A Legal Perspective on the Relevance of Biometric Presentation Attack Detection (PAD) for Payment Services Under PSDII and the GDPR
Payment applications are turning en masse to biometric solutions to authenticate the rightful users of payment services offered electronically. This is due to the new regulatory landscape, which puts considerable emphasis on the need for enhanced security for all payment services offered via the internet or other at-distance channels, to guarantee safe authentication and to reduce fraud to the maximum extent possible. The Payment Services Directive (EU) 2015/2366 (PSDII), which applies as of 13 January 2018 in the Member States, introduced the concept of strong customer authentication and refers to ‘something the user is’ as an authentication element. This chapter analyses this requirement of strong customer authentication for payment services offered electronically and the role of automated biometric presentation attack detection (PAD) as a security measure. PAD measures aid biometric (authentication) technology in recognizing persons presenting biometric characteristics as friends or foes. We find that while PSDII remains vague about any obligation to use PAD as a specific security feature when biometric characteristics are used for authentication, PAD re-enters the scene through the backdoor of the General Data Protection Regulation (EU) 2016/679.
This article has been made possible in part by funding received from the European Union’s 7th Framework Programme for research and innovation in the context of the EKSISTENZ project under grant agreement no 607049. The viewpoints in this article are entirely those of the author and shall not be associated with any of the aforementioned projects, persons or entities. Neither the author nor the Commission may be held responsible for any use that may be made of the information contained herein.