Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Profile
Location
Copenhagen
Member since
2019
Writes about
Payments Regulation & Compliance Start ups

Tautvydas's blog archive

2019 (2)
Tautvydas Medziukevicius

Tautvydas Medziukevicius

Legal Counsel at Swiipe
Message Message me Posts: 2 Comments: 3

Blogs

Open Banking

Strong Consumer Authentication - a project for the banks?

07 May 2019

The Second Payments Services Directive (PSD2) is opening many doors for small companies in a bank-dominated industry. With the new rules some of the competences are transferred from the banks to the hands of the consumers. Consumers have the authority, through consent, to allow smaller companies to use consumers’ bank accounts to provide unique se...

3

Fintech

'Authentication code' and the future of payment transactions at the point of sale.

26 Mar 2019

The Payment Services Directive (PSD2), introduces new rules on how the payment services are going to be governed. Strong Consumer Authentication (SCA) implements new standards where (Article 97) the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; (c) carries out any action through a remote channel w...

2

See all Tautvydas's blogs

Tautvydas is Commenting on

'Authentication code' and the future of payment transactions at the point of sale.

  My understanding and the interpretation of the current legal framework on this matter is that there is more than one way of fulfilling SCA. What is certain from the law is that there must be two different and independent elements for the initial authentication stage. The initial authentication stage should produce an authentication code. The tricky part is how you put that authentication code in to use as it is not clear from the law. It is unclear whether the consumer must put in the authentication code himself or whether the payment initiator gets the code and lets the payment to proceed. If it is the first option, then OTP would be the only way around, once the two elements are confirmed. But if it is the second option then we can use the existing method of chip and pin and we do not need the OTP. But nevertheless, OTP could replace the pin code in the second scenario. I believe it is the second scenario that will be applied, and thus the consumers will not need to insert the authentication code. Yes, you are right in saying OTP can be one of the elements, but it would be the ‘possession’ element and not the ‘knowledge’ based element. A pin or multi-use passwords are knowledge-based elements because it is something you and only you know. OTP is based on the devices you have, and you will not know the one-use password if you don’t have the laptop or the phone, therefore it is a ‘possession’ based element. If it is the first scenario, then I agree, it does not make sense to put another security layer on chip and pin type of transactions which are considered safe already.

28 Mar 2019 Reply Read article

PSD2 - The Final RTS: 10 Things You Need To Know

  Thank you for the article, it seems very fascinating. however, my belief is that you have misinterpreted the RTS with the point 3. RTS states that PIS Providers have the right to rely on the authentication procedures provided by the ASPSP to the user and in such cases, the authentication procedure will remain fully in the sphere of competence of the ASPSP. This part only bears the meaning that there is an extra right for the PISPs to use the SCA provided by the banks. It does not state anything about the PISPs not being to have their SCA mechanism. There would be no point of having PISPs if they would have the only way of referring to banks for initiating the payment service, doing something they were created to do.

21 Mar 2019 Reply Read article

3D Secure 2.0 and PSD2, live together in perfect harmony

  The 3DS 1.0.2 does not necessarily satisfy the requirements for the PSD2. PSD2 requires two different elements, 3DS 1.0.2 might request two same elements, for example, two passwords, which both are something we know. Can you expand on how 3D Secure satisfies the requirements of strong consumer authentication?

21 Mar 2019 Reply Read article