Do TPP Services Represent a Worrying Factor for The Retail Payments Market? November 2019
In this paper, SPA explores the new market context created by the EU’s Payment Services Directive (PSD2). Designed to encourage the creation of new and innovative payment services, PSD2 ushers in a new era of ‘Open Banking’ that will have a big impact on the way merchants take payments from customers – especially for online transactions – and is designed to give consumers greater visibility and control over their finances.
However, PSD2 also opens the doors to third party providers (TPPs) known as AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers) that will be able to use APIs provided by banks to access their customers’ bank accounts and create entirely new, independent services.
As well as evaluating the potential impact of TPPs on the retail payments market, the paper takes an in-depth look at:
• the current implementation progress of Strong Customer Authentication (SCA)
• how banks are re-positioning to work with TPPs and enable new API services
• the potential security and commercial risks posed by the emergence of TPPs.
If PSD2 is to achieve the anticipated objectives and ambitions of regulators, the structures enabled to support Strong Customer Authentication (SCA) will need to be robust and streamlined – the security of retailers, consumers, and banks depends upon this.
The Open Banking ecosystem introduces additional complexities and vulnerabilities to current payment systems – vulnerabilities that threaten the integrity of customer funds held in bank payment accounts. Yet the current lack of specific security or technical Open Banking authentication solutions is already leading to market fragmentation and a significant duplication of effort in the bid to define the best set of security mechanisms for all ecosystem participants.
It’s a complex problem that organizations in Europe – and further afield – are currently grappling with.
Open Banking fundamentally changes the security rules of the game. Having the technical ability to secure electronic payments, assure PSD2 compliance, and simultaneously enhance consumer protection against fraud and liability accountability will be vital for managing transactional risk.
In this detailed technical paper, SPA champions the role of standardization to support the secure and flexible choice of authentication methods: customer redirection, embedded, decoupled and delegated customer authentication, and explores what it will take to reduce customer friction during the authentication process.
The SPA also explores how today’s biometric-enabled smart card technology offers a highly secure and convenient method of customer verification that assures the security of the authentication process itself while guaranteeing the privacy of the card user.