Tautvydas Medziukevicius

Legal Counsel at Swiipe
Open Banking

Strong Consumer Authentication - a project for the banks?

07 May 2019

The Second Payments Services Directive (PSD2) is opening many doors for small companies in a bank-dominated industry. With the new rules, some of the competences are transferred from the banks to the hands of the consumers. Consumers have the authority, through consent, to allow smaller companies to use consumers’ bank accounts to provide unique se...



'Authentication code' and the future of payment transactions at the point of sale.

26 Mar 2019

The Payment Services Directive (PSD2) introduces new rules on how payment services are going to be governed. Strong Consumer Authentication (SCA) implements new standards where (Article 97) the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; (c) carries out any action through a remote channel w...


'Authentication code' and the future of payment transactions at the point of sale.

My understanding and interpretation of the current legal framework on this matter is that there is more than one way of fulfilling SCA. What is certain from the law is that there must be two different and independent elements for the initial authentication stage. The initial authentication stage should produce an authentication code. The tricky part is how you put that authentication code into use, as it is not clear from the law. It is unclear whether the consumer must put in the authentication code himself or whether the payment initiator gets the code and lets the payment proceed. If it is the first option, then OTP would be the only way around, once the two elements are confirmed. But if it is the second option, then we can use the existing method of chip and PIN and we do not need the OTP. But nevertheless, OTP could replace the PIN code in the second scenario. I believe it is the second scenario that will be applied, and thus the consumers will not need to insert the authentication code. Yes, you are right in saying OTP can be one of the elements, but it would be the ‘possession’ element and not the ‘knowledge’-based element. A PIN or a multi-use password is a knowledge-based element because it is something you and only you know. OTP is based on the devices you have, and you will not know the one-use password if you don’t have the laptop or the phone; therefore it is a ‘possession’-based element. If it is the first scenario, then I agree, it does not make sense to put another security layer on chip and PIN type of transactions, which are considered safe already.