Security in PSD2 is a central point. Strong customer authentication is expected for every single payment transaction. The account owner should give consent to a third-party provider to initiate payment from their account. Every time a transaction is initiated, the account holder should prove his identity by entering their credentials.
Not so strict
Fortunately, the regulators were thinking about the real world. They included some cases where the transaction has only a small risk and the payer benefits from the quickness of the transaction and the convenience.
One example is when someone pays a parking fee, a tiny amount of money at a terminal where strong customer authentication may be inconvenient. The chance that someone illegally pays a parking fee from someone else’s account is low.
Article 12 in the PSD2 RTS says: “Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates an electronic payment transaction at an unattended payment terminal to pay a transport fare or a parking fee.”
The intention is fine, but it seems that the ones who created the text focused only on card-based payments. There are two phrases that we should analyze.
An electronic payment transaction
What is an electronic payment transaction? Is a PISP generated payment transaction an electronic payment transaction? (If you don’t know what a PISP is, click to read my earlier “who’s who” article)
In another article, I envisioned new means of payment. In that vision, at the end of the process, a PISP initiated a payment electronically. So, it seems to be an electronic payment transaction, doesn’t it?
An unattended payment terminal
What is an unattended payment terminal? It’s quite easy to imagine such a terminal with a human brain. We associate an unattended payment terminal with a parking meter, an ATM or any other device without the supervision of an operator. How will a bank identify this terminal when the payer sends the payment transaction to the bank?
In the field of EMV card payment, the “Terminal Type” data element contains this information. In addition, “Terminal Capabilities” specify whether the terminal is a “payment” terminal or any other kind (transfer, cashback, cash deposit, etc.). So, in the case of payment cards, the article in the RTS provides a clear description of cases where the ASPSP may not apply strong customer authentication.
But how can we apply for this exemption when a parking meter has a printed QR code, and the payer reads this code using their smartphone? Then, finally, a payment transaction is initiated from the phone using the API of the bank where the payer has a bank account.
In EMV, all terminals are certified, and another certification is processed when the software is installed on the terminal. The terminal becomes a part of the acquirer network of a bank. The certification procedure ensures that the terminals whose “Terminal Type” and “Terminal Capabilities” claim the terminal being “unattended payment” are unattended payment terminals indeed.
There is no such certification process for PSD2 API. Technically the bank can implement a flag in its API specification. If the bank does so, TPP can use this flag on its own admission because there is no tool in the bank’s hands to verify whether the transaction marked with “unattended payment” really comes from that kind of environment. From the security point of view, applying exemption for strong customer authentication by an external party’s own admission is dangerous.
We should keep in mind that PSD2 Article 66 excludes the possibility for a bank to enforce a direct contract, and so the bank can’t enforce the certification of the terminals with the TPP.
“The provision of payment initiation services shall not be dependent on the existence of a contractual relationship between the payment initiation service providers and the account servicing payment service providers for that purpose.”
To mitigate the risk, banks may apply strong customer authentication for every transaction. This approach gives the competitive edge to bank cards because bank card payment at a parking meter will be fast and comfortable compared to new payment methods where the payers have to authenticate themselves for every single 1€ parking fee.