1. Introduction: PSD3 / PSR Passkey Implications

2. PSD3 and PSR: Public consultation as starting process

   2.1 What's the Difference between a EU Directive and a Regulation?

   2.2 What's the Current Status of PSD3 / PSR?

3. What Changes will PSD3 / PSR Introduce for SCA?

   3.1 What are the Most Important Inputs to the Upcoming PSD3 / PSR?

   3.2 Increased Complexity and Friction from Current SCA Implementations

   3.3 Technological Prescription and Its Impact on Innovation in SCA

4. What are the Implications of PSD3 / PSR on Passkey Authentication?

   4.1 Is Outsourcing or Delegation of Authentication Allowed?

   4.2 Is it Allowed to Use Biometric Sensors in Smartphones?

   4.3 Are Passkeys Mentioned in PSD3/PSR?

5. Conclusion

To address the advance of technology and further improve PSD2, the EU started a public consultation process in 2022 as basis for revision. The first results have shown that over 60% of the survey participants see "Regulatory uncertainty” and “Lack of standards as the main challenges in implementing SCA.

That’s also what we have seen in the first three articles (part 1, part 2 & part 3) of our series: it’s really a nuanced process to navigate the regulations and that the lack of up-to-date standards leads to a lot of regulatory uncertainty with regards to what encompasses SCA-compliant authentication. In our last part of the series, we will take a look at the latest public available information regarding upcoming the PSD3 / PSR standard.

As the European Union seeks to enhance, adjust, and transition from the Payment Services Directive (PSD2) to its successor, a bigger regulatory evolution is underway. The source of this change stems from the need to address emerging challenges and opportunities in the digital payments landscape, such as increased digital transactions, security concerns, and the rise of technological innovations. To better meet these challenges, the forthcoming PSD3 will be introduced as a Payment Services Regulation (PSR), rather than a directive.

The transition from a directive to a regulation is a big step. Regulations are directly applicable and take effect across all member states simultaneously, ensuring uniform implementation without the discrepancies that can arise from national interpretations under a directive. This approach aims to create a harmonized regulatory environment across Europe..

The current phase of the PSD3/PSR process involves ongoing public consultation. This allows stakeholders – including banks, payment service providers, consumer advocacy groups, and technology companies – to influence the draft by providing feedback and suggesting improvements. Public consultations play a vital role in shaping the regulation to be as effective and inclusive as possible, taking into account the diverse interests and concerns of all parties involved. Key players from various sectors have already participated in the consultation, sharing insights and highlighting potential impacts of the new regulation.

Broadly, the changes aim to enhance the

• security,
• efficiency, and
• inclusivity

of payment services, thereby responding to the advancements and the increasing frequency of digital transactions. The introduction of PSD3 / PSR is also expected to

• improve transparency,
• extend consumer protections, and
• promote competitive equality

across the market. This includes better access for non-bank payment service providers (PSPs) to payment systems and financial infrastructures, which should help level the playing field between traditional banks and newer financial service providers.

In the following, we have listed the most important input sources:

• Public consultation pages: The EU provides a summary page and also the actual, underlying inputs
• EBA Input: Opinion of the European Banking Authority on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2)
• Independent report by the European Commission: A study on the application and impact of Directive (EU) 2015/2366 on Payment Services

There is considerable input which discusses various topics, but when specifically talking SCA, PSD3 / PSR aims to improve and broaden the security measures. SCA has been crucial in lowering payment fraud by needing multiple factors to verify a user's identity for electronic payments. However, as security risks and technology change, there have been some weaknesses in SCA under PSD2.

PSD3/PSR aims to address these by introducing clearer rules on when and how SCA should be applied, ensuring that exemptions are appropriately tightened or expanded based on risk assessments and transaction contexts. For instance, there is an emphasis on improving the integration of SCA protocols into newer technologies such as digital wallets and biometrics, which are becoming more important in consumer transactions.

