PSD2 and MFA - What Exactly Do They Mean?

  • Security and Compliance
  • 08.02.2022 10:52 am

If you're living in the EU, or are interested in the world of global finance, there are two abbreviations you might have heard of: PSD2 and MFA. For a lot of people they don't mean anything, even though they affect their lives in more ways than one. Let's look at what exactly PSD2 and MFA are, and what you and everyone else should know about them.

The most important document in EU consumer finance - PSD2

PSD2 is the Second Payment Services Directive (PSD), an EU directive (a legal instrument) that regulates the payments side of the European financial services market. PSD2 requires PSUs (Payment Service Users) to authenticate a transaction in order to prevent fraud. In the realm of PSD2, there are two kinds of parties.

  1. The Users - PSUs

  2. The Service Providers - AISPs, PISPs, PSPs, ASPSPs, etc.

Bear with us.

PISPs are Payment Initiation Service Providers, AISPs are Account Information Service Providers, and ASPSPs are Account Servicing Payment Service Providers. All of these providers are subjects of the open banking market and are therefore covered by PSD2.

How and why does PSD2 matter? Firstly, because it regulates how all digital monetary transactions must be done in the EU. In its essence, PSD2 is in favor of users and consumers. PSD2 allows PSUs (the users) to share their data with a service provider and take action (transfer funds, share data, sign contracts, etc.). The PSPs are obliged to share this information with the aforementioned providers through specific technological bridges, called APIs. These APIs are PSD2 compliant (PSD2 APIs).

There are more PSD2 mandates, such as PSD2 Payment Security, which makes it easier for consumers to protect their information, and account information integrity, which obliges PSPs (banks, insurance companies, and other financial institutions) to provide correct and relevant information when a customer demands it.

What PSD2 doesn't allow is the sharing of user data without their consent.

MFA - What is it and how is it relevant?

MFA, or Multi-Factor Authentication, is an added security layer within PSD2. It's a commonly known practice used to ensure the authenticity of a user in the digital realm. MFA can also be labelled Two-Factor Authentication, etc.

PSD2 only allows users to give consent for sharing their own data. The directive doesn't allow, for example, a PSP to take your credit card information and share it with another PSP without your consent. Legally speaking, it's very ambiguous how PSD2 regulates the sharing of data that belongs to another person.

This is where MFA comes into play, giving you an extra layer of protection for your own data. The service provider must also be PSD2 compliant for this process to work flawlessly.

Since PSD2 makes it easier for service providers to share information with each other, the European Union put in place various security measures.

Security is a vital part of PSD2. Multi-factor authentication, within the confines of the Second Payment Services Directive, works by requiring any user to confirm and authenticate their identity with 2 out of the 3 available measures (factors). As the directive states, a user can be authenticated by inherence, possession and knowledge.

Inherence is your biometric data, possession is a device or item that you own, and knowledge is your passwords, PIN codes, etc. If you can provide a PIN code through a smartphone that's already approved as yours, the transaction can be verified. As the directive and its supporting documents state, these factors are independent: compromising one does not result in harm to the others.
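As an added illustration (not part of the original post or of the directive's text), the following Python models the two-of-three rule and the independence requirement described above; the `breach_asset` attribute and the sample journeys are constructed assumptions for this example only.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows: password, PIN
    POSSESSION = "possession"  # something only the user has: approved phone, card
    INHERENCE = "inherence"    # something the user is: fingerprint, face


@dataclass(frozen=True)
class Element:
    name: str
    factor: Factor
    # Constructed simplification: the single asset whose compromise defeats this
    # element. Two elements that fall to the same asset are treated as NOT independent.
    breach_asset: str


def sca_check(elements):
    """Return (ok, reason) for a PSD2-style strong customer authentication:
    at least two elements from different factor categories, and that pair must
    not be defeated by one and the same compromised asset."""
    if len({e.factor for e in elements}) < 2:
        return False, "fewer than two distinct factor categories"
    for a, b in combinations(elements, 2):
        if a.factor != b.factor and a.breach_asset != b.breach_asset:
            return True, f"independent pair: {a.name} + {b.name}"
    return False, "every cross-category pair shares one breach asset"


# Constructed sample journeys (assumptions for the example, not from the directive)
PIN_ON_APPROVED_PHONE = [   # the post's own example: knowledge + possession
    Element("PIN code", Factor.KNOWLEDGE, "user memory"),
    Element("approved smartphone", Factor.POSSESSION, "phone"),
]
TWO_KNOWLEDGE_ELEMENTS = [  # two elements, but only one category
    Element("password", Factor.KNOWLEDGE, "user memory"),
    Element("security question", Factor.KNOWLEDGE, "user memory"),
]
SHARED_VAULT = [            # two categories, but one compromised asset defeats both
    Element("password kept in vault", Factor.KNOWLEDGE, "password manager vault"),
    Element("TOTP seed kept in same vault", Factor.POSSESSION, "password manager vault"),
]

if __name__ == "__main__":
    for journey in (PIN_ON_APPROVED_PHONE, TWO_KNOWLEDGE_ELEMENTS, SHARED_VAULT):
        print([e.name for e in journey], sca_check(journey))
```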
