Page 34 - IMF - Fintech in Europe: Opportunities and Challenges (English) - 2020.11 - 35 pages.pdf
Annex II. Security Requirements Under PSD II
The security requirements are underpinned by the Regulatory Technical Standards (RTS) on
strong customer authentication (SCA) and common and secure communications (SCS), to be
implemented by end-2020.
[Figure: Interchange Fees Regulation. Fee value (national currency) against transaction value (0 to 200) for United States (debit), Europe (debit) and Europe (credit). Source: IMF Staff calculations.]
• SCA. The regulation is a response to fraud in on-line transactions. It requires card-not-present
authentication based on two or more elements from different categories: knowledge (e.g., a PIN),
possession (e.g., a smartphone), and inherence (e.g., a fingerprint), while allowing exemptions for
low-risk transactions. Card networks offer an optional additional authentication layer for on-line
transactions (3-D Secure). To comply with SCA, this industry standard is replacing the static
password with tokens and biometrics, while introducing risk-based authentication backed by richer
datasets. Fintech solutions could exploit big data to identify and prevent fraud (reducing
chargebacks), and tailor authentication so that fraud falls while the customer's experience improves.
• SCS. The RTS envisage two possible secure communication channels provided by the account
servicing payment service provider (ASPSP) to the account information service provider (AISP) or
payment initiation service provider (PISP). The first is a dedicated communication interface with
the same availability and performance as the customer's interface: an Application Programming
Interface (API) that takes a request from a third-party provider (TPP) and returns an answer. The
second is an adapted version of the customer's on-line banking interface, through which the TPP
accesses the account with the customer's personalized security credentials while the TPP itself is
securely authenticated to the ASPSP.
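As an added example (not code from the IMF paper), the following Python sketch implements the SCA decision described in the SCA bullet above: a card-not-present transaction passes if two elements from different categories (knowledge, possession, inherence) were verified, otherwise a low-risk exemption may apply, otherwise the payment must be stepped up (for example to a 3-D Secure challenge). The numeric thresholds are not stated on this page; they are an assumption taken from the RTS (Commission Delegated Regulation (EU) 2018/389, Articles 16 and 18), and the fraud rate and transactions in `demo()` are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Tuple

# Added example, not the IMF paper's code. Thresholds below are assumptions
# taken from RTS Arts. 16 and 18; the page only says "exemptions for low-risk
# transactions".


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the customer knows, e.g. a PIN
    POSSESSION = "possession"  # something only the customer has, e.g. a phone
    INHERENCE = "inherence"    # something the customer is, e.g. a fingerprint


@dataclass
class CardHistory:
    """Counters the issuer keeps per card since the last successful SCA."""
    exempt_value_since_sca: float = 0.0
    exempt_count_since_sca: int = 0


@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    verified: Tuple[Factor, ...]  # factors actually verified for this payment


# Low-value exemption (assumed RTS Art. 16 values)
LOW_VALUE_LIMIT = 30.0
LOW_VALUE_CUMULATIVE = 100.0
LOW_VALUE_CONSECUTIVE = 5
# Transaction risk analysis tiers (assumed RTS Art. 18 values):
# (max amount, max reference fraud rate), checked from the strictest tier.
TRA_TIERS = ((500.0, 0.0001), (250.0, 0.0006), (100.0, 0.0013))


def meets_sca(verified: Iterable[Factor]) -> bool:
    """Two or more elements from at least two *different* categories.
    A password plus a security question is two knowledge elements and fails."""
    return len(set(verified)) >= 2


def low_value_exempt(tx: Transaction, hist: CardHistory) -> bool:
    return (tx.amount_eur <= LOW_VALUE_LIMIT
            and hist.exempt_value_since_sca + tx.amount_eur <= LOW_VALUE_CUMULATIVE
            and hist.exempt_count_since_sca < LOW_VALUE_CONSECUTIVE)


def tra_exempt(tx: Transaction, fraud_rate: float) -> bool:
    """The provider's reference fraud rate selects the tier it may use."""
    for limit, max_rate in TRA_TIERS:
        if fraud_rate <= max_rate:
            return tx.amount_eur <= limit
    return False


def decide(tx: Transaction, hist: CardHistory, fraud_rate: float) -> Tuple[str, str]:
    """Decide how to handle a card-not-present transaction and update hist.

    Returns ("authenticated" | "exempt" | "challenge", reason)."""
    if meets_sca(tx.verified):
        # A successful SCA resets the counters that gate later exemptions.
        hist.exempt_value_since_sca = 0.0
        hist.exempt_count_since_sca = 0
        return "authenticated", "two independent factors verified"
    if low_value_exempt(tx, hist):
        hist.exempt_value_since_sca += tx.amount_eur
        hist.exempt_count_since_sca += 1
        return "exempt", "low-value exemption"
    if tra_exempt(tx, fraud_rate):
        hist.exempt_value_since_sca += tx.amount_eur
        hist.exempt_count_since_sca += 1
        return "exempt", "transaction risk analysis"
    return "challenge", "step up, e.g. a 3-D Secure challenge"


def demo():
    """Constructed sequence of payments on one card (illustrative data)."""
    hist = CardHistory()
    fraud_rate = 0.0005  # constructed issuer reference fraud rate (0.05%)
    pw_only = (Factor.KNOWLEDGE,)
    pin_and_otp = (Factor.KNOWLEDGE, Factor.POSSESSION)  # OTP on the phone
    outcomes = [
        decide(Transaction(20.0, pw_only), hist, fraud_rate)[0],   # low value
        decide(Transaction(200.0, pw_only), hist, fraud_rate)[0],  # TRA, 250 tier
        decide(Transaction(400.0, pw_only), hist, fraud_rate)[0],  # above tier
        decide(Transaction(400.0, pin_and_otp), hist, fraud_rate)[0],
    ]
    return outcomes


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

The decision is deliberately split into small predicates so that each exemption rule can be tuned or switched off by the issuer without touching the two-factor check, which is the part a regulator will audit first.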