Introduction

The MYPINPAD Authenticator platform delivers a solution for financial organisations wanting to comply with the imminent PSD2 and Strong Customer Authentication (SCA) requirements. The following guide describes how the MYPINPAD Authenticator platform and its associated API deliver this capability, and what resources are available to partners and potential customers.

The Platform

The MYPINPAD Authenticator platform is a PSD2 compliance-ready solution that addresses the three factors of multi-factor authentication: knowledge, inherence, and possession. Combined with dynamic linking (What You See Is What You Sign), the platform delivers a PSD2 capability for all in-band and out-of-band online authentication environments (PC and mobile based).

What is Strong Customer Authentication?

The Regulatory Technical Standard (RTS) published by the European Banking Authority (EBA) describes the principles of multi-factor authentication but falls short on how this should be implemented.

This lack of clarity has the potential to increase costs for service providers and banks who struggle to meet these new regulations. To assist financial institutions and PSPs in meeting Strong Customer Authentication (SCA) requirements in a cost-effective and timely way, MYPINPAD offers the PSD2 Strong Customer Authentication (SCA) platform, comprising a PSD2 open API on-demand authentication service and a consumer-focused Authenticator App, supporting both "in-line app" and "out-of-band" (e.g. online web) SCA.

PSD2 demands at least two of the following factors in place to authenticate a user:

  • Something the customer knows, Knowledge (e.g., payment card PIN)

  • Something the customer has, Possession (e.g., phone or hardware token)

  • Something the customer is, Inherence (e.g., a biometric factor such as facial or voice authentication)

MYPINPAD’s Authenticator platform and solution suite combines all three factors: the user’s phone (possession), their PIN (knowledge) and now, through a collaboration with AimBrain, a facial authentication step (inherence). The net result is a best-in-class solution that adheres to PSD2 compliance and offers consumers a fast and accurate way to authenticate themselves, giving organisations stronger protection against fraudulent transactions. Leveraging everyday smartphone cameras, organisations can now request a selfie or audio/video response that acts as the "inherence" factor for financial transactions.

"What You See Is What You Sign" (WYSIWYS) Convenient Dynamic Linking

To support the lifecycle of a customer payment authorisation and/or checkout flow, use our PSD2 API to trigger additional authentication steps when required by regulatory mandates, custom radar fraud rules, or redirect-based payment methods.

Convenient Dynamic Linking:

  • An authentication transaction can originate from any channel, for example within an existing banking or merchant (e.g. retail) app, or on an existing banking or merchant (e.g. e-commerce) web site. The Authenticator platform provides a white-label application installed on consumers’ devices, which can be added either as a separate app or as a module within an existing app, and links to existing workflows via the PSD2 API. For out-of-band transactions, dynamic linking is provided through an encrypted, one-time-use QR Code.

  • A simple, rapid enrolment process is facilitated via MYPINPAD’s payment card PIN verification service, which ties an end user’s payment card to their biometric. Enrol once on any device and verify on any mobile device, providing flexibility and a frictionless experience.

  • Confidentiality and integrity of the transaction data are protected throughout by our banking-grade end-to-end cryptography and multi-modal authentication process.

  • An authentication code can be provided by the payer (or optionally auto-generated by our PSD2 API). It is calculated over specific transaction data (e.g. the amount and information identifying the beneficiary), so the authentication code is bound to that transaction data and remains available for future fraud analysis and customer inquiry resolution.

  • The user is presented with a summary of the transaction data (e.g. Beneficiary, Amount, Currency, Payment Method) that they are about to authenticate. This requirement is often referred to as “What You See Is What You Sign” (WYSIWYS).

  • The user authenticates the transaction using their mobile device (e.g. a smartphone or tablet), one of their payment card PINs (note: PINs are managed by the card issuer) and a simple biometric scan using the device’s camera (e.g. a selfie).
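The dynamic-linking property described above (an authentication code bound to the amount and beneficiary the user saw, valid only while the authorisation session is open) can be illustrated as follows. This is an added example, not MYPINPAD’s implementation: the key, field names, HMAC-SHA256 construction and session lifetime are assumptions made for the illustration.

```python
"""Dynamic-linking authentication code: added illustration, not MYPINPAD's code."""
import hashlib
import hmac
import json
import secrets

# Constructed placeholder key. A real platform would provision per-device keys at
# enrolment and keep them in an HSM or secure element, never in source.
SERVER_KEY = bytes.fromhex("00" * 32)
SESSION_TTL_SECONDS = 180  # assumption for "expires within a few minutes"


def canonical(tx: dict) -> bytes:
    """Serialise the WYSIWYS fields in a fixed order so issuer and verifier agree."""
    fields = ("amount", "currency", "beneficiary", "session_id", "expires_at")
    return json.dumps({k: tx[k] for k in fields}, sort_keys=True,
                      separators=(",", ":")).encode()


def create_session(amount: str, currency: str, beneficiary: str, now: float) -> dict:
    """Open an authorisation session with a random id and a short expiry."""
    return {"amount": amount, "currency": currency, "beneficiary": beneficiary,
            "session_id": secrets.token_hex(8),
            "expires_at": int(now) + SESSION_TTL_SECONDS}


def authentication_code(key: bytes, tx: dict) -> str:
    """Code over the transaction data, so it is linked to amount and beneficiary."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def verify(key: bytes, tx_as_executed: dict, code: str, now: float) -> bool:
    """Accept only if the code matches the transaction actually being executed
    and the authorisation session has not expired."""
    if now > tx_as_executed["expires_at"]:
        return False
    expected = authentication_code(key, tx_as_executed)
    return hmac.compare_digest(expected, code)  # constant-time comparison


if __name__ == "__main__":
    t0 = 1_700_000_000.0
    tx = create_session("125.00", "EUR", "Example Beneficiary", t0)
    code = authentication_code(SERVER_KEY, tx)
    print("genuine transaction:", verify(SERVER_KEY, tx, code, t0 + 30))
    print("amount altered:    ", verify(SERVER_KEY, dict(tx, amount="1250.00"), code, t0 + 30))
    print("session expired:   ", verify(SERVER_KEY, tx, code, t0 + SESSION_TTL_SECONDS + 1))
```

Any change to the amount or beneficiary after the user has consented, or a reuse of the code after the session window, fails verification, which is the guarantee dynamic linking is meant to give.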

Get the PSD2 SCA and Dynamic Linking Compliance Solution

Need more details on how MYPINPAD can help you become compliant with all the SCA requirements? Want to access our development sandbox? Contact us.

How Does It Work?

Typical example of a Mobile Banking App "in-line" payment approval using SCA:

Mobile Checkout
  1. End-customer initiates a transaction requiring SCA

  2. Bank App invokes PSD2 Authenticator App passing transaction reference data

  3. End-customer provides consent for the transaction in the PSD2 Authenticator App via PIN+Biometric

  4. Bank executes or denies the transaction based on the end-customer SCA result (coupled to the bank’s internal fraud-risk engines)

Typical example of an acquirer servicing an eCommerce store ‘out-of-band’ payment approval request requiring SCA:

Online Web Checkout
  1. End-customer initiates a web check-out payment request requiring SCA

  2. Acquirer invokes PSD2 web API passing transaction reference data, a unique QR Code is displayed to the Customer on the web check-out page

  3. Customer Scans the QR code with their PSD2 Authenticator App

  4. End-customer provides consent for the transaction in the PSD2 Authenticator App via PIN+Biometric

  5. Acquirer allows or denies the transaction based on the end-customer SCA result (coupled to the acquirer’s internal fraud-risk engines); the check-out process completes.

Implementation

The Authenticator Platform, complete with the PSD2 Authenticator App, can be quickly integrated as a separate app or as a module within an existing financial institution, banking or merchant application (or web) suite where compliance with PSD2 SCA requirements is necessary. Our PSD2 Authenticator platform is available for development teams to integrate in a secure environment prior to LIVE implementation, which can be achieved in a matter of weeks.

To get started please see the developers section of this guide.

Our PSD2 Authenticator Platform Benefits

  • No pre-enrolment required, relying on existing debit and credit card issuer PIN management schemes

  • Frictionless user experience

  • Integrate into Merchant payment request flows for PSD2 SCA and 3DS2 compliance

  • Support for Consumers, Merchants, PSPs, Acquirers, Issuers, PISPs and AISPs

  • Browser and/or App "out-of-band" authentication support

  • Consistent Authentication across apps

  • Channel for cardholder issuer communication within merchant payment flow

  • Omni-channel: support for iOS apps, Android apps, and Web

  • White-label Authentication Solution

  • No customer or transaction data held on the customer’s device

  • The authorisation session for any transaction expires within a few minutes, limiting the window for attacks

  • Reduce fraud

  • Improve approval rates

  • On-demand pricing

Request Access to Our Secure PSD2 Development Sandbox

Contact our PSD2 team to discuss the full range of Authentication services and integration options available to enable your organisation to meet the PSD2 SCA mandate.