Has anyone made any impulse online purchases during the lockdown period? The last six months have flown by and sometimes the only respite available has been a bit of online retail therapy. In my household the first thing mooted as an ‘essential’ purchase was a hot tub. Not a fancy proper one, but an inflatable one. Think over-sized kids paddling pool with an array of water pumps and jets to give a plentiful supply of bubbles. Whilst I liked the idea, I was pretty certain it would be one of those things that gets a bit of use and then falls out of favour, ending up forlorn and forgotten about within weeks.
Fortunately, they were flying off the shelves back in April – to the extent that they were sold out online. We moved on from that idea. Next on the list was a proper espresso coffee maker to brew frothy cappuccinos and double-shot espressos to kick-start the mornings. After a bit of deliberation, we finally bit the bullet and purchased a shiny new stainless steel machine with on-board bean grinder, steam wand for frothing, portafilter, the works. We’ve been high on caffeine ever since, although I seem to be the elected barista as no one else in the family has bothered to learn how to use it!
Anyway, back to the script. You may have noticed new payment services when making purchases online or via mobile phone, especially in Europe. The change may well be a direct result of PSD2, the latest Payment Services Directive, which mandates that retail banks open up their coveted customer financial data via an Application Programming Interface (API) to third-party players such as fintechs and other financial services companies.
New payment options and PSD2
Alongside promoting innovation and removing national banking borders, one of the primary drivers for PSD2 is to give the consumer more choice. Customers can now engage with these third-party players because their retail bank data can be shared with them at the customer’s discretion. This has led to a rapid rise in a wide range of financial services which are no longer offered only by the usual retail banks. Think virtual currencies, insurance, loans, large retailers, Google, PayPal, Facebook, mobile challenger banking apps et al.
One example of these changes starting to take effect is visible when making online purchases: alongside the traditional debit and credit cards, other payment options are now popping up, such as buy now pay later (BNPL) schemes that allow you to spread the payments over multiple weeks or months. Whilst you may have overlooked these options, many teenagers will be familiar with them. Names like Klarna and Clearpay offer this type of product in the UK. These are relatively new players in the financial sector who have been empowered by PSD2.
In addition to giving customers more choice in the consumer payments space, the other main objective of the PSD2 directive is to ensure that consumer protection is maintained throughout the payment ecosystem. This in turn informs the fundamental security requirements:
- Strong Customer Authentication (SCA), which defines more stringent requirements for verifying the customer’s identity using biometrics and physical tokens alongside passwords
- Secure data storage and communication, and
- Digital certificate issuance by a competent source registered with the European Banking Authority
Digital certificates are how the different parties in the payment ecosystem establish trust with one another. You’ll be familiar with the padlock symbol shown when making an online purchase. You probably haven’t thought too much about it, but under the hood a website needs a digital certificate in order to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and gain user trust. PSD2 has specified the characteristics of the qualified digital certificates used to secure communication between entities in the payment ecosystem (qualified certificates are defined in the eIDAS regulation; the PSD2-specific certificate profile is ETSI TS 119 495, if you want to dig really deep).
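As an added illustration (not code from the original post), the following shows what that PSD2-specific profile puts into a certificate: a "PSD2 QcStatement" listing the payment service provider roles the holder is authorised for and the national competent authority (NCA) that granted them, plus the check a bank's API would make before letting a third party act in a given role. The OIDs are those defined in ETSI TS 119 495; the NCA name and identifier used in the sample are constructed placeholders.

```python
# Added illustration of the PSD2 QcStatement defined in ETSI TS 119 495. The OIDs are
# the standard's; NCA values in the sample are constructed. Short-form DER lengths only.
PSD2_QC_STATEMENT = "0.4.0.19495.2"  # id-etsi-psd2-qcStatement
ROLE_PSP_AS, ROLE_PSP_PI = "0.4.0.19495.1.1", "0.4.0.19495.1.2"  # account servicing, payment initiation
ROLE_PSP_AI, ROLE_PSP_IC = "0.4.0.19495.1.3", "0.4.0.19495.1.4"  # account information, card issuing

def der(tag, body):  # TLV with short-form length (< 128 bytes), enough for one statement
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def oid(dotted):  # DER OBJECT IDENTIFIER: first two arcs packed, rest base-128 with continuation bit
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for v in arcs[2:]:
        chunk = [v & 0x7F]
        while (v := v >> 7): chunk.append(0x80 | (v & 0x7F))
        out += reversed(chunk)
    return der(0x06, bytes(out))

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: arcs.append(v); v = 0
    return ".".join(map(str, arcs))

def parse(buf, pos=0):  # one TLV -> (value, end); SEQUENCE -> list, OID and UTF8String -> str
    tag, n = buf[pos], buf[pos + 1]
    body, end = buf[pos + 2:pos + 2 + n], pos + 2 + n
    if tag == 0x30:
        items, p = [], 0
        while p < len(body):
            item, p = parse(body, p); items.append(item)
        return items, end
    return (decode_oid(body) if tag == 0x06 else body.decode() if tag == 0x0C else body), end

def build_sample_statement(roles, nca_name, nca_id):
    # QCStatement { id-etsi-psd2-qcStatement, PSD2QcType { RolesOfPSP, NCAName, NCAId } }
    role_seq = b"".join(der(0x30, oid(o) + der(0x0C, n.encode())) for o, n in roles)
    body = der(0x30, role_seq) + der(0x0C, nca_name.encode()) + der(0x0C, nca_id.encode())
    return der(0x30, oid(PSD2_QC_STATEMENT) + der(0x30, body))

def psd2_info(statement_der):  # relying-party view: asserted PSP roles and the granting NCA
    statement_id, psd2 = parse(statement_der)[0]
    if statement_id != PSD2_QC_STATEMENT:
        raise ValueError("not a PSD2 QcStatement: %r" % statement_id)
    return {"roles": [r[0] for r in psd2[0]], "nca_name": psd2[1], "nca_id": psd2[2]}

def authorised_for(statement_der, role_oid):  # e.g. accept a payment initiation only with ROLE_PSP_PI
    return role_oid in psd2_info(statement_der)["roles"]
```

In a real deployment this statement sits inside the certificate's qcStatements extension, and the role check is made only after the certificate chain has validated back to a qualified trust service provider.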
These certificates are typically issued by a public key infrastructure (PKI), which is underpinned by a trust anchor. At the root of a PKI are strong, trusted cryptographic keys. These are created in a hardware security module, or HSM. HSMs provide strong, certified assurance to a PKI deployment, keeping the private keys in a protected environment while allowing certificate and signature renewal to be automated.
HSMs are not just for PKIs. They can be deployed in other areas of the new payment ecosystem wherever cryptographic services are required from an assured, trusted environment. For example, Entrust offers a RESTful web services API which provides encryption services via web service calls, simplifying the communication between a bank or third party and an HSM. It’s worth remembering that certification to both NIST FIPS 140-2 and Common Criteria gives customers the assurance that they are selecting a product validated against some of the most rigorous security standards.
Why should your company care?
And why should companies care about PSD2? The deadline for the revised directive going live is 31 December 2020. That date is fast approaching, and non-compliance could result in hefty penalties for banks and third-party organisations from national regulators.
So the next time you are online, maybe thinking of making that essential purchase, pause for a moment and think about the new open banking payment ecosystem, what’s really going on under the hood and finally… do you really need that hot tub?