June 11, 2017 -
In a new company blog post, EyeVerify solutions engineer Ryan Schroeder details the essential aspects of the Revised Payment Services Directive (commonly referred to as PSD2) and what payment service providers will need to do in order to be compliant with the law’s strong customer authentication (SCA) requirements.
PSD2, which takes effect in January 2018, is designed to make digital payments more convenient, faster, cheaper and more secure for consumers, and to open the way for new services and technologies.
The directive applies to the 31 countries of the European Union and the European Economic Area.
Payment service providers must meet several strong customer authentication requirements in order to comply with PSD2.
In February, the European Banking Authority (EBA) submitted a final draft of Regulatory Technical Standards (RTS) to the European Commission.
Among other things, the RTS requires SCA to use at least two of three independent elements: knowledge (something only the user knows, such as a password or PIN), possession (something only the user has, such as a hardware token or mobile phone) and inherence (something the user is, such as a biometric).
Because SCA must itself be secure, the RTS also sets requirements on each element: knowledge elements must be protected against disclosure, possession elements against replication, inherence elements must have a very low false acceptance rate, and the elements must be independent, so that compromising one does not compromise the reliability of the others.
Both banks and non-bank payment service providers will soon be required to comply with PSD2.
Schroeder then makes a case for EyeVerify’s mobile biometric solution, Eyeprint ID, which is designed to meet two factors of SCA: inherence and possession.
In terms of 'inherence', the solution verifies an individual's eyeprint, which is unique to each person and stable over time. EyeVerify's latest liveness detection is designed to reject presentation attacks that use a photo or video of the eyes in place of the live eyeprint.
Creating, storing and verifying the eyeprint locally on the phone is what lets the solution also cover the 'possession' factor, which it does in two ways. First, the biometric template is protected with cryptographic algorithms and hash functions keyed from a unique device identifier.
The software reads the UUID on Apple phones and the Android ID on Android phones and uses it to bind the template to that handset, so a template copied to another device cannot be used there. Note that both values are identifiers readable by software rather than hardware-rooted secrets, so this binding is only as strong as the protection of the identifier itself.
Second, Eyeprint ID uses public key cryptography to digitally sign a one-time token sent by the financial institution.
An RSA key pair is generated on the device. The private key is stored on the device in encrypted form and, Schroeder says, cannot be exported, spoofed or duplicated; only the public key needs to be shared with the institution so that it can verify signatures.
A valid signature over the institution's token proves that the signing device holds the private key, which is the proof of possession, and gives the institution non-repudiation for the authentication.
Finally, decryption of the private key is gated on a successful eyeprint match: without a match the key cannot be decrypted and the token cannot be signed. This is how the solution addresses the independence requirement: a stolen phone alone cannot produce a signature without the user's eyes, and the eyeprint alone cannot produce one without the device-bound key.
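The possession and independence mechanisms described above (a template sealed to the device identifier, a device-bound private key that is unsealed only after an eyeprint match, and a one-time token the device signs for the bank) are easier to reason about with both sides of the exchange in front of you. The following Go program is an added example written for this page, not EyeVerify's code or its actual protocol: the device identifier, the app secret, the byte-comparison "matcher" and the eyeprint template bytes are constructed stand-ins; AES-256-GCM keyed from the device ID stands in for whatever wrapping the SDK uses; Ed25519 replaces the RSA the post names so the example stays short (the challenge-response is the same); and the match-before-unseal gate is enforced in software rather than by a hardware-backed keystore. It also covers two failure modes the post only implies: a replayed token is rejected, and sealed blobs copied to a handset with a different identifier cannot be opened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// appSecret is an assumed per-app constant mixed into the device-bound key.
const appSecret = "assumed-app-secret"

// deriveKey binds an AES-256 key to the device ID (a string standing in for the iOS UUID / Android ID).
func deriveKey(deviceID string) []byte {
	h := sha256.Sum256([]byte("eyeprint-wrap|" + deviceID + "|" + appSecret))
	return h[:]
}

// seal prepends a random nonce; open checks the GCM tag, so a blob copied to another device ID fails to open.
func seal(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // neither constructor can fail for a 32-byte AES key
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read does not return errors; it aborts on a broken CSPRNG
	return g.Seal(nonce, nonce, pt, nil)
}

func open(key, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Vault is what the app keeps on the phone: the sealed template and the sealed private key.
// The public key goes to the bank at enrollment; the device ID is read from the OS at each use.
type Vault struct {
	sealedTmpl, sealedKey []byte
}

// Enroll seals the (constructed) eyeprint template and a fresh signing key under the device-bound key.
func Enroll(deviceID string, template []byte) (*Vault, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error only if crypto/rand fails; see seal
	k := deriveKey(deviceID)
	return &Vault{seal(k, template), seal(k, priv)}, pub
}

// match stands in for the biometric comparator: same length and at most 1/16 of the bytes differ.
// Constructed for the demo; a real matcher compares extracted feature vectors, not raw bytes.
func match(live, stored []byte) bool {
	diff := 0
	for i := range stored {
		if i >= len(live) || live[i] != stored[i] {
			diff++
		}
	}
	return len(live) == len(stored) && diff <= len(stored)/16
}

// SignChallenge is the device side: unseal the template (fails off-device), run the match (inherence),
// then unseal the private key and sign the bank's one-time token (possession). Gate is software here.
func (v *Vault) SignChallenge(deviceID string, live []byte, token string) ([]byte, error) {
	k := deriveKey(deviceID)
	tmpl, err := open(k, v.sealedTmpl)
	if err != nil {
		return nil, errors.New("template not bound to this device")
	}
	if !match(live, tmpl) {
		return nil, errors.New("eyeprint match failed; private key stays sealed")
	}
	priv, err := open(k, v.sealedKey)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), []byte(token)), nil
}

// issued is the bank's store of outstanding one-time tokens (in-memory for the demo).
var issued = map[string]bool{}

// IssueToken is the bank side: a fresh 256-bit random token that the device must sign.
func IssueToken() string {
	b := make([]byte, 32)
	rand.Read(b)
	t := hex.EncodeToString(b)
	issued[t] = true
	return t
}

// Verify consumes the token before checking the signature, so a replay fails even with a genuine signature.
func Verify(pub ed25519.PublicKey, token string, sig []byte) bool {
	ok := issued[token]
	delete(issued, token)
	return ok && ed25519.Verify(pub, []byte(token), sig)
}
```

Three things to look for: Verify deletes the token before checking the signature, so a replay fails even when the signature over it is genuine; the template is unsealed and matched before the key is touched, so a non-matching sample never reaches the private key; and the same blobs presented under a different device ID fail GCM authentication rather than decrypting to garbage. A production SDK would put the match-before-unseal gate in a hardware-backed keystore instead of application code.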