The Payment Services Directive (PSD2) aims to simplify online payments and reduce fraud by mandating Strong Customer Authentication (SCA). Strong customer authentication enforces two-factor authentication (2FA), which requires users to verify their identity in two distinct ways before access is granted.

Dynamic linking is one of the most discussed areas under the regulation on strong customer authentication and common and secure communication. It has three phases:

Firstly, it requires the payer to verify an online transaction by generating an authentication code from some transaction details (at least the amount of the payment and any information identifying the beneficiary, for example part of the IBAN), so that the authentication code is linked to the provided data;

Secondly, it aims to protect the confidentiality and integrity of transaction data throughout the authentication process;

Last but not least, the user should be aware of the online transaction data that they authenticate. This is commonly known as ‘What you see is what you sign’. This means that the detailed transaction data and session identifier information should be given to the user.

The regulation requires that every time a payer accesses a payment account online or carries out an action through a remote channel to make an online payment, an authentication code is required. The authentication process must ensure that the payer is aware of the transaction details and of the payee at all times.

The authentication code should be specific to the amount of the transaction and the payee. This is Dynamic Linking, which links the payer and payee. Strong customer authentication is a mandatory requirement for authenticating online payments. It will be mandated across the EU as from September 14.

Two-factor authentication is an important element of strong customer authentication. Transactions that use 2FA need to be authenticated using at least two of the following three factors:

Something that the customer knows, such as a password or a personal identification number (PIN);

Something that the customer has, such as a mobile phone number;

Something that the customer is, using a biometric identifier such as a fingerprint.

Bank of Valletta, in line with the regulatory requirements of PSD2, is updating its strong customer authentication process. With effect from September 14, the black securekey currently being used to log on to BOV internet banking and authorise transactions will be deactivated and replaced by ‘BOV signatures’. Customers will be able to log on to BOV internet banking and authorise their transactions with ‘BOV signatures’ through their BOV mobile banking app. The app can be downloaded free of charge from Google PlayStore or App Store.

Current BOV mobile app users can start making use of this new service. BOV Mobile is now also protected with fingerprint authentication, adding another layer of security to this service. Customers who prefer to use a physical securekey can visit their BOV branch to replace their current key with a new enhanced securekey. ‘BOV signatures’ is free of charge, whereas the physical securekey carries an annual fee of €10.

Both options support dynamic linking, and when making a payment, customers will be required to capture the last five digits of the beneficiary IBAN and the payment amount.
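
To illustrate how an authentication code can be tied to the amount and to the last five digits of the beneficiary IBAN, here is an added example; it is not BOV's algorithm or code from any bank. The HMAC-SHA256 construction with HOTP-style truncation, the per-device secret key, the session identifier field and all sample values are assumptions made for the sketch.

```python
import hashlib
import hmac
from decimal import Decimal

def canonical_message(amount, currency, iban, session_id):
    """Serialise the linked fields unambiguously: minor units, currency, IBAN tail, session."""
    scaled = Decimal(amount) * 100
    if scaled != scaled.to_integral_value() or scaled <= 0:
        raise ValueError("amount must be positive with at most two decimals")
    tail = iban.replace(" ", "")[-5:]
    if len(tail) != 5 or not tail.isdigit():
        raise ValueError("expected five trailing IBAN digits")
    return f"{int(scaled)}|{currency.upper()}|{tail}|{session_id}".encode()

def auth_code(key, amount, currency, iban, session_id, digits=8):
    """Derive a short decimal code from an HMAC over the transaction details."""
    mac = hmac.new(key, canonical_message(amount, currency, iban, session_id),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # HOTP-style dynamic truncation (assumed scheme)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key, code, amount, currency, iban, session_id):
    """Bank side: recompute the code from the transaction about to be executed."""
    expected = auth_code(key, amount, currency, iban, session_id)
    return hmac.compare_digest(expected, code)  # constant-time comparison

# Constructed sample values, not a real key or real account data.
KEY = bytes(range(32))
SESSION = "session-0001"
PAYEE = "MT00 TEST 0000 0000 0000 0000 0001 2345"
OTHER_PAYEE = "MT00 TEST 0000 0000 0000 0000 0009 9999"

def demo():
    """Generate a code for one payment, then check it against altered details."""
    code = auth_code(KEY, "125.50", "EUR", PAYEE, SESSION)
    return {
        "code": code,
        "genuine": verify(KEY, code, "125.50", "EUR", PAYEE, SESSION),
        "amount_changed": verify(KEY, code, "9125.50", "EUR", PAYEE, SESSION),
        "payee_changed": verify(KEY, code, "125.50", "EUR", OTHER_PAYEE, SESSION),
    }

if __name__ == "__main__":
    print(demo())
```

Because the bank recomputes the code from the payment it is about to execute, a code approved for one amount and payee does not verify if either field is altered after the customer has confirmed it.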

For further information, visit bov.com, call BOV on 2131 2020 or e-mail customercare@bov.com.

Tonia Naudi is head of Multi-Channel and Payments Business at Bank of Valletta.
