How can Dynamic Linking be implemented so that it ensures the security/integrity and authenticity of the code at each stage of the authentication process?
Article 5 of the RTS describes the requirements for Dynamic Linking:
"1. Where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4 of this Regulation, they shall also adopt security measures that meet each of the following requirements:

- the payer is made aware of the amount of the payment transaction and of the payee;

- the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;

- the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;

- any change to the amount or the payee results in the invalidation of the authentication code generated.

2. For the purpose of paragraph 1, payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following:

a) the amount of the transaction and the payee throughout all of the phases of the authentication;

b) the information displayed to the payer throughout all of the phases of the authentication including the generation, transmission and use of the authentication code."
The term "authentication code" is central here. Under earlier payment schemes this would typically be a TAN code, perhaps read from a printed list of such codes. With PSD2 this type of system is no longer possible, as the code has to follow the transaction: it must be bound to the specific amount and payee. This does not mean that the authentication code has to be shown to the customer, or has to be re-entered by the customer if the transaction takes place on a single device. The authentication code is simply a code which has to follow the transaction at every step.
In Strong Customer Authentication (SCA) it is important that the confidentiality, authenticity and integrity of the dynamic linking are verified at each step of the SCA process. This means that the communication from the payment service provider to the customer's handset must be secured and authenticated, as must the message returning the result of the authentication. In addition it is important that the actions happening on the handset are protected from malware. PSD2 requires that the transaction authentication takes place in a secure execution environment. The payment service provider is also required to ensure that the payment details presented to the consumer are correct and correspond to the authentication code. This means that the interface presented to the consumer for transaction validation on his/her mobile must be correct and authentic, and protected against attempts to trick the consumer (e.g. by windows overlaid on top of the transaction) or against modification by malware.
In the case of a transaction being initiated on a PC and SCA taking place on a smartphone, there is also no requirement for the customer to re-enter any codes received on the smartphone, as a simple comparison of transaction details should be sufficient.
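The following is an added illustration of the mechanism described above, not code from the original page or from any particular payment service provider. It models the authentication code as a keyed MAC (HMAC-SHA256) computed on the handset over the amount and payee exactly as shown to the payer, plus a per-transaction challenge issued by the payment service provider (PSP). The PSP then recomputes the code over the transaction details it recorded at initiation, so any change to amount or payee, or a replay of an earlier code, is rejected. The device key, transaction values, IBANs and the challenge format are all constructed assumptions; in a real deployment the key would live in the handset's secure execution environment and the messages would additionally travel over an authenticated, confidential channel such as TLS.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """The details the payer must be made aware of: amount and payee (plus an id)."""
    txid: str
    amount_cents: int
    currency: str
    payee_iban: str


def canonical(tx: Transaction) -> bytes:
    """Unambiguous, fixed-order encoding of the linked fields.

    Sorted keys and a typed integer amount avoid the classic MAC pitfall where
    ad-hoc string concatenations of amount and payee can collide.
    """
    return json.dumps(
        {"txid": tx.txid, "amount_cents": tx.amount_cents,
         "currency": tx.currency, "payee_iban": tx.payee_iban},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def new_challenge() -> bytes:
    """Fresh per-transaction challenge from the PSP; binds the code to this attempt only."""
    return secrets.token_bytes(16)


def generate_auth_code(device_key: bytes, tx: Transaction, challenge: bytes) -> str:
    """Handset side: MAC over exactly what was displayed to the payer.

    Assumption: device_key is held in the handset's secure execution environment
    (secure element / TEE); here it is a plain bytes value for illustration.
    """
    mac = hmac.new(device_key, challenge + canonical(tx), hashlib.sha256).digest()
    return mac.hex()


def verify_auth_code(device_key: bytes, original_tx: Transaction,
                     challenge: bytes, code: str) -> bool:
    """PSP side: recompute over the ORIGINAL transaction recorded at initiation,
    never over details echoed back by the device, so any change to amount or
    payee between initiation and authentication invalidates the code."""
    expected = generate_auth_code(device_key, original_tx, challenge)
    return hmac.compare_digest(expected, code)


# Constructed sample data (not from the page); placeholder key, not a real secret.
DEVICE_KEY = bytes.fromhex("00" * 16 + "ff" * 16)


def run_scenarios() -> dict:
    """Walk through the honest flow and three failure cases; returns PSP verdicts."""
    original = Transaction("tx-0001", 1250, "EUR", "DE89370400440532013000")  # EUR 12.50
    challenge = new_challenge()

    # Honest device: shows `original` to the payer and computes the code over it.
    honest_code = generate_auth_code(DEVICE_KEY, original, challenge)

    # Payee altered on the handset after initiation: code no longer matches.
    swapped_payee = Transaction("tx-0001", 1250, "EUR", "FR7630006000011234567890189")
    swapped_code = generate_auth_code(DEVICE_KEY, swapped_payee, challenge)

    # Amount altered after the payer approved it: code no longer matches.
    raised_amount = Transaction("tx-0001", 125000, "EUR", original.payee_iban)
    raised_code = generate_auth_code(DEVICE_KEY, raised_amount, challenge)

    return {
        "honest": verify_auth_code(DEVICE_KEY, original, challenge, honest_code),
        "payee_changed": verify_auth_code(DEVICE_KEY, original, challenge, swapped_code),
        "amount_changed": verify_auth_code(DEVICE_KEY, original, challenge, raised_code),
        # An honest code presented against a later challenge is also rejected.
        "replayed": verify_auth_code(DEVICE_KEY, original, new_challenge(), honest_code),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:15s} -> {'accepted' if accepted else 'rejected'}")
```

The key design point is in `verify_auth_code`: the PSP compares against the transaction it stored when the payer initiated it, which is what makes the code "correspond to the original specific amount ... and to the identity of the payee". Where the code is to be displayed or typed by the customer, it can be truncated (e.g. to a short decimal string) after the MAC is computed; in the single-device case it can simply be sent back with the result message, as the text notes.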