Tips

PSD2, SCA, and Dynamic Linking: What are they and how do they work?

Chances are you have already heard about these concepts, especially if you operate in the financial industry. The two have become real buzzwords for a few years. Depending on where you operate, in the European Union, you might be already required to be PSD2 compliant. In case you are not required by law to be compliant, you are still strongly encouraged to do so, as it adds security to your users and lowers the potential for fraud.

What is PSD2?

PSD2 stands for Payment Standard Directive 2, and is a part of the payment legislation put in place by the European Banking Authority (EBA). It sets mandatory actions that financial institutions and other involved parties need to undertake in internet banking, mobile banking, e-commerce, and payment services in order to be compliant. Taking into consideration the technology’s current state and future trends, PSD2 aims at facilitating the user’s access to the banking and financial services while elevating the level of security. In terms of security, PSD2 most important provisions are:

Risk Assessment: a risk score can be calculated and used for classifying transactions in order to give the user a seamless experience.

Strong Customer Authentication (SCA): when making transactions the user needs to provide two of the following factors:

  • Knowledge: something only the user knows, like a password or a PIN.
  • Inherence: something that the user is, like biometrics.
  • Possession: something that the user has, like a mobile phone.

Dynamic Linking: For every transaction a unique authentication code is required. It should be specific to the transaction amount and recipient, both of which are provided to the payer at the moment of authentication. Combining the authentication code with the provision of the data to the client, dynamic linking makes it possible to follow the “what you see is what you sign” principle.

How does Dynamic Linking work?

Considering the current state of technology, the dynamic linking process often happens with the aid of a smartphone. This enables the user to receive all the payment details, such as the amount and the recipient in a secure way. Typically, the authentication code is cryptographically tied with the payment details (although this is not necessary). After the user receives and verifies the payment details, and is strongly authenticated with at least two of the factors, their decision (to either approve or reject the transaction), together with the payment data is cryptographically signed. This process creates a unique authentication code bound to this specific transaction not only in terms of transaction details, but also time and device used to approve the transaction.

How does Dynamic Linking protect the user and lower fraud?

Dynamic Linking makes it possible to follow the “what you see is what you sign” principle. The users see what they are confirming. This mechanism can protect the users even when their devices are compromised. If an attacker manages to set up a man-in-the-middle attack, they can still not manage to get fraudulent payments confirmed. For example, malware placed on the user’s device can show the legitimate payment details on the user’s browser, but send maliciously modified details to the bank. Using Dynamic Linking, the bank will send to the user the data it received from the attacker: the altered one. The user can avoid the attack by refraining from providing the authentication code, which should be presented only when the transaction details received match the intended ones. With Dynamic Linking in place, fraud becomes much harder to perform, as it is not enough to compromise the user’s device. This leads to a higher level of security for the user which is in turn reflected in lower fraud cases.

Achieve Dynamic Linking with the Futurae Authentication Platform

At Futurae, we make sure to make Dynamic Linking easier for both the financial institutions and users. On the user’s mobile phone, the Futurae offering can be implemented either as stand-alone “Secure Access” application, or integrated within business applications (through the use of iOS and Android mobile SDKs) to securely provide a seamless dynamic linking of transactions. These applications can then also be used for strong customer authentication through PIN, biometrics and the possession of the mobile phone. Smartphone based solutions cover most of the users of a modern bank, but there are also cases where a user does not have a smartphone or internet connection, for example due to compliance (such as in data centers or trading floors) or corporate rules. To cover these scenarios Futurae offers hardware tokens that support dynamic linking. They display the transaction details to the customer and provide a secure authentication code linked to the transaction.

Want to learn more? Reach out to our experts at sales@futurae.com

PSD2 Dynamic Linking