PSD2 and Strong Customer Authentication: Is Text Messaging Allowed?

The Second Payment Services Directive (PSD2) is revolutionizing the way that financial services companies provide customer authentication and secure connectivity, and Syniverse has been moving right along with this revolution to help banks, mobile operators, and other businesses in implementing PSD2 to ensure their compliance.

As part of this, we’re sharing some of our latest insights on PSD2 here on the Syniverse Blog in a series of posts. We increasingly receive a number of common questions about PSD2’s requirements, challenges, and opportunities. In this post and others, we answer these to shed some more light on where we are with PSD2 now and what’s ahead.

In our first post, we addressed the delay with PSD2, and in this post, we address the question in the title of the post above. In fact, depending who you speak to across the European finance industry, you can still get different answers to the question, “Is text messaging allowed with PSD2 and strong customer identification?” This occurs despite an underlying E.U. law already in place and additional guidance that was issued this summer.

In my opinion, though, this is one of the factors that has contributed to the delay in enforcement of the strong customer authentication, a crucial element of PSD2. Let’s take a closer look by diving into the most common questions we receive on this, and our answers that go over some of the fine print involved with PSD2 and text messaging.

Is text messaging allowable with PSD2?
Yes. The European Banking Authority guidance clearly says on Page 6, Paragraph 25, and Page 7, Table 2, that text messaging is allowed to be used as a possession element, explained further in the next answer.

Why does the guidance say that text messaging isn’t allowable, on Table 3, Page 8?
This is confusing. On Page 8, it says that text messaging is not allowable as a knowledge element. Strong customer authentication defines rules for multi-factor authentication, including that two of  three factors are required, with these three factors being knowledge, possession and inherence. What the guidance means is that text messaging can be used as a possession element, but not a knowledge element.

Why does the guidance mention the SIM (subscriber identity module) in Paragraph 25, Page 6?
This relates to what text messaging proves possession of. The guidelines state that text messaging itself is not proof of possession, but that it needs to be used to prove possession of a SIM. Because text messaging takes place via a phone number, it is possible for it to be delivered to different devices. The classic examples are when you change mobile operators or get a nano-SIM for your shiny new smartphone. However, this can also lead to fraud, such as when a mobile phone number is taken over by a hacker. This could be done through SIM swap, port-out fraud or SS7 hacking. To answer the question above then, tying text messaging to the SIM mitigates these fraud risks.

So how can I bind text messaging to the SIM?
This can be done by checking that the SIM is the same when sending a text message. Mobile operators are now providing access to SIM change and porting data. By using this data to check whether the SIM has changed, the possession of the correct SIM can be proven.

Sounds good, but can you give a real-world example?
The U.K. offers a prime example within the E.U. for PSD2. U.K. mobile operators have worked with the industry to make SIM swap and other fraud prevention data available, and they recently presented this at a GSMA summit. As a result, text messaging is now being widely used by U.K. banks for strong customer authentication. Sometimes, though, banks deploy text messaging alongside other solutions, such as in-app authentication, in order to provide ubiquitous coverage. However, some banks are deploying text messaging as the only strong customer authentication solution for their customers, in order to simplify the customer experience.

What about outside the U.K.?
Elsewhere in Europe, banks are mainly concentrating on app-based solutions. I think this is for a couple of reasons. One is the delay in the European Banking Authority clarifying whether text messaging is supported, but also because not all European mobile operators have made SIM swap data available yet. This has limited the ability to tie authentication to the SIM.

So what’s next?
E.U. mobile operators are busy rolling out SIM swap and other APIs, and once they are available, this means that text messaging can be more widely used. I believe this is important, even though other solutions will already be in place. Financial inclusion and customer experience are crucial, and they will require that solutions support all users with a consistent, widely available user experience. Text messaging is still the only solution that provides that.

Mike Bradford joined Syniverse in 2010 and has developed a number new products for Syniverse’s mobile authentication, digital identity, fraud prevention, and mobile payment solutions. He has more than 30 years of experience in mobile, which has included contributions to ETSI standards, GSMA award shortlists and industry guidelines for in-app payments. Before joining Syniverse, in 2010, Mike worked across a range of organizations and industries, including T-Mobile, Neustar, BAE Defence, and NATS, and technologies including stealth, air traffic control, mobile video, and instant messaging. He holds a bachelor’s degree in electronic engineering and a master’s degree in radio frequency communications, and he is a member of the Institute of Engineering and Technology.



Submit a Comment

Your email address will not be published.