A lot has been written about PSD2 and its impact. The hope is that it will allow third parties (Account Information Service Providers and Payment Initiation Service Providers) to access consumers’ transactional data. Combined with the contextual data these providers already hold, that access could enable new and interesting services. But success requires a good consumer experience.
There are some really interesting (possibly unintended) consequences introduced by the draft technical guidance that could negatively affect the consumer experience. Let me give you a couple of examples. First, from the draft guidance:
10. ‘Each account servicing payment service provider should offer at least one communication interface enabling secure communication with account information services providers, payment initiation services providers, and payment services providers issuing card-based payment instruments, which should be documented and freely available on the account servicing payment service provider’s website. This communication interface should allow account information services providers and payment initiation services providers to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user.’
In other words, the third party is required to rely on the user authentication performed by the Account Servicing Payment Service Provider (ASPSP), e.g. the bank. What does this mean in practice for a consumer?
Using an app on her phone, Susan has all her accounts consolidated: bank, mortgage, utilities, etc. Following the current guidance, before the app could access the API she would have to be redirected to her own bank’s website to log in. The bank in turn would have to apply two-factor authentication (in line with the other PSD2 requirements), potentially forcing her to open her bank’s app as well. Only then could she view her balance. How annoying would it be to repeat that for every account she wants to access? Certainly not a seamless consumer experience.
And it continues. Article 21 of the guidance states:
Payment service providers issuing card-based payment instruments, account information service providers and payment initiation service providers shall keep the sessions for payments or related services as short as possible and actively terminate the session with the account servicing payment service provider as soon as the requested action has been completed.
So that implies the user’s session has to be terminated and closed as soon as the requested action is complete. In practice, that means the user will have to re-authenticate for each subsequent action. That is even worse: can you imagine using such a solution? It would be painful!
However, this is not the end of the story. There is a loophole. The guidance suggests that, outside of PSD2, a third party can make a specific agreement with the bank to let it authenticate the user on the bank’s behalf. If that happens, the consumer could have a great cross-account experience.
The upshot is that opening up APIs is the way to go. But exposing these interfaces also widens the attack surface and introduces vulnerabilities that attackers can exploit. Irdeto is watching closely how the PSD2 standards develop. After all, delivering a great consumer experience while maintaining security is critical for success!