Everyone knows what etc., FYI, and FAQ stand for. Just in case you don’t, they stand for etcetera, For Your Information, and Frequently Asked Questions.
Yet another abbreviation, the PSD2, is the second installment of an already existing payment service directive from 2007. Effective as of September 2019, it aims to tackle fraud and malicious activities, increase security for online transactions, and encourage more competition in the payment industry through open banking. The PSD2 Directive applies to all member states of the EU (European Union – easy one!) and requires all financial institutions to open their customer information and payment networks to PSPs (Payment Service Providers) and other TPPs (Third Party Providers).
As you can tell, there are an abundance of acronyms surrounding open banking and PSD2, which makes it hard to get to the bottom of what consequences PSD2 really has for businesses in the finance industry.
But not to worry – help has arrived! Keep reading to find out more about this latest directive affecting the security industry in the EU. For a quick list of all the abbreviations scroll down to the Glossary of PSD2 at the end of the post. If you come across any relevant terms we’ve forgotten, post them in the comments section and we’ll be sure to get them added.
SCA, CSC and RTS – Say what?!
After the EU published the requirements for PSD2, the EBA (European Banking Authority) worked with the European Commission to create a set of RTS (Regulatory Technical Standards). These standards apply to financial institutions (e.g., banks) and PSPs (payment service providers – getting the hang of it?) and cover the topics SCA (Strong Customer Authentication) and CSC (Common and Secure Open Standards of Communication), making clear which specific security measures and implementations are required to comply with PSD2.
So what do SCA and CSC entail?
SCA specifies that in order for a customer to make payments or access payment accounts online, the customer’s identity has to be verified using at least two factors (this has an acronym, too – 2FA also known as two-factor authentication). Two-factor authentication refers to the combination of any two of the following: something the customer knows (e.g., password), something he has (e.g., phone or token), or something the customer is (e.g., biometrics). The SCA requirements are a step forward to tackle fraud and make online payments more secure.
PSD2 mandates that financial institutions, like banks, must open access to their customers’ information and payment networks to PSPs and other TPPs. But, of course, any of that information is highly confidential, so the CSC aspect of the RTS specifies which communication channels can be used and requires that any communication between the different parties is securely encrypted.
The Who’s-Who of Open Banking
There are many different parties involved in open banking, but here are the main players:
- ASPSP: Account Service Payment Service Provider
They provide and maintain the customer’s payment account. In the open banking ecosystem, they publish standards-based APIs (Application Programming Interface) to give third party providers access to customer transaction data. That way they can provide account information or payment initiation services. Only financial institutions (e.g., banks) can be ASPSPs.
- AISP: Account Information Service Provider
They aggregate online information from multiple payment accounts. For example, a customer can see all financial information from multiple banks in one place.
- PISP: Payment Initiation Service Provider
They can initiate online payments directly from the individual’s bank on the individual’s behalf. A customer shopping online can, for example, allow the e-retailer to initiate the payment right from their bank, without having to give their account details to the e-retailer.
- CBPII: Card-Based Payment Instrument Issuer
They issue payment instruments, often card-based, such as debit or credit cards.
- TPP: Third Party Provider
They don’t hold payment accounts for their customers. They instead use the ASPSP-provided APIs to access these accounts to provide account information or payment initiation services. TPPs can only be AISPs and/or PISPs since they do not have access to the payment accounts.
What are NCAs and what is their role?
The NCAs (National Competent Authorities) across Europe are registering and authorizing providers that are qualified to use the required qualified certificates. As very confidential data is involved, it is important that only approved financial institutions get the certificates which allow them to participate in open banking. A QTSP (Qualified Trust Service Provider) will check the NCA register before issuing QWACs (Qualified Web Authentication Certificates) or QSealCs (Qualified Electronic Seal Certificates), and will use information provided by the NCA within the certificates themselves.
Where does GlobalSign fit in?
GlobalSign is a leading, globally-recognized QTSP and is accredited to issue QWACs and QSealCs for companies in the EU hoping to achieve PSD2 compliance.
We understand how difficult it can be to navigate complex compliance requirements, especially with a mountain of new acronyms. If you need a recap on the many abbreviations, below is the glossary with a few extra relevant definitions thrown in for good measure. If you’re interested in learning more about how GlobalSign’s robust portfolio of identity and security solutions can help you achieve compliance or protect your most valuable information, contact us today.
PSD2 Glossary of Terms
2FA – Two-Factor-Authentication
AISP – Account Information Service Provider
AMS – Account Management System
API – Application Programming Interface
ASPSP – Account Service Payment Service Provider
CBPII – Card-based Payment Instrument Issuer
CMA – Competition and Markets Authority
CSC – Common and Secure Open Standards of Communication
EBA – European Banking Authority
eIDAS – Electronic IDentification, Authentication and Trust Services
EU – European Union
EUTL – European Union Trusted Lists
GDPR – General Data Protection Regulation
NCA – National Competent Authority
PISP – Payment Initiation Service Provider
PSD2 – Payment Services Directive 2, the revised directive of the Payment Service Directive
PSP – Payment Service Providers
QSealC – Qualified Electronic Seal Certificate
QTSP – Qualified Trust Service Provider
QWAC – Qualified Web Authentication Certificates
RTS – Regulatory Technical Standards
SCA – Strong Customer Authentication
SEPA – Single Euro Payments Area
TPP – Third Party Providers
XS2A – Access to Account