Article written by OneSpan Inc., a global leader in software for trusted identities, e-signatures and secure transactions. More than half of the world’s top 100 global banks trust OneSpan to keep their customers and transactions safe. OneSpan is one of the main partners of Banking 4.0 – international fintech conference.
Raiffeisen Italy is the umbrella organization for 40 entities of Raiffeisen Bank in the Italian province of South Tyrol. Overseeing the IT services for these member banks, Raiffeisen Information System CIO Alexander Kiesswetter modernized Raiffeisen Italy’s authentication system to comply with the revised Payment Services Directive (PSD2). As part of that initiative, Raiffeisen Italy introduced a standalone mobile app that authenticates and secures users – built using the OneSpan Mobile Security Suite and white-labeled with the Raiffeisen brand.
While PSD2 compliance was the main driver, the rapid adoption of digital and mobile banking made it important for Raiffeisen Italy to offer both strong security and an easier user experience. Simply put, customers no longer want to pull out their bank card and hardware token for every small transaction – preferring instead to authenticate through their mobile device.
“Mobile-first is an important part of our digital transformation strategy. For the first time, we have a solution that enables us to move services completely to the smartphone without using other hardware tools for the authentication. Now, we can use not only the PIN for the authentication, but also Face ID and Touch ID,” Alexander Kiesswetter says.
PSD2 Compliance Requirements
As the CIO, Alexander Kiesswetter faced two challenges: PSD2 compliance and a legacy authentication system that customers found difficult to use.
PSD2 compliance is a key priority for financial institutions (FIs) across Europe. FIs need to comply with the requirements for Strong Customer Authentication and Transaction Risk Analysis. In addition, Raiffeisen Italy had to meet two other PSD2 requirements:
Dynamic Linking: For remote payment transactions, PSD2 requires authentication that is dynamically linked to the specific amount and payee: the authentication code the user confirms must be specific to that amount and payee, so a code generated for one transaction cannot be used to authorise a different one. Throughout the authentication process the confidentiality, integrity and authenticity of the payment information need to be protected, and the user must be made aware of the amount and the payee being authorised.
Replication Protection: If a bank uses a mobile app as the possession element in its authentication flows, it must mitigate the risk that an attacker reverse engineers the app, extracts the token secret used to generate authentication codes, and reproduces it on another device. In other words, FIs have to protect the possession element (in this case, the app) against cloning.
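The following is an added example to illustrate the mechanism behind dynamic linking; it is not code from the OneSpan Mobile Security Suite or from Raiffeisen Italy's app. It computes an HMAC-based authentication code over the payee, the amount and a one-time server challenge, so the same code cannot authorise a different payee or amount and cannot be replayed. The serialisation format, the `BankServer` class and the HOTP-style truncation are assumptions chosen for illustration; the IBANs and the device secret are constructed sample values.

```python
"""Added example (not OneSpan or Raiffeisen code): PSD2 dynamic linking with an
HMAC-based transaction authentication code."""
import hashlib
import hmac
import json
import secrets

CODE_DIGITS = 8

# Constructed example secret shared between the enrolled app and the bank.
# In production it is generated at enrolment and kept in the phone's
# hardware-backed keystore (this is what the anti-cloning requirement is
# about); it is hard-coded here only so the example runs offline.
DEVICE_SECRET = bytes.fromhex("5b0d3c1e8f7a6c4d2e1f0a9b8c7d6e5f" * 2)


def canonical_transaction(payee_iban: str, amount_cents: int, currency: str,
                          challenge: str) -> bytes:
    """Deterministic byte encoding of the linked transaction data (assumed format).

    App and server must serialise identically or valid codes will not verify.
    Amounts are integer minor units to avoid float formatting drift; IBANs are
    normalised by removing spaces and upper-casing.
    """
    if amount_cents <= 0:
        raise ValueError("amount must be a positive number of minor units")
    fields = {
        "payee": payee_iban.replace(" ", "").upper(),
        "amount": amount_cents,
        "currency": currency.upper(),
        "challenge": challenge,
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def transaction_code(secret: bytes, payee_iban: str, amount_cents: int,
                     currency: str, challenge: str) -> str:
    """Code the app displays for the user to approve; bound to payee and amount."""
    data = canonical_transaction(payee_iban, amount_cents, currency, challenge)
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226 section 5.3) to a decimal code
    # short enough to type into a web form when push approval is unavailable.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class BankServer:
    """Verifies codes against the transaction the bank actually received,
    never against what the user believes they submitted."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = {}  # challenge -> (payee, amount, currency)

    def start_payment(self, payee_iban: str, amount_cents: int,
                      currency: str) -> str:
        """Record the payment as received and return a one-time challenge."""
        challenge = secrets.token_hex(16)
        self._pending[challenge] = (payee_iban, amount_cents, currency)
        return challenge

    def verify(self, challenge: str, code: str) -> bool:
        tx = self._pending.pop(challenge, None)  # single use: defeats replay
        if tx is None:
            return False
        expected = transaction_code(self._secret, *tx, challenge)
        return hmac.compare_digest(expected.encode(), code.encode())


def demo() -> dict:
    """Run the honest flow plus replay, payee- and amount-tampering attempts."""
    bank = BankServer(DEVICE_SECRET)
    user_iban = "IT60 X054 2811 1010 0000 0123 456"  # constructed sample IBAN
    attacker_iban = "DE89370400440532013000"          # constructed sample IBAN

    # 1. Honest flow: the bank received exactly what the app signs.
    chal = bank.start_payment(user_iban, 12500, "EUR")
    code = transaction_code(DEVICE_SECRET, user_iban, 12500, "EUR", chal)
    honest = bank.verify(chal, code)

    # 2. Replay: the challenge was consumed, so the same code is rejected.
    replay = bank.verify(chal, code)

    # 3. Man-in-the-browser swaps the payee in transit; the app signs the
    #    payee the user confirmed, which no longer matches the bank's record.
    chal2 = bank.start_payment(attacker_iban, 12500, "EUR")
    code2 = transaction_code(DEVICE_SECRET, user_iban, 12500, "EUR", chal2)
    payee_tampered = bank.verify(chal2, code2)

    # 4. Amount inflated in transit (125.00 EUR -> 1250.00 EUR) is rejected too.
    chal3 = bank.start_payment(user_iban, 125000, "EUR")
    code3 = transaction_code(DEVICE_SECRET, user_iban, 12500, "EUR", chal3)
    amount_tampered = bank.verify(chal3, code3)

    return {"honest": honest, "replay": replay,
            "payee_tampered": payee_tampered, "amount_tampered": amount_tampered}
```

In a real deployment the app usually signs the transaction details the bank pushes to it rather than the ones the user typed, so that a tampered payee would still produce a valid code; in that design the defence is that the user sees the altered payee and amount on the phone and refuses, which is exactly why the rule requires the payer to be made aware of both before approving.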
Further, the bank wanted to provide an easier authentication experience for customers. The problem was, they found themselves in the conventional tug-of-war between security and ease of use – with security winning at the expense of customer experience. While their legacy authentication system was very secure, customers complained it was burdensome.
“Until we started using OneSpan, our attention was focused on security. That’s why we used separate hardware tokens with bank cards, because we weren’t convinced that an alternative would give us enough security,” says Kiesswetter…