Payment Services Directive

So, Tesco was hacked. Although there is no official word yet on how this happened, the chatter among people far smarter than me are suggesting the issue is related to passwords and the Tesco Club card.

Followers of CyberMatters will recognise that I often blog about password issues. Is there anything new to say on the subject I hear you ask? Yes… 

I have been critical of “password killer” solutions in the past, for example, see We cannot let passwords die (yet), saying we needed an industry-driven initiative to make this happen.

payment-services-directive-european-commissionIs the Payment Services Directive 2 – EU Directive 2015/2366, that initiative?

It requires that by 2018 banks will need to implement stronger authentication, which it defines as:

Strong customer authentication” means “an authentication based on the use of two or more elements categorised as:  

  • knowledge (something only the user knows [for example, a password]),
  • possession (something only the user possesses [for example, a particular cell phone and number]) and 
  • inherence (something the user is [or has, for example, a finger print or iris pattern])

that are independent, the breach of one does not compromise the others, and is designed in such a way as to protect the confidentiality of the authentication data.

Ah, I hear you say – this says we still need passwords (knowledge).

Yes, but the context is now very different; this is part of a multi-factor authentication solution. They could be the local password used to access something in your possession (phone, smart card etc.). There is no longer a need for them to be stored by companies on servers, which time and time again are broken into. They could also be one-time-passwords generated locally.

We know NIST has deprecated the use of SMS, so I am sure there will be innovative new solutions coming to market. The FIDO alliance is working on standards, and my former employer, Intercede, has an innovative solution.

Our – the industries – opportunity is to use this and kill the password once and for all.  Let’s not just roll this out to banks, let’s grab the initiative and make it mandatory everywhere. But it does have to be industry wide, otherwise the issue discussed in the post “We cannot let passwords die (yet)”, remains.