Payment Services Directive

29 Nov

So, Tesco was hacked. Although there is no official word yet on how this happened, the chatter among people far smarter than me suggests the issue is related to passwords and the Tesco Clubcard.

Followers of CyberMatters will recognise that I often blog about password issues. Is there anything new to say on the subject I hear you ask? Yes… 

I have been critical of “password killer” solutions in the past (see, for example, “We cannot let passwords die (yet)”), where I argued that we needed an industry-driven initiative to make this happen.

Is the Payment Services Directive 2 – EU Directive 2015/2366 – that initiative?

It requires that by 2018 banks implement stronger authentication, which it defines as:

“Strong customer authentication” means “an authentication based on the use of two or more elements categorised as:

  • knowledge (something only the user knows [for example, a password]),
  • possession (something only the user possesses [for example, a particular cell phone and number]) and
  • inherence (something the user is [or has, for example, a finger print or iris pattern])

that are independent, in that the breach of one does not compromise the others, and is designed in such a way as to protect the confidentiality of the authentication data.”

Ah, I hear you say – this says we still need passwords (knowledge).

Yes, but the context is now very different: the password is one part of a multi-factor authentication solution. It could be the local password used to unlock something in your possession (phone, smart card etc.). There is no longer any need for it to be stored by companies on servers, which are broken into time and time again. It could also be a one-time password generated locally.
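An added example (not code from this post, nor Intercede's or the FIDO Alliance's) of that pattern in stdlib-only Python: the PIN is the knowledge factor and is checked only on the device; the device is the possession factor and generates an RFC 6238 one-time code locally; the server keeps just the per-account seed, so a server breach yields no PINs. The seed, salt and user names are constructed values.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    return hotp(seed, unix_time // step, digits)

def pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class Device:
    """Possession factor: the PIN (knowledge) is checked locally and never sent."""
    def __init__(self, seed: bytes, pin: str, max_attempts: int = 3):
        self._seed = seed
        self._salt = b"constructed-salt"       # fixed so the example is reproducible
        self._pin_hash = pin_hash(pin, self._salt)
        self._max_attempts = self._attempts_left = max_attempts

    def generate(self, pin: str, unix_time: int):
        if self._attempts_left == 0:
            return None                        # locked after repeated wrong PINs
        if not hmac.compare_digest(pin_hash(pin, self._salt), self._pin_hash):
            self._attempts_left -= 1
            return None
        self._attempts_left = self._max_attempts
        return totp(self._seed, unix_time)     # only the OTP goes to the server

class Server:
    """Relying party: holds per-account seeds only, so there is no PIN store to breach."""
    def __init__(self, seeds: dict):
        self._seeds = dict(seeds)
        self._last_step = {user: -1 for user in seeds}   # replay protection
    def verify(self, user: str, code: str, unix_time: int, skew: int = 1) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        now = unix_time // 30
        for step in range(now - skew, now + skew + 1):   # tolerate clock drift
            if step > self._last_step[user] and hmac.compare_digest(hotp(seed, step), code):
                self._last_step[user] = step           # each code accepted once
                return True
        return False
```

The HOTP/TOTP functions reproduce the RFC 4226 and RFC 6238 test vectors, so the server side can be checked against any standard authenticator app.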

We know NIST has deprecated the use of SMS, so I am sure there will be innovative new solutions coming to market. The FIDO Alliance is working on standards, and my former employer, Intercede, has an innovative solution.

Our opportunity, as an industry, is to use this to kill the password once and for all. Let’s not just roll this out to banks; let’s grab the initiative and make it mandatory everywhere. But it does have to be industry-wide, otherwise the issue discussed in the post “We cannot let passwords die (yet)” remains.

Please join the discussion, we welcome your views...
