Second Payment Service Directive (PSD2) will enable Fintech IoT payment growth
Know Your Customer (KYC) will remain a prerequisite for IoT payment devices
Hardware security is key to payment confidence
If all goes according to plan, around this time next year, the Second Payment Service Directive (PSD2) will be implemented. It’s an EU initiative that was originally focused on speedier transactions, encouraging competition and harmonising payment systems. In recognising the rise of Fintech and evolving customer needs, this revision will transform the payments market, forcing banks and traditional operators to allow access to customer data from new players in the industry.
The disruptive nature of PSD2 is seen by many as entirely justified, as the banking sector has been slow to innovate, with its legacy IT platforms lacking in agility. One aim is to implement an open Application Programming Interface (API) to enable Fintech developers to communicate with traditional Payment Service Providers (PSPs)
The Open Access to Customer Accounts (XS2A) component will bring about the most visible changes with the introduction of new third party players (TPPs) functioning as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
“The notion of authenticated machine-to-machine payments isn’t beyond our reach”
With PISPs, merchants will have access to customer accounts, enabling a direct transfer of funds, eliminating the processing fees levied by the Card Networks. With consent, AISPs will be able to provide services that combine all customer payment accounts from different providers. This could amount to a dashboard overview, with more sophisticated uses applied to provide investment advice or searches for approved loans through a price comparison site. Similarly, payment by instalments could be initiated at the Point of Sale – a use case which is attracting a lot of interest from merchants.
At Fintech Connect Live in London recently, talk of PSD2 was everywhere. While the practicalities were of concern to some, the opportunities were not lost either. As new payment services emerge, a world of frictionless transactions seems ever more likely, and that extends to the Internet of Things.
Yet if devices are destined to initiate machine-to-machine (M2M) payments, then this frictionless ideal needs to be balanced with protection against fraudulent transactions. Today, it all comes down to Know Your Customer (KYC), a requirement that isn’t going to go away any time soon, as Anthony Lloyd-Perks, Head of Business Development, UK and Ireland, Gemalto* was keen to stress: “The KYC process is not on the machine, it can’t be on the machine, it’s on the individual. The individual is KYC and is linked in some way to the machine.”
Still, the notion of authenticated machine-to-machine payments isn’t beyond our reach, according to Dr. Farhaan Mohideen, EMEA Lead, Secure Payments and Mobility, Retail Solutions Division at Intel. While he recognises the need to know who is making the payment, he prefers to focus on a different approach: “We should forget about talking about payment instruments and talk more about payment agents associated with the machine. The payment agent will have a number of attributes, in addition to associating a user’s payment instrument and providing authorisation. That authorisation will be based on a number of conditions, like the payment limit, the types of goods and services you are allowed to purchase and when to contact the owner of the payment instrument, if these conditions aren’t met to approve payment.”
The agent is, in effect, a filter of sorts so that the frictionless fuel payment system in your connected vehicle isn’t tricked into paying out €5,000 for a used car on the forecourt of a filling station. Contactless cards already permit payments with no Cardholder Verification Method (CVM) within a set floor limit, so low risk IoT M2M transactions appear inevitable.
PSD2 has a number of implications for security and it is important to look beyond software security with solutions such as Software Guard Extension (SGX), which has been a feature since the 6th Generation Intel® Core™ processors arrived. SGX’s secure enclaves are private areas of code and data, amounting to a Trusted Execution Environment (TEE) that is protected from the host OS, shielding exposure to hackers. As the use of IoT payment devices proliferate, in future, having identifiable trusted data within these devices in the form of SGX enclaves, will deliver more confidence in approving low-risk transactions, to balance the interests of frictionless versus fraud.
“A number of Intel solutions are now in the market using these secure enclaves in payments. Intel® Data Protection for Transactions (DPT4T) has served the retail environment for some time in identifying trusted point of sale (POS) devices and providing secure end-to-end connections of both payment and critical non-payment data. On average, it takes about six years for a fixed POS refresh. So when we brought DPT4T to market we used a predecessor of SGX, that existed in chips dating as far back as 2011, to ensure that this technology could run on existing hardware,” says Mohideen.
“We also introduced Intel® Online Connect, which is embedded in the new 7th Generation Intel Core processors. With the help of our ecosystem partners we are modernising online authentication to make passwords a thing of the past, by enabling biometric authentication on all PCs embedded with 7th generation Intel Core processors, leveraging SGX. There are a wide range of applications of SGX to IoT security on payment and non-payment data,” Mohideen concludes.
It may be some time before we have that IoT stalwart, the connected fridge frictionlessly ordering more milk as we run out, but the banks are having to incorporate PSD2 and open up to new applications that Fintech and IoT makes possible. In the process, transactions using trusted devices will be vital and, with any luck, only when payments appear suspicious will things heat up from friction.
PSD2 is scheduled to be introduced on 13th January 2018.
*Trademarks are the property of their owners
For more information: