
12 September 2019. Farewell to the old token, transfers made from the smartphone, new strengthened authentication, and open banking, meaning the sharing of user data with fintech companies and other third parties. Saturday, September 14th is zero hour for the online payments revolution: the last part of the European directive on digital payment services, "PSD2", comes into force.

The new rules have caused some disorientation among account holders, and also among industry insiders, given the inevitable variety with which each financial institution has complied with the Brussels provisions, each modifying its own login and usage systems for home banking. Given the complexity of the subject, the Bank of Italy has also granted an extension to the "latecomers", with the result that the landscape of online accounts risks operating, temporarily, at two speeds as far as the security rules are concerned.

But what is actually new for users? "The need for two independent authentication factors (PIN plus one-time code) and the fact that each generated password can be used for a single operation are the main changes that will affect citizens' daily lives," Maurizio Pimpinella, president of APSP, the Association of Payment Service Providers, explains to Adnkronos.

"Strong authentication" for home banking
"This is the heart of the so-called 'Strong Customer Authentication', the new security mechanism that payment providers and intermediaries will have to use whenever a user needs to access an online payment account or perform an electronic transaction through their home banking," continues Pimpinella.

"This procedure requires banks to verify the identity of the user and the authenticity of payment transactions through the use of two or more independent factors belonging to the categories of 'knowledge' (something only the user knows, for example the PIN), 'possession' (something only the user has, for example the OTP, one-time password, generated by their own mobile phone) and 'inherence' (something only the user is, for example the fingerprint). In essence, the user is required to provide two authentication factors to access their account and make payments."

One operation per generated password
That's not all. "Another novelty concerns the use of passwords," points out the head of the APSP. "Previously it was possible to carry out an unlimited number of payment transactions with the same password. Under the new legislation, however, each transfer requires a new one-time code. The code is therefore tied to one single payment transaction, made to one single beneficiary."
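The two ideas in the quotes above, independent factors and a one-time code tied to a single transaction and a single beneficiary, can be shown concretely. The following Python model is an added illustration for this page, not code from the article, from APSP or from any bank: the bank stores a PIN hash (knowledge) and a per-device key (possession); the phone app computes a code as an HMAC over the challenge and the bank's own record of amount and beneficiary IBAN; the bank accepts the code only once and only for that exact payment, so a code generated for another beneficiary, or reused for a second transfer, is rejected. The code length, validity window, message layout, PIN hashing parameters and sample IBANs are assumptions constructed for the demo.

```python
"""Toy model of PSD2 strong customer authentication with dynamic linking.

Added illustration, not code from the article or from any bank. Every
protocol detail here (8-digit code, 120 s validity, message layout) is an
assumption chosen for the demo, not a PSD2 requirement.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 8          # assumed length of the one-time code
CHALLENGE_TTL_S = 120    # assumed validity window for one challenge


def _code_for(device_key: bytes, challenge_id: str, amount_cents: int, iban: str) -> str:
    """Code computed on the user's phone (possession factor).

    The HMAC covers the challenge *and* the transaction data, so a code issued
    for one payment cannot be replayed for another amount or another
    beneficiary (the 'dynamic linking' described in the article)."""
    msg = f"{challenge_id}|{amount_cents}|{iban.upper()}".encode()
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Assumed PIN hashing: PBKDF2-SHA256 with a per-user salt.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Phone:
    """Simulated enrolled smartphone ('something only the user has')."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def sign_payment(self, challenge_id: str, amount_cents: int, iban: str) -> str:
        # The app shows amount and IBAN to the user and signs exactly those values.
        return _code_for(self._key, challenge_id, amount_cents, iban)


class Bank:
    """Simulated bank back end applying SCA before executing a transfer."""

    def __init__(self):
        self._users = {}       # user -> (salt, pin_hash, device_key)
        self._challenges = {}  # challenge_id -> (user, amount_cents, iban, issued_at)
        self._consumed = set()

    def enrol(self, user: str, pin: str) -> Phone:
        salt = secrets.token_bytes(16)
        device_key = secrets.token_bytes(32)   # provisioned to the user's phone
        self._users[user] = (salt, _hash_pin(pin, salt), device_key)
        return Phone(device_key)

    def start_transfer(self, user: str, amount_cents: int, iban: str, now: float = None) -> str:
        """Records the transaction the bank will execute and returns a challenge id."""
        cid = secrets.token_hex(8)
        self._challenges[cid] = (user, amount_cents, iban.upper(), now or time.time())
        return cid

    def confirm_transfer(self, user: str, cid: str, pin: str, code: str, now: float = None):
        """Returns (accepted, reason). Both factors must pass; a code works once."""
        now = now or time.time()
        chal = self._challenges.get(cid)
        if chal is None or chal[0] != user:
            return False, "unknown challenge"
        if cid in self._consumed:
            return False, "code already used"
        _, amount, iban, issued = chal
        if now - issued > CHALLENGE_TTL_S:
            return False, "challenge expired"
        salt, pin_hash, device_key = self._users[user]
        # Knowledge factor, compared in constant time.
        pin_ok = hmac.compare_digest(_hash_pin(pin, salt), pin_hash)
        # Possession factor: the expected code is recomputed over the bank's own
        # record of the payment, never over values sent with the confirmation.
        code_ok = hmac.compare_digest(_code_for(device_key, cid, amount, iban), code)
        # Both factors are evaluated before answering, so the reply does not
        # reveal which one failed.
        if not (pin_ok and code_ok):
            return False, "authentication failed"
        self._consumed.add(cid)
        return True, "transfer executed"


if __name__ == "__main__":
    bank = Bank()
    phone = bank.enrol("alice", "1234")                       # constructed user
    payee = "IT60X0542811101000000123456"                     # constructed sample IBAN
    cid = bank.start_transfer("alice", 12500, payee)
    code = phone.sign_payment(cid, 12500, payee)
    print(bank.confirm_transfer("alice", cid, "1234", code))  # accepted
    print(bank.confirm_transfer("alice", cid, "1234", code))  # rejected: reuse
```

The instructive case is the one where the transaction the bank recorded and the one the phone displayed differ: if the amount or beneficiary on the banking site were altered before the bank recorded it, the code the user's phone produces for the values the user actually saw will not match, and the transfer is refused. That is the concrete value of binding each code to one payment and one beneficiary rather than issuing codes that authorise any number of operations.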

Goodbye to the token? "Nì" (yes and no)
And the token? Will it really be thrown away? "Let's say 'nì', yes and no. Each intermediary has had a certain discretion in deciding how to comply with the new rules, while still respecting the three pillars of security (possession, knowledge, inherence)," explains Pimpinella. "Basically, the choice has been to replace the old physical token with new codes generated directly on the smartphone via an app or sent by SMS. In some cases, however, the device we all know remains, but it must be used in combination with other security requirements. In general, though, efforts are being made to discourage its use by charging additional fees."

There is still time to adapt
"For the latecomers, the Bank of Italy has already granted an additional deadline, still to be defined, in order to spare individual users and consumers inconvenience and disruption in the transition to the new procedures," confirms Pimpinella. "Those who benefit from the extension will allow their customers to continue making transfers and transactions in the previous manner." It is not yet possible, however, to provide an exhaustive list of the intermediaries that have decided to take advantage of the extra time. "They will be asked to present a detailed migration plan illustrating, step by step, the actions needed to complete the adjustment."

Open banking arrives, watch your data
Finally, open banking. "With PSD2, for the first time, third parties may be authorised by individual users to access their accounts in order to offer new tools and services aimed at making the home banking experience easier. In practice, European banks must open their APIs (Application Programming Interfaces) to fintech companies and to other parties that provide payment services. Be careful, however, about the processing of your banking data," the APSP president warns, "which will in fact be shared, albeit with prior consent, with all the organisations that interface with the online payment account. Including the so-called GAFA, Google, Apple, Facebook and Amazon, which have recently added payment and financing services to their offerings."