate their customers using a procedure that meets the requirements of strong customer authentication (essentially equivalent to two-factor authentication).
  • Account interface for third party payment service providers
    Banks must provide an openly documented interface on the Internet that allows third-party payment service providers to access customer accounts on behalf of customers. IT security requirements apply to this interface as well.

Under PSD2, the European Banking Authority (EBA), in cooperation with the European Central Bank (ECB), is required to draw up regulatory technical standards (RTS, such as EBA 2017/05) that specify the requirements of PSD2 in detail. Among other things, EBA 2017/05 covers the exemptions from and specifications for strong authentication, and the requirements for the account interface for third-party payment service providers. In preparation for EBA 2017/05, the EBA conducted a market survey in January 2016, which the BSI and the German banking industry answered alongside many other market participants, and published the interim result for comment as a Consultation Paper. The Final Report on the RTS was submitted on 23 February 2017, and the draft EBA 2017/05 was made available in May 2017. On 27 November 2017, the European Commission published an amended version of the RTS, COM 2017/11, which still had to be finally adopted by the European Council and the European Parliament.

With its technical expertise, the BSI assesses the implementation of these and other points in detail, helping to minimise risks and to make online banking and other payment services more secure.

Strong customer authentication

In PSD2, strong customer authentication is defined in the following terms:
"Strong customer authentication" means authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.

For remote transactions, strong customer authentication includes elements that dynamically link the payment transaction to a specific amount and a specific payee.

With PSD2, the definition of "strong authentication" has been developed further compared to the previous standards MaSI, SecuRePay and EBA 2014. Even when the customer authenticates strongly, the transaction amount and the beneficiary's account could still be manipulated after authentication (for example by malware on the customer's device) unless additional security measures are in place. PSD2 recognises this attack scenario: for remote transactions, "strong customer authentication" therefore includes "elements that dynamically link the payment transaction to a specific amount and a specific payee".
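The dynamic linking that the definition requires for remote transactions can be illustrated with an added example; this is not code from the BSI page or from any bank's or vendor's implementation. The customer's possession element computes a short transaction code over the amount, the payee and a bank-supplied challenge, and the bank recomputes it over the transaction as actually submitted, so a code confirmed for one payment is worthless for a manipulated one. For comparison, an unlinked code computed over the challenge alone is shown to accept the manipulated transaction. The key, the IBANs, the challenge and all function names are constructed assumptions for illustration only; the truncation to decimal digits borrows the HOTP-style dynamic truncation scheme.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed sample key standing in for the secret held by the customer's
# possession element (e.g. an authentication app or hardware token).
# Illustration only; a real key is provisioned per device and never shared.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)

CODE_DIGITS = 8


def canonical_transaction(amount: str, payee_iban: str, challenge: bytes) -> bytes:
    """Unambiguous byte encoding of the data the code must be bound to.

    The amount is normalised to two decimal places and the IBAN is upper-cased
    with spaces removed, so purely cosmetic differences do not change the code
    while any change of value or payee does. Each field is length-prefixed so
    that field boundaries cannot be shifted between amount and IBAN.
    """
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f").encode()
    iban = payee_iban.replace(" ", "").upper().encode()
    return b"".join(len(p).to_bytes(2, "big") + p for p in (amt, iban, challenge))


def _truncate(mac: bytes) -> str:
    """HOTP-style dynamic truncation of a MAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def dynamic_linked_code(key: bytes, amount: str, payee_iban: str, challenge: bytes) -> str:
    """Transaction code dynamically linked to amount and payee (HMAC-SHA256).
    The device shows amount and payee to the customer next to this code."""
    msg = canonical_transaction(amount, payee_iban, challenge)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def unlinked_code(key: bytes, challenge: bytes) -> str:
    """Weak variant for comparison: the code depends on the session challenge
    only, not on what is being paid to whom. Shown for contrast; do not use."""
    return _truncate(hmac.new(key, challenge, hashlib.sha256).digest())


def verify_linked(key: bytes, amount: str, payee_iban: str, challenge: bytes,
                  submitted_code: str) -> bool:
    """Bank-side check: recompute the code over the transaction as submitted
    to the bank and compare in constant time."""
    expected = dynamic_linked_code(key, amount, payee_iban, challenge)
    return hmac.compare_digest(expected, submitted_code)


def verify_unlinked(key: bytes, challenge: bytes, submitted_code: str) -> bool:
    """Bank-side check for the weak variant: amount and payee never enter
    the verification, so a swapped payee cannot be detected here."""
    return hmac.compare_digest(unlinked_code(key, challenge), submitted_code)


def simulate_payee_swap(key: bytes, challenge: bytes) -> dict:
    """Model the attack PSD2 addresses: the customer confirms a payment on the
    independent device, then malware on the PC rewrites amount and payee
    before the order reaches the bank."""
    amount, payee = "125.00", "DE89 3704 0044 0532 0130 00"                  # constructed sample IBAN
    swapped_amount, swapped_payee = "1250.00", "DE02 1203 0000 0000 2020 51"  # constructed attacker IBAN

    linked = dynamic_linked_code(key, amount, payee, challenge)
    unlinked = unlinked_code(key, challenge)
    return {
        "linked_genuine": verify_linked(key, amount, payee, challenge, linked),
        "linked_swapped": verify_linked(key, swapped_amount, swapped_payee, challenge, linked),
        "unlinked_swapped": verify_unlinked(key, challenge, unlinked),
    }


if __name__ == "__main__":
    # Expected: linked code accepted only for the genuine transaction,
    # unlinked code accepted regardless of the swap.
    print(simulate_payee_swap(DEVICE_KEY, bytes(16)))
```

In a deployment the challenge would be a fresh per-transaction value from the bank, and the independence requirement of the definition means the device that computes and displays the code must not be the device on which the payment order is entered; otherwise malware could alter what the customer sees and the linking gives no protection.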

PSD2 does not specify how much resistance a strong customer authentication procedure must offer against an attacker. Nevertheless, the Federal Court of Justice (BGH) judgment of 26 January 2016 (XI ZR 91/14) shows that the security classification of authentication procedures plays a major role against the background of increased liability.

Account interface for third party payment service providers

PSD2 regulates new services and thus opens up the market to payment service providers (PSPs) that provide services on behalf of the customer. These include:

  • Payment Initiation Service (PIS) in line with Article 66 PSD2
  • Account Information Service (AIS) in line with Article 67 PSD2
  • Payment Instrument Issuer Payment Service Provider (PIISP) service in accordance with Article 65 PSD2

To provide such services, the service provider needs access to the customer's account, which is managed by the Account Servicing Payment Service Provider (ASPSP). To grant the access regulated under PSD2, the institution must provide service providers with an interface to its systems, the "access to account" (XS2A) interface. Further requirements for the implementation and use of this interface are defined in the RTS.

According to PSD2, a payment service provider must identify itself each time an account-holding institution grants it access to an account. Article 29 of the RTS specifies that qualified certificates in accordance with "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC" (eIDAS Regulation) are to be used for this identification.

Qualified certificates are issued by qualified trust service providers. The supervision and qualification of trust service providers are governed by the eIDAS Regulation mentioned above. In principle, any qualified trust service provider that issues qualified certificates is eligible to provide a payment service provider with the certificate required for its access via the XS2A interface. However, when identifying the certificate holder and when revoking certificates issued to payment service providers, the qualified trust service provider has to take into account additional, new requirements arising from PSD2 and the RTS. On the one hand, a certificate may only be issued to a payment service provider that holds the necessary authorisation as a payment service provider (in accordance with PSD2 Articles 65, 66 or 67). On the other hand, an issued certificate must be revoked as soon as the payment service provider no longer holds a valid authorisation.

Each qualified trust service provider has a certificate issuance and management policy (Certificate Policy) that meets the requirements of the eIDAS Regulation. This policy must be supplemented by additional information in order to also meet the requirements of PSD2 and the RTS. The BSI has identified this additional required information in the guideline "Proposal for a Policy for the compliance of a qualified trust service provider with PSD2-specific requirements defined by PSD2 and EBA RTS - Draft".

This policy shows that qualified trust service providers under the eIDAS Regulation form the necessary basis of the public key infrastructure required to identify a payment service provider at the XS2A interface. Only a few additional requirements have to be implemented by the qualified trust service provider in order to also meet the requirements of PSD2: in particular, requirements for identifying the certificate holder, for revoking certificates, and for extending certificates with PSD2-specific attributes. It must be borne in mind, however, that in order to implement these requirements the trust service provider depends on the availability of information from national bodies (the authorisation of payment service providers) in accordance with PSD2.