Strong customer authentication under PSD2 hero graphic

Strong customer authentication under PSD2

Posted On

By Paul Butterworth


This is the second article in our series on PSD2. The first can be found here.

You’ve heard of PSD2 and even know what it stands for, but are you fully prepared for its ramifications and opportunities? Developed by the European Banking Association, this latest version of the Payment Services Directive sets out a number of new initiatives and mandates aimed at opening up the banking industry to new entrants. In the UK PSD2 is now in full swing, but many other European countries are still in the midst of implementation, despite the months-ago deadline.

I won’t go into detail on the mechanics of PSD2—you can read hundreds of blogs on that topic. However, one area that lacks nuanced discussion is its mandate that customers perform Strong Customer Authentication (SCA) for various payment transactions. Strong Customer Authentication needs to be performed for any customer-initiated online payments that occur within Europe, this includes bank transfers as well as eCommerce transactions.

Strong Customer Authentication, as defined by PSD2, requires the user to use at least two of the following three factors to prove who they are:

  •   Something the customer knows, such as a password or PIN.
  •   Something the customer has, such a mobile phone or hardware token,
  •   Something the customer is, usually a biometric such as fingerprint or face recognition.

Currently, mobile phones are the most commonly used channel to perform SCA, yet applications running on mobile devices are at risk if not protected properly. Many banks employ a technology called 3D Secure version 2 to perform the authentication. During eCommerce transactions, the cardholder receives an authentication prompt from their card-issuing bank and must authenticate themselves with a PIN, passcode, or a One Time Passcode (OTP), often received as an SMS.

Some organizations (including I’m sorry to say, my personal bank), choose to send an authentication code to the customer’s phone using SMS. I, as the customer, then use that code to authenticate myself. It’s an interesting choice, especially given the fact that there is a well-known security flaw in SS7, the protocol used by telecom companies to route SMS messages and calls. The flaw enables SMS messages to be intercepted without needing access to the phone, thus making SMS based authentication very weak. Metro Bank in the UK fell victim to such an attack—hackers intercepted the authentication codes and many customers had their accounts emptied.

Some companies choose to use a push mechanism to trigger their online banking apps to perform the authentication. This is a better solution than using SMS, but the standards also require banks to provide adequate security in their apps.

Apps need to be developed in such a way that sensitive data and application execution remains protected. The PSD2 specification refers to such protection as a secure execution environment. Apps must be aware of their environment and monitor themselves to detect risks such as malware, a rooted device, and tampered applications.

Intertrust delivers market-leading application shielding tools that enable mobile application developers to build self-defending apps. Our whiteCryption® Code Protection™ solution enables app developers to integrate sophisticated protection into their apps to identify if they are running on an unsafe device or in a debugger. Code Protection requires minimal changes to the application source code, easily integrates into existing build systems, and once integrated, can largely be forgotten. It automatically embeds source code level protection during each compilation, enabling apps to identify if they have been modified in any way. If a breach is identified, the app can take appropriate action including terminating the app, or reporting the threat back to a back-end service so that different risk management decisions can be made.

In addition to the Code Protection solution, Intertrust offers whiteCryption Secure Key Box™ (SKB), a drop-in replacement cryptographic library that ensures your keys remain protected at all times, whether in use or at rest. SKB provides easy-to-integrate leading-edge security for your encryption keys that looks just like a standard crypto library but has no dependence upon any specific hardware technology. It provides your applications a safe way to securely import, use, and store keys—no matter the capabilities of the device itself.

To find out how Intertrust can help your PSD2 compliance efforts, get in touch with our team of experts today.



whitecryption CTA Banner

About Paul Butterworth

Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ market leading application shielding and device identity solutions.

Related blog posts


Mitigating your Java code security debt

Read more


How application protection helps HIPAA compliance

Read more


Top 2021 banking and fintech security regulations

Read more