EyeVerify details PSD2 and how payment providers can comply with SCA requirements


In a new company blog post, EyeVerify solutions engineer Ryan Schroeder details the essential aspects of the Revised Payment Services Directive (commonly referred to as PSD2) and what payment service providers will need to do in order to be compliant with the law’s strong customer authentication (SCA) requirements.

PSD2, which will go into effect in January, is designed to make it more convenient, faster, less expensive and more secure for consumers to make digital payments, as well as to develop new services and technologies.

The law will affect the 31 countries of the European Union and the European Economic Area.

There are several secure authentication requirements that payment service providers will need to meet in order to achieve compliance with PSD2.

In February, the European Banking Authority (EBA) submitted a final draft of Regulatory Technical Standards (RTS) to the European Commission.

Among other things, the document states that SCA requires two of three elements for compliance: knowledge (password or PIN), possession (token or mobile phone), and inherence (biometric).

Since SCA itself has to be secure, its elements cannot be disclosed or replicated, they must produce few false positives, and they must be independent.

In the near future, both participating banks and non-banks will be required to comply with PSD2.

Schroeder then makes a case for EyeVerify’s mobile biometric solution, Eyeprint ID, which is designed to meet two factors of SCA: inherence and possession.

In terms of ‘inherence’, the solution verifies an individual’s eyeprint, which is highly unique to each individual and stable over time. In addition, EyeVerify’s latest liveness technology ensures that the eyeprint cannot be replicated with a photo or video.

Creating, storing and verifying the eyeprint locally also meets the ‘possession’ requirement in two ways. First, the solution secures the biometric template using cryptographic algorithms and hashing functions based on a unique device ID.

The software obtains the UUID (universally unique identifier) for Apple phones and the Android ID for Android phones, which ties the template to the user’s mobile phone so that it cannot be replicated on another device.

For the second method, Eyeprint ID uses public key cryptography to digitally sign a one-time use token that is sent by the financial institution.

Using RSA algorithms, a public/private key pair is created. The private key is encrypted and stored on the device, and cannot be exported, spoofed, or duplicated.

The digital signing method authenticates the user and provides non-repudiation, which ties the private key directly to the mobile phone for proof of possession.

Finally, the public key cryptography scheme also complies with the independence requirement: a successful match is needed to decrypt the private key and sign the token.
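The signed one-time token exchange described above, sketched as an added example that is not EyeVerify's code: the bank issues a random token, the device signs it only after a match, and the bank accepts each token once. Assumptions: the names `Bank`, `Enroll`, `Issue`, `DeviceSign` and `Verify` are hypothetical, the biometric match is modelled as a boolean, RSA-PSS with SHA-256 is an assumed choice (the article says only "RSA algorithms"), and at-rest encryption of the private key is not modelled.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Bank struct {
	pub     *rsa.PublicKey    // enrolled public key; the private key stays on the phone
	pending map[[32]byte]bool // tokens issued and not yet redeemed
}
// Enroll creates the RSA key pair "on the device" and registers the public half.
func Enroll() (*rsa.PrivateKey, *Bank) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key, &Bank{&key.PublicKey, map[[32]byte]bool{}}
}
// Issue returns a fresh random one-time token and records it as pending.
func (b *Bank) Issue() (tok [32]byte) {
	if _, err := rand.Read(tok[:]); err != nil {
		panic(err)
	}
	b.pending[tok] = true
	return tok
}
// DeviceSign signs the token only after a successful match (modelled as a bool).
func DeviceSign(key *rsa.PrivateKey, tok [32]byte, matched bool) ([]byte, error) {
	if !matched {
		return nil, fmt.Errorf("no match: private key stays locked")
	}
	h := sha256.Sum256(tok[:])
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil)
}
// Verify consumes the token on first presentation, then checks the signature.
func (b *Bank) Verify(tok [32]byte, sig []byte) bool {
	issued := b.pending[tok]
	delete(b.pending, tok) // one-time use: a replayed token is no longer pending
	h := sha256.Sum256(tok[:])
	return issued && rsa.VerifyPSS(b.pub, crypto.SHA256, h[:], sig, nil) == nil
}
func main() {
	key, bank := Enroll()
	tok := bank.Issue()
	sig, err := DeviceSign(key, tok, true)
	fmt.Println(err, bank.Verify(tok, sig), bank.Verify(tok, sig)) // <nil> true false
}
```

Because the bank holds only the public key, a valid signature over a token it just issued shows that the enrolled device produced it, and the consumed-token check is what makes a captured signature useless on replay.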
