Dynamic Linking in the Revised Payment Services Directive
As every merchant based in the European Union is well aware, 2021 is the year that certain provisions of the revised Payment Services Directive (PSD2) start getting enforced. Strong Customer Authentication (SCA) is now mandated, along with an additional requirement for payment service providers (PSPs): dynamic linking.
Intended to prevent fraud and increase transparency for users, dynamic linking presents some challenges in terms of interpreting the regulations and getting a workable solution up and running. What does the PSD2 mean when it refers to dynamic linking, and how should payment service providers go about implementing it?
The PSD2 itself has applied since January 2018, and its Regulatory Technical Standards on SCA since September 2019, so the time for slow-walking compliance has long since passed; many EU member states are already able to start enforcing its mandates.
For merchants, one of the most important parts of the PSD2 is the Strong Customer Authentication mandate, which requires the payer's payment service provider to authenticate the customer with at least two of three independent factors: something the customer knows (a password or PIN), something the customer possesses (a phone or hardware token), and something intrinsic to the customer, like a biometric. Merchants don't perform that authentication themselves, but their checkout has to support it.
It sounds like a lot, but protocols like 3-D Secure 2 are able to meet the SCA requirement. For payment service providers, however, there is the additional requirement that remote electronic payment transactions are authenticated with dynamic linking.
For the most part, merchants based in the United States don't have to worry about the PSD2 mandates, which apply to payment service providers in the European Economic Area; where only one side of a transaction is in the EEA, SCA is applied on a best-effort basis.
However, merchants who use EU-based payment processors to serve their international customers may need to be mindful that they and their partners are following the appropriate regulations where applicable.
Merchants everywhere should also keep in mind that EU regulations tend to be influential on the payments industry, and nobody should be surprised if dynamic linking eventually becomes required in other markets.
What is Dynamic Linking?
Dynamic linking refers to binding the authentication code for a payment transaction to that transaction's specific amount and payee, so that a code generated for one amount and recipient cannot be used to authorize a different one. If either detail is altered between the payer's approval and the PSP's execution of the payment, the code no longer verifies.
According to the text of the Regulatory Technical Standard for the PSD2, these are the specific requirements:
- The payer is made aware of the amount of the payment transaction and of the payee;
- the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;
- the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;
- any change to the amount or the payee results in the invalidation of the authentication code generated.
Additionally, the PSP is required to “adopt security measures which will ensure the confidentiality, authenticity, and integrity” of the transaction details and the authentication code.
This all means that the PSP is required to display the amount and recipient of the payment to the payer as they are authenticating their transaction, and that a dynamic code must be generated to confirm both the amount and the recipient, such that any change to the amount or payee after the transaction has been initiated will cause authentication to fail.
What is the Purpose of Dynamic Linking?
The dynamic linking process is designed to prevent Man-in-the-Middle and social engineering attacks—two very different methods of carrying out fraud.
MITM attacks are typically fairly sophisticated. The attacker positions themselves somewhere between the payer and the PSP, whether by compromising a network path, by planting malware in the payer's browser or device, or by compromising a system inside the PSP, and then observes and alters transaction data while it's in transit.
For example, an attacker could intercept a payment from a customer to a merchant, change the amount from €50 to €500, and change the recipient to themselves. Dynamic linking is designed to make this type of attack fail: if the alteration happens before the details are displayed, the payer sees the wrong amount and payee on their authentication device and declines; if it happens after approval, the PSP recomputes the check over the amount and payee it is about to execute, and the altered details don't match the authentication code the payer generated.
Social engineering is a decidedly low-tech form of fraud, but it can be devastatingly effective nevertheless. It’s when fraudsters use deception, manipulation, and other person-to-person tactics to convince people to give up personal information or commit certain acts for the fraudster’s benefit.
By requiring transaction amounts and recipients to be displayed clearly at the time of authentication, dynamic linking can reduce the chances that fraud victims will approve transactions that they don’t understand.
How Can Payment Service Providers Implement Dynamic Linking?
The PSD2 mostly leaves it to businesses to figure out exactly how to implement its requirements on a practical level. While it may seem complex at first glance, there are a few relatively straightforward ways to make dynamic linking work.
Here's what dynamic linking is supposed to look like in practice. A payer initiates a transaction through their PSP, providing the recipient and amount. The PSP records those details and sends them, along with a one-time challenge value, to the payer's registered authentication device (the PSD2 does not dictate whether the code itself is computed on the PSP's side or by the payer's device, only that it must be specific to the amount and payee).
The payer sees the recipient and amount they were expecting and submits their approval, producing the authentication code. The PSP receives the payer's response, verifies that the code corresponds to the amount and recipient originally agreed, and completes the transaction. A code must also be usable only once, so that an intercepted approval cannot be replayed.
For providers, the main difficulty is in finding a way to provide the code to the payer in a way that meets the security requirements. This can be done with QR codes, encrypted push notifications, JSON web tokens, and other methods.
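The following is an added example, not code from the original article or from any PSP: a minimal dynamic-linking flow in Python that illustrates both the MITM scenario above and the implementation steps just described. It assumes a per-device HMAC key shared between the payer's registered device and the PSP, an 8-digit code derived from HMAC-SHA256 over the amount, currency, payee and a one-time nonce, and constructed sample data (the IBANs are the usual published example values). It is a design sketch, not the OCRA or 3-D Secure wire format, and the PSD2 does not mandate this particular construction.

```python
"""Illustrative dynamic-linking flow (added example, not a real PSP's code):
an HMAC-based authentication code bound to one transaction's amount and payee."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount: str    # decimal string such as "50.00"; never a float
    currency: str  # ISO 4217 code
    payee: str     # payee identifier, e.g. an IBAN


def code_input(tx: Transaction, nonce: str) -> bytes:
    """Canonical bytes both sides MAC over: sorted keys, no whitespace."""
    fields = {"amount": tx.amount, "currency": tx.currency,
              "payee": tx.payee, "nonce": nonce}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def auth_code(device_key: bytes, tx: Transaction, nonce: str) -> str:
    """8-digit code from HMAC-SHA256 over amount, currency, payee and nonce."""
    mac = hmac.new(device_key, code_input(tx, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 10**8:08d}"


class Authenticator:
    """Payer's registered device (e.g. a mobile app) holding a per-device key."""
    def __init__(self, device_key: bytes):
        self._key = device_key

    def approve(self, challenge: dict, payer_expects: Transaction):
        shown = challenge["tx"]
        # The device displays amount and payee to the payer (RTS Art. 5(1)(a)).
        # The payer's inspection is simulated by comparing with what they intended.
        if shown != payer_expects:
            return None  # payer declines: details differ from what they agreed
        return auth_code(self._key, shown, challenge["nonce"])


class PSP:
    """Payment service provider: issues challenges and verifies codes."""
    def __init__(self):
        self._devices = {}  # payer_id -> device key
        self._pending = {}  # challenge_id -> (payer_id, nonce)

    def register_device(self, payer_id: str, device_key: bytes):
        self._devices[payer_id] = device_key

    def initiate(self, payer_id: str, tx: Transaction) -> dict:
        challenge_id, nonce = secrets.token_hex(8), secrets.token_hex(16)
        self._pending[challenge_id] = (payer_id, nonce)
        # Delivered to the registered device over an independent channel.
        return {"id": challenge_id, "nonce": nonce, "tx": tx}

    def execute(self, challenge_id: str, tx: Transaction, code) -> bool:
        """Accept only if the code matches *this* amount and payee and the
        challenge has not already been used."""
        entry = self._pending.get(challenge_id)
        if entry is None or code is None:
            return False
        payer_id, nonce = entry
        expected = auth_code(self._devices[payer_id], tx, nonce)
        if not hmac.compare_digest(expected, code):
            return False
        del self._pending[challenge_id]  # single use: blocks replay
        return True


def run_demo() -> dict:
    """Constructed scenarios; returns each outcome so it can be checked."""
    psp, key = PSP(), secrets.token_bytes(32)
    psp.register_device("alice", key)
    device = Authenticator(key)
    merchant = Transaction("50.00", "EUR", "DE89370400440532013000")
    attacker = Transaction("500.00", "EUR", "GB29NWBK60161331926819")

    # 1. Honest flow: approved details equal executed details.
    ch = psp.initiate("alice", merchant)
    code = device.approve(ch, payer_expects=merchant)
    honest = psp.execute(ch["id"], merchant, code)
    # 2. Replay: the same code cannot authorise a second execution.
    replay = psp.execute(ch["id"], merchant, code)
    # 3. Amount or payee altered after approval (e.g. in transit to the PSP).
    ch = psp.initiate("alice", merchant)
    code = device.approve(ch, payer_expects=merchant)
    amount_tampered = psp.execute(
        ch["id"], Transaction("500.00", "EUR", merchant.payee), code)
    payee_tampered = psp.execute(
        ch["id"], Transaction(merchant.amount, "EUR", attacker.payee), code)
    # 4. Altered before display: the payer sees the attacker's details and declines.
    ch = psp.initiate("alice", attacker)
    declined = device.approve(ch, payer_expects=merchant)

    return {"honest": honest, "replay": replay, "amount_tampered": amount_tampered,
            "payee_tampered": payee_tampered, "declined": declined is None}


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry over to a real deployment regardless of the code format chosen: the amount is handled as a decimal string so that the payer's device and the PSP hash identical bytes, and the nonce is consumed on first successful verification so a captured approval cannot be replayed against a second, identical-looking transaction.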
Most retail merchants won’t be directly affected by the dynamic linking requirement of the PSD2, even if they’re in the EU. However, merchants who accept payments through third-party PSPs stand to benefit from the additional security that this requirement will provide. If you’ve ever missed out on a payment because it was intercepted by a MITM attack, you have good reason to cheer on this particular mandate.
In terms of chargebacks, dynamic linking shouldn’t have much impact, but PSPs may find that a welcome side benefit of complying with the PSD2 requirements is a reduction in their fraud rates.
That is, after all, one of the primary objectives of the PSD2. While it can be labor-intensive and costly to get on board with a detailed list of new rules, every stakeholder in the payments ecosystem stands to benefit when regulators make life harder for the fraudsters who prey on consumers, merchants, and service providers.