Furthermore, the new regulation will clarify the responsibilities of PSPs in implementing SCA, ensuring that these measures are both effective against fraud and user-friendly, thus not impeding the user experience. Enhanced SCA measures under PSD3 / PSR are expected to improve the security of online payments, while also adapting to and embracing innovations that can provide consumers with safer, more seamless payment interactions.

SCA has introduced more complex steps into daily payment activities, particularly affecting the ease with which payment transactions are initiated. For example, when using a Payment Initiation Service Provider (PISP), such as Stripe, for online payments, customers often have to start the transaction through the PISP's application and then switch to their bank’s application, provided by the Account Servicing Payment Service Provider (ASPSP), such as big banks like HSBC, Chase Bank or Barclays, to authenticate themselves. This multi-step process adds layers of complexity and negatively impacts conversion rates, although the overall impact on transaction abandonment varies. Specific data provided by some industry representatives indicates an average drop-off rate of 20% when SCA is in place, highlighting significant concerns regarding the implementation of SCA.

Conversely, in regions like Sweden and the Netherlands where two-factor authentication was already a standard practice, such declines were not evident. In countries like France, Germany, and Spain, where such practices were less common, the rate of incomplete or abandoned payments has increased.

Stakeholders have expressed concerns that the inherent friction required by SCA can be challenging to align with the seamless user experience expected in modern payment methods like digital wallets and account-to-account services (e.g., Apple Pay), leading some users to opt for less regulated, more user-friendly payment alternatives.

From the perspective of numerous stakeholders in the industry SCA has been seen as a hurdle to innovation, primarily due to its rigid and specific technological requirements. Industry insiders have raised concerns over the SCA's requirements that enforce active authentication methods, necessitating direct user involvement. This mandated approach restricts the adoption of smoother alternatives like Apple Pay and Google Pay, which may be preferred by many users. Moreover some providers have questioned the requirement that the two factors in the authentication process must come from different categories, proposing that secure authentication could still be achieved with factors from a single category (see also our article on 2SV vs 2FA).

The current strict guidelines are viewed as obstacles to embracing newer, potentially more secure and less pushy authentication technologies such as behavioral biometrics, artificial intelligence, and machine learning. These technologies promise enhanced detection of fraudulent activities and deeper insights into customer behaviors through methods such as analyzing historical data patterns and detecting proxies. The industry broadly defines biometrics to include both physical traits like fingerprints or facial recognition and behavioral characteristics. This broader definition stands in contrast to the European Banking Authority’s (EBA) narrower interpretation, which limits biometrics to physical characteristics only.

This limitation on biometric technology has sparked an intensive debate. Proponents of including behavioral biometrics say that it would lead to authentication processes that are not only more secure but also more user-friendly. A leading payment network strongly advocates for the integration of behavioral biometrics with one-time passwords (OTP), highlighting several benefits. This combination is noted for its higher precision in identifying novel fraud types, such as those stemming from social engineering, and its increased security due to the difficulty of duplicating the data involved.

Additionally, these technologies do not necessitate specialized biometric hardware, making them more accessible and inclusive. Advocates argue that such innovations could greatly decrease the rates of transaction failures and abandonments, offering significant advantages to both consumers and merchants.

In the following section, we have selected parts of the ongoing discussions that seemed relevant to passkey authentication.

The delegation and outsourcing of SCA under the proposed PSR framework is recognized as essential to allowing the development of innovative security solutions. This approach allows payment service providers (PSPs) to utilize advanced authentication methods developed by third parties, which can lead to significant improvements in security.

However, there are considerations regarding the complexity and regulatory requirements that come with such outsourcing arrangements. Service provider have expressed concerns that mandating outsourcing agreements for all third-party SCA methods could disproportionately affect the competitive landscape. This requirement might pose significant challenges for smaller players in the market, potentially hindering their ability to introduce innovative SCA methods due to the complexities and costs associated with formal outsourcing agreements. Such regulatory barriers could prevent innovation and create competitive disadvantages.

To address these challenges, it is proposed that only scenarios where the payer’s PSP does not retain control over the SCA process should be classified as outsourcing (e.g. managed instances where there is no control over architecture and storage decisions) . This would mean that any authentication model where the payer’s PSP maintains control over the SCA should not be considered as delegation and, therefore, should not be subjected to the stringent outsourcing requirements.

With passkeys created under the relying party ID of the PSP the control of the authentication is easily maintained, because the credential can only be used on the page of the PSP therefore it could be easier to explain how control could be retained in case of delegating passkeys authentication to a third-party.

The European Banking Authority (EBA) has addressed the use of third-party technology in SCA, particularly focusing on biometric sensors such as fingerprint and retina readers integrated into smartphones. This guidance highlights that PSPs can utilize these biometric capabilities as part of their SCA implementations, provided they ensure these technologies meet the required security standards.

Specifically, the EBA clarifies that while PSPs can leverage biometric sensors provided by smartphone manufacturers, they must verify that these technologies adhere to the security measures established in the delegated regulation of PSD2. This includes ensuring that the smartphone itself has a satisfactory level of security, that measures are in place to maintain the independence of authentication elements, and that these security measures are well-documented, regularly tested, evaluated, and audited.

This approach acknowledges a reality in modern digital transactions: even though there is no direct contractual relationship between PSPs and smartphone manufacturers, the security protocols implemented by manufacturers can be seen as reliable. The assumption is that as long as the smartphone manufacturer has taken the necessary precautions to ensure the security of the biometric sensors, these can be safely incorporated into the SCA processes of financial transactions. This perspective supports a more integrated and user-friendly approach to authentication, enhancing both security and convenience without compromising the integrity of the payment services.

For passkeys, that is interesting as the biometric scanners used are always part of the operating system the user is on and therefore would be out of scope regarding compliance considerations (i.e., it's not necessary to worry about SCA compliance, because contractual arrangement with the device providers would be unfeasible and security of those scanners are widely documented).

Passkeys are not addressed explicitly in any of the previous documents, likely because they are a relatively new technology that hasn't been thoroughly discussed in existing literature. While the risk of phishing is frequently referenced, the susceptibility of various authentication factors to phishing attacks isn't explicitly discussed. Instead, this risk is only implicitly acknowledged through the listing of security requirements.

To conclude, the anticipated PSD3 / PSR presents an improvement refining the regulatory landscape of digital payment services across the European Union. By transitioning from a directive to a regulation, PSD3 / PSR promises an implementation that could address current challenges in the digital payments sector, particularly the complexities and security concerns introduced by the SCA requirements under PSD2.

The ongoing public consultation process represents an essential step in this regulatory evolution, ensuring that the perspectives and insights from a diverse group of stakeholders are considered. This could lead to the adoption of more user-friendly authentication methods, such as behavioral biometrics or passkeys.

Based on these findings, it’s obvious that passkeys play a crucial role in the future of digital authentication. Their robust security and inherent resistance to phishing attacks align with the objectives of PSD3 / PSR to provide a safer and more efficient digital payments ecosystem. Although not explicitly mentioned in the current drafts or consultations, it is very likely that passkeys will be integrated into the regulatory framework as a compliant authentication mechanism. If not today as device-bound or synced passkeys, maybe in the future, when the WebAuthn Standard Level 3 is released with supplementalPubKeys support..

As a company that is committed to the integration of passkeys, we want to provide timely updates on regulatory changes and offer support to organizations navigating the adoption of passkeys in alignment with the upcoming PSD3 / PSR standards wherever we can. Feel free to contact us, join our passkeys community on Slack or subscribe to our Passkeys Substack.

Here are the links to the other parts of our series:

• Part 1 “Device-Bound vs. Synced Passkeys (SCA & Passkeys I)"
• Part 2 "Analysis of PSD2 & SCA Requirements (SCA & Passkeys II)"
• Part 3 "What SCA Requirements Mean for Passkeys (SCA & Passkeys III)"