Check what it means to be compatible with PSD2 EU Directive for APInf #1994
This is interesting. Quite a lot of discussion about it on Twitter and Facebook.
I'll take this one.
Who gains benefit?
Users, as often is the case when competition is encouraged, will gain the most. New services will arise in the form of payment methods, intelligence on how to better use each one’s savings, and reusing identification capabilities. The main difference will be that we won’t need wallets anymore (eg: Paypal, PingIt) but we’ll simply ask Whatsapp to connect to our bank account and use our fingerprint to accept a payment request from the colleague next door. No need to open 3 different apps, fiddle with 20+ digit long IBAN codes and double check at the cubicle if the payment arrived alright. The main scope of the PSD2 is to encourage new players to enter the payment market, and it does this by mandating banks to “open up the bank account” to external parties. These Third Party Players (TPP) are divided into two types:
AISPs are providers that can connect to bank accounts and retrieve information from them. A typical example of this would be an investment recommendation service: the service will be able to see how much money a user is saving each month from his income, and provide tailored advice based on his spending patterns.
PISPs are players that can initiate payment transactions. This is a radical change in this industry, as currently there are not many payment options that can take money from one’s account and send them elsewhere. Currently we only have (SEPA) Credit Transfers and debit cards, which are both offered only by the account holder’s own bank. In the future we will probably see several different payment options that can move money from the account, without the need of using a wallet (eg: Paypal).
The Payment Initiation Service Providers (PISPs) stand to gain the most. The European Banking Authority (EBA) will develop a central register of authorised and registered payment institutions. Benefits in brief:
Consumer rights:
Time frame and requirements
By January 2018, European banks must provide access to customer information (e.g. account balances and details) to AISPs, introducing another entity to the customer relationship. In addition, banks must expose customer information and payments services to Payment Service Providers (PSPs), dis-intermediating the traditional payments model. Most importantly, banks and financial services institutions may also take on the role of AISPs and PSPs themselves. This will all be enabled through the effective use of APIs; setting the scene for the API economy to play a disruptive role in the future of financial services. The Open Banking Standard is a response to PSD2 requirements. The umbrella organisation is the Open Data Institute. In its report the OB Working Group recommends that:
Security
PSD2 requires payments services providers to implement strong customer authentication (SCA) when accessing payment accounts online, initiating electronic payments and through remote channels that have a risk of payment fraud. SCA is based on the use of two or more elements that include Knowledge, Possession and Inherence and the authentication mechanism must work in a range of Additionally, transaction details, e.g. payee and transaction amount information, need to be presented to the customer as part of the strong authentication mechanism. This has to be achieved in a manner that supports the “development of user-friendly, accessible and All the major security related requirements touch us at some level:
For auth purposes (open source) https://www.powerauth.com/ seems to be PSD2 compatible and is an API-based auth solution. We probably need to support this kind of extensive auth framework or else decide that others handle all authentication. Nevertheless it's clear that all our data (internal too) has to be HTTPS.
Great research! Should we move the documented findings to the documentation repository from the issue?
Thanks. I'll copy the content to docs and close the issue.
Copied to research: https://github.com/apinf/docs/blob/master/docs/research/PSD2.md
This is very important in the monetization strategy.