This new European Directive for Internet payment service providers (PSD2) aims to provide consumers with even greater protection against the risk of electronic payment fraud. The aim of this European regulatory framework is to limit bankcard fraud, account hijacking and fraudulent transfers. Although it may seem restrictive at the time of payment, these security steps are really a blessing in disguise! Here’s how it works.
PSD2 for European consumers
This European directive for account management is aimed at all service providers who organise remote payment flows, mainly over the Internet. This may be a bank, a credit institution or even payment service providers throughout the European Union. It therefore applies to the management of an online account or an application.
The European directive proposes a framework for payment services based on two main themes:
The control of consumer information and data between financial and payment service providers, and the organisation of players in the sector in the European Union.
The security of payments for consumers. It is this “customer protection” dimension that is particularly developed here.
Before PSD2, PSD1
The first European Payment Services Directive dates from 2007 and was transposed into French law in 2009. To re-read it is to note the gigantic leap forward made by the banking sector over the last fifteen years. In 2007, PSD1 finally authorised service providers and institutions to manage online payments. This marked the end of the banking monopoly. As far as customer security is concerned, there is mention of the possibility of being reimbursed by a bank as a customer in the event of fraud, with a maximum deductible of €150. In short, it’s the stone age of online payment regulation, but it’s an initial framework.
PSD2 incorporates changes in the online payments market
Validated by the European Union in 2015, the second version of the PSD is partially applicable in France from 2017. The part dedicated to consumers will be made compulsory a little later: it is this new framework that imposes double authentication for transactions of more than €30, followed by enhanced authentication.
The development of fintechs
From 2015, PSD2 provides for the development of fintechs and the arrival of new trusted third parties in the finance and payment sector. Every player in the “payment value chain” is now identified: we are a long way from the days when only traditional banks had the right to manage the online payment services market on the Internet.
The development of service providers… and fraudsters
When you increase the number of service providers and payment services, you increase the number of transactions. In other words, you open the door to fraud. The PSD2 directive aims to strengthen the security of transactions, particularly at the weakest link: the consumer! And thieves have clearly understood this, since they mainly attack this human weakness rather than the networks and systems of payment providers (third parties, aggregators, institutions, etc.). Breaking into the systems behind a bank account or a fintech application is more difficult than obtaining a customer’s secret code. Security is an everyday issue for all payment service providers: aggregators, banks, fintechs and advisers.
N.B. A payment system is constantly under attack from hackers, but cybersecurity players are armed to fight this electronic war. Protecting the “feelings” of a consumer in the midst of a purchase is less easy to control.
What is strong authentication?
PSD2 lays down standards to be implemented for electronic payments by merchants as well as banks and payment service providers. You can no longer make a card payment or an online account transaction (or even open an account) without strong authentication, sometimes called double authentication. So, yes, it can be a bit restrictive, but it considerably reduces the risk of fraud on your account.
What are the possible methods for authenticating an account?
The main principle to remember is that strong authentication must require two of the three elements proposed by PSD2 (this is where the confusion over “two-factor authentication” comes from):
- An element of knowledge: information known only to you, such as a password,
- An element of possession: a smartphone or a telephone line,
- An element of inherence: fingerprint, facial recognition or even voice (even if this system is not very developed for the general public). As in spy films, perhaps one day we’ll be scanning the iris of our eye to make a payment or log on to our account.
When you are asked to set up a security check from your smartphone, authentication is at the strongest level, since it includes a solution for every possible element.
Good to know: strong authentication is compulsory for any transaction over €30, but increasingly e-commerce and payment service providers are asking for it from the very first euro (or even the first cent). Again, this is for the benefit of the consumer.
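As an added illustration (not code from the original article), the two-of-three rule and the €30 threshold described above, modelled as a small decision routine. The element names, the amounts in cents and the fallback scenario (fingerprint fails, PIN plus text-message code succeed) are constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three element categories PSD2 strong authentication draws from."""
    KNOWLEDGE = "knowledge"    # something only the customer knows (password, PIN)
    POSSESSION = "possession"  # something the customer has (smartphone, phone line)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face, voice)


@dataclass(frozen=True)
class Element:
    name: str        # label for the reader, e.g. "password" or "sms_code" (constructed)
    factor: Factor
    verified: bool   # True only if this element was actually checked and passed


# Threshold stated in the article: strong authentication is compulsory above €30.
SCA_THRESHOLD_CENTS = 30_00


def sca_required(amount_cents: int) -> bool:
    """Strong authentication is mandatory for amounts strictly over €30."""
    return amount_cents > SCA_THRESHOLD_CENTS


def verified_categories(elements: list[Element]) -> set[Factor]:
    """Distinct categories among the elements that passed verification.

    Two elements from the same category (password + PIN) count once, which is
    why "two passwords" is not strong authentication.
    """
    return {e.factor for e in elements if e.verified}


def authorize(amount_cents: int, elements: list[Element]) -> tuple[bool, str]:
    """Decide whether a payment may proceed under the rule set described above."""
    cats = sorted(c.value for c in verified_categories(elements))
    if not sca_required(amount_cents):
        # Below the threshold SCA is optional; still insist on one verified element.
        if cats:
            return True, "below threshold; accepted on " + ", ".join(cats)
        return False, "below threshold; nothing verified"
    if len(cats) >= 2:
        return True, "SCA satisfied: " + ", ".join(cats)
    return False, "SCA failed: need two distinct categories, got " + (", ".join(cats) or "none")
```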
Best individual practices for secure payments
The biggest security flaw is the user! And crooks are well aware of this. The first line of defence against theft is therefore the customer, so here are a few best practices to follow.
- Never give out personal information such as passwords by telephone or message. A payment service representative will never ask for it.
- Avoid validating an authentication request if you have not made a purchase yourself.
- Another piece of advice is not to validate a request for authentication after receiving a request for payment by telephone, even if the person you are speaking to really does seem to know your personal details, or even elements of your private life. Fraudsters are very good at finding the right information on social networks.
- Avoid leaving personal data on “public” sites (social networks, forums, etc.).
- Accept the enhanced authentication services offered by the various payment providers.
- Check the addresses of the sites where you give your bank details. Make sure that the “little padlock” is present and check that the URL (the web address) does not contain any added elements. This is how fake-fine scams work, for example: they link to counterfeit “ANTS” sites for paying fines.
- One final tip: if you need to contact a payment service provider, use the contact telephone number on their official website.
VeraCash’s PSD2 choices for its customers
VeraCash uses a trusted third-party payment provider that complies with the security standards of the PSD2 directive. That’s why we chose it. It’s also why, at every stage of a VeraCash account, there is strong authentication.
Using your VeraCash account
The online account
The first step is to log in to your VeraCash account. To do this, you need to know your username and password. A third element is then required: a PIN code (or equivalent).
On the VeraCash application
Fingerprint identification is possible. A systematic security alert will be sent by email. You will be informed that a connection is being made to your account. If it’s you, don’t worry: there’s nothing to do.
Please note that, from time to time, fingerprint authentication does not work. In this case, you need to enter your secret PIN or a code received by text message.
In short: authentication on the application is really reinforced! And thanks to it, you can consult your VeraCash account in complete peace and security.
Brand & Content Manager at Veracash.
Curious about everything, and in particular about economics, its transformations and the impact it has on our societies.
Every question deserves an answer, with perspective and pedagogy.