The Display-TAN method is fully PSD2-compliant:
- 1. Element Possession. The Display-TAN card represents a possession element according to the definition of SCA (Strong Customer Authentication).
- PSD2 Art. 4(30): ''(The element possession) is designed in such a way as to protect the confidentiality of the authentication data.''
- 2. Independence of the 2 Elements. The second element is the online password, which is entered on the user's end device. Because the Display-TAN card and the end device are two different devices, the independence of the two elements is guaranteed.
- PSD2 Art. 4(30): ''(The two elements) are independent, in that the breach of one does not compromise the reliability of the others.''
- 3. Dynamic Linking. Payee and amount are part of the input to the authentication code generation on the Display-TAN card, so the dynamic linking requirement is fulfilled.
- PSD2, Art. 97(2): ''The elements dynamically link the transaction to a specific amount and a specific payee.''
- 4. Unique Authentication Codes. Because a nonce is also part of the input to the Display-TAN authentication code generation, a generated authentication code cannot be reused for another money transfer.
- Final Draft of RTS, Art. 4.2(b): ''It is not possible to generate a new authentication code based on the knowledge of any other authentication code previously generated.''
- 5. Secure Visualisation. The display on the Display-TAN card guarantees that the money transfer actually authorized is the one the payer agrees to.
- Final Draft of RTS, Art. 5.2(b): ''The confidentiality, authenticity and integrity of the information displayed to the payer is ensured through all phases of authentication.''
- 6. Protected Data. With Version 2 of Display-TAN, all data transmitted to the card via Bluetooth are encrypted with the card's individual key.
- Final Draft of RTS, Art. 4.3(c): ''The communication sessions are protected against the capture of authentication data transmitted during the authentication.''
- 7. X2A Compatibility. Display-TAN will be compatible with any version of a PSD2 X2A (Access to Account) API for PISPs.
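As an added illustration of requirements 3 and 4, the following Python sketch shows the principle behind dynamic linking and single-use codes; it is not Display-TAN's own algorithm, which the page does not specify. The card computes an HMAC under its individual key over payee, amount and a bank-issued nonce; the bank recomputes the code and refuses any nonce it has already consumed. The placeholder key, the field serialisation, the HOTP-style truncation, the bank-side nonce bookkeeping and the sample payee string are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

# Placeholder for the card-individual key (constructed sample, not a real key).
# The page states that each card has its own key; how it is provisioned is not described.
CARD_KEY = bytes.fromhex("00" * 32)


def canonical_transaction(payee_iban: str, amount_cents: int, currency: str, nonce: bytes) -> bytes:
    """Serialise the dynamically linked fields unambiguously (length-prefixed),
    so that e.g. amount 1234 / payee "5..." cannot collide with amount 12345 / payee "...".
    (Serialisation format is an assumption of this example.)"""
    fields = [
        payee_iban.encode("ascii"),
        str(amount_cents).encode("ascii"),
        currency.encode("ascii"),
        nonce,
    ]
    out = b""
    for field in fields:
        out += len(field).to_bytes(2, "big") + field
    return out


def generate_tan(card_key: bytes, payee_iban: str, amount_cents: int,
                 currency: str, nonce: bytes, digits: int = 6) -> str:
    """Card side: authentication code = truncated HMAC over payee, amount and nonce.
    Any change to payee or amount, or a different nonce, yields a different code."""
    mac = hmac.new(card_key, canonical_transaction(payee_iban, amount_cents, currency, nonce),
                   hashlib.sha256).digest()
    # Dynamic truncation as in RFC 4226 (HOTP); assumed here to get a short displayable code.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class BankVerifier:
    """Bank side: issues a fresh nonce per transaction, recomputes the expected code
    and rejects any nonce that has already been consumed (replay protection)."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.used_nonces = set()

    def issue_nonce(self) -> bytes:
        # Fresh random nonce; the card includes it in the code computation.
        return secrets.token_bytes(16)

    def verify(self, payee_iban: str, amount_cents: int, currency: str,
               nonce: bytes, tan: str) -> bool:
        if nonce in self.used_nonces:
            return False  # code bound to a consumed nonce: replay rejected
        expected = generate_tan(self.card_key, payee_iban, amount_cents, currency, nonce)
        if not hmac.compare_digest(expected, tan):
            return False  # payee, amount or nonce differ from what the card signed
        self.used_nonces.add(nonce)
        return True


if __name__ == "__main__":
    bank = BankVerifier(CARD_KEY)
    nonce = bank.issue_nonce()
    tan = generate_tan(CARD_KEY, "DE00PAYEE0001", 12345, "EUR", nonce)  # constructed payee string
    print("accepted:", bank.verify("DE00PAYEE0001", 12345, "EUR", nonce, tan))
    print("replay accepted:", bank.verify("DE00PAYEE0001", 12345, "EUR", nonce, tan))
```

The check that matters for requirement 4 is the `used_nonces` set: even a correctly computed code is worthless a second time, and a code computed for one payee/amount pair fails `compare_digest` for any other pair, which is the substance of requirement 3.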
Without doubt, each of these PSD2 requirements is fulfilled by Display-TAN. No ''interpretation'' (against the letter and the spirit of PSD2) is necessary, as is the case, for example, for App-TAN with respect to requirements 1, 2, 5, and 6.
Besides these PSD2 requirements, the Display-TAN method also fulfills the following requirements:
- 8. Segregated Channels. Display-TAN fulfills the requirement ''segregated channels'' of the Consultation Paper, Art. 2.2(b). This requirement no longer appears in the Final Draft RTS. In Germany, however, there is still a valid requirement for channel segregation; see the link below.
- 9. Proof of User Confirmation. With Display-TAN the bank can prove that the customer has seen and confirmed the transaction data. With SMS-TAN and App-TAN it could be the case that a trojan executed a transaction covertly, without customer involvement. In case of fraud, and especially in case of Friendly Fraud, this should make a crucial difference to the legal position of the bank. See below the recent decision of the highest German court concerning a potential Friendly Fraud (238,000 Euro with SMS-TAN).
- Oct. 2015, EC: PSD2
- Aug. 2016, EBA: Consultation Paper RTS for PSD2
- Feb. 2017, EBA: Final Draft RTS for PSD2
- May 2017, EU Commission: Revised RTS for PSD2
- Apr. 2008, DK (Germany): Requirement Channel Segregation
- Jan. 2016, BGH (Germany): Court Decision XI ZR 91/14
- Display-TAN: What is Friendly Fraud?