What is a PSD2 SCA?
PSD2 is the EU Directive on Payment Services (Directive (EU) 2015/2366), which is currently in force and requires account servicing payment service providers (ASPSPs, e.g. banks) to open up their services to Third Party Providers (TPPs). These TPPs are empowered to build their own financial services (e.g. initiate payments, provide account information) by being able to access user accounts at a bank through a so-called Open API. Naturally, access to an account is not granted lightly. Financial institutions are obliged to perform Strong Customer Authentication (SCA) when a TPP tries to access a user account. An SCA request is a direct query to the account owner to approve (or reject) the TPP's account access request. The Directive is accompanied by a Regulatory Technical Standard (RTS) which defines detailed technical requirements on all implementation aspects, including SCA.
SCA technical requirements
The RTS defines the requirements for SCA implementations. The most important ones are the following:
Using PKI for SCA purposes
Implementing a good SCA solution poses three completely different challenges:
PKI is an obviously good choice for the first two challenges; it has been widely used for decades to provide secure and reliable solutions to similar problems. The following considerations will be useful when an organization (e.g. a bank) provides its customers with a mobile-based SCA solution (a mobile app) and addresses the issues of secure communication and authentication code generation using PKI.
Providing end-users with certificates for the mobile
To be able to benefit from the features of PKI, the provider should be able to handle private keys on the mobile device. One straightforward option is to generate the private and public key pair on the mobile itself and request a certificate from a Certificate Authority (CA). Many Mobile Device Management (MDM) platforms support this, and there are protocols specifically designed for this purpose (e.g. the Simple Certificate Enrollment Protocol, SCEP). Once the keys and certificates are ready (and properly secured!), they can be used to implement an SCA tool.
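The enrolment step described above, as an added example that is not part of the original article: the device generates its own key pair and builds a PKCS#10 certificate request (the input to an SCEP or similar enrolment flow), and the CA side checks proof of possession before issuing anything. The customer identifier and the use of a plain common name are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// EnrollmentRequest builds the PEM-encoded PKCS#10 CSR the enrolment client
// sends to the CA. Only the public key and subject leave the device; the CSR
// is signed with the private key so the CA can verify proof of possession.
func EnrollmentRequest(priv *ecdsa.PrivateKey, customerID string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: customerID}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckEnrollmentRequest is the CA-side check before issuing: parse the CSR,
// verify its self-signature (proof of possession) and return the subject CN.
func CheckEnrollmentRequest(csrPEM []byte) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	return csr.Subject.CommonName, nil
}

func main() {
	// Key pair generated on the device; in production it stays in the
	// hardware-backed keystore. The customer ID is a constructed sample.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := EnrollmentRequest(priv, "customer-0001")
	fmt.Println(CheckEnrollmentRequest(csr))
}
```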
By having authentication certificates, secure communication becomes much less of a hassle. Building and validating mutual SSL/TLS channels should not pose a problem and they provide authenticity, confidentiality and integrity protection for the communicating parties. If certificate validation is done properly, TLS will provide one of the best security solutions for communication.
Authentication code generation
The RTS lists numerous requirements for authentication code generation. PKI as a framework can satisfy most of them by design. Digital signature schemes are proven to resist forgery even when the attacker possesses many signed blocks of data. It has been proven that digitally signed documents are tied to the owner of the private key, making digital signatures non-repudiable. A signature applied to one set of data cannot be transferred to or reused on different data, and it is impossible to modify signed data while keeping the signature valid. Thus, electronically signed transaction data works perfectly as an authentication code satisfying all the requirements. All the provider has to do is ask the end user to sign all the transaction data with her private key. Signing all the relevant data immediately satisfies the requirement for dynamic linking, and PKI provides forgery resistance as well.
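The dynamic-linking property described above, as an added example that is not part of the original article: the authentication code is the user's ECDSA signature over the transaction data, and the bank verifies it against the transaction it is about to execute, so a code cannot be reused for a different amount or payee. The transaction field set and the nonce are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transaction carries the data the authentication code must be dynamically
// linked to (amount, payee) plus a one-time challenge from the bank.
// The field set is an assumption for this example.
type Transaction struct {
	Amount   string `json:"amount"`
	Currency string `json:"currency"`
	Payee    string `json:"payee"`
	Nonce    string `json:"nonce"`
}

// digest hashes a deterministic JSON encoding of the transaction
// (encoding/json emits struct fields in declaration order).
func digest(tx Transaction) []byte {
	data, _ := json.Marshal(tx) // cannot fail for a struct of plain strings
	sum := sha256.Sum256(data)
	return sum[:]
}

// AuthCode runs on the mobile: the user's ECDSA signature over the
// transaction hash is the authentication code returned to the bank.
func AuthCode(priv *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(tx))
}

// VerifyAuthCode runs at the bank against the transaction it will execute;
// any change to amount or payee after signing makes it return false.
func VerifyAuthCode(pub *ecdsa.PublicKey, tx Transaction, code []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(tx), code)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device key, constructed for the demo
	tx := Transaction{Amount: "100.00", Currency: "EUR", Payee: "PAYEE-IBAN-PLACEHOLDER", Nonce: "c0ffee"}
	code, _ := AuthCode(priv, tx)
	tampered := tx
	tampered.Amount = "1000.00" // attacker changes the amount after the user signed
	fmt.Println(VerifyAuthCode(&priv.PublicKey, tx, code), VerifyAuthCode(&priv.PublicKey, tampered, code))
}
```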
Building the app
One should not forget about the mobile application that handles the keys. The security of the app is crucial: it has to protect the keys properly, allowing only their owner to use them. On top of that, the RTS specifies numerous other requirements that can only be satisfied at the application level, such as monitoring and logging failed login attempts, deactivating the SCA tool when tampering is detected, and so on.
The value added
Using PKI and especially digital signatures for SCA yields something more than compliance. By being able to sign transactions on the mobile, signing documents (PDFs, ASiCs etc.) is right around the corner. Any organization can turn their mobile SCA tool into a fully featured electronic signature application allowing the customers to sign contracts and issue orders: actions that would otherwise require physical presence in a branch just for the sake of signing the document. This will allow the users to sign their documents anywhere and anytime without the need of a computer or a branch office.
Providing customers with an easy-to-use yet secure SCA tool is essential for the success of PSD2. Open banking will shape and change the way customers and banks handle finances forever. While the challenge is new, using well-proven technologies can reduce risks greatly, providing an advantage over competitors.
PKI provides a simple and elegant solution for the most important requirements of SCA tools, allowing the ASPSPs to be confident and focus on other aspects of PSD2 compliance. It will transform their PSD2 compliance project into a project that will benefit from the full power of electronic signatures, creating new business opportunities and happy customers along the way.
Author: Tamás PAULIK
© 2019 Microsec ltd. | Company registration number: 01-10-047218 | Tax number: 23584497-2-41