The MIDAS Alliance came into being to help industry understand how to maintain compliance in the face of emerging legislation, notably the revised Payment Services Directive (PSD2), the Electronic Identity, Authentication and Signatures Regulation (eIDAS), and the General Data Protection Regulation (GDPR). To this end the MIDAS Alliance’s key aim is to develop and promote a standard for the digital identification and authentication of individuals and organisations, to enable them to trust each other’s digital identity and to manage this in a secure manner.
The MIDAS Alliance is developing the standard under the auspices of the British Standards Institution, as a Publicly Available Specification (PAS499) Code of Practice.
The MIDAS Alliance has been established to expand on the minimum definition of “Secure authentication” within PSD2, including all aspects of KYC and AML, in order to create a secure authentication management standard that meets the needs of all the disparate legislation and regulations domestically and for international application.
The MIDAS Alliance is a global membership organisation representing stakeholders from across the information security community, encompassing Banking and Financial Services, Retailers, Governments, Healthcare, Telecoms and the Insurance industry.
The MIDAS Alliance is the only organisation working to define the standard for Digital Identification and Authentication across all business sectors.
The MIDAS Alliance has been recognised by the UK Payment Systems Regulator (PSR), which announced in its 2016 report “Payments Strategy for the 21st Century” that it will align with the MIDAS Alliance’s standards within 2017, alongside other industry initiatives and Government.
The MIDAS Alliance is currently developing a standard entitled “Digital identification and authentication, Code of Practice” with the British Standards Institution as PAS499, which provides a management standard that aligns with relevant regulations, legislation and other standards.
Discussions on the need for co-ordination through a formal standards body began in August 2015, and in May 2016 the BSI agreed to a working title of “Enhanced Identity and authentication online” and the number PAS499.
A steering group was formed to help define the outline of the standard (the scope), made up of representatives from Government, Retail banks, Investment banks, Data providers, Privacy groups, Technology providers, and Retailers.
The first meeting of the steering group took place in September 2016, where the definition of what the standard would look like was discussed. At the Steering Group the title was amended to “Digital identification and authentication”, and it was agreed that the PAS should proceed as a Code of Practice in the first instance, prior to consideration towards certification. The full definition of the scope can be read HERE.
Following the inclusion of the MIDAS Alliance within the UK Payments Strategy recommendation for Guidelines on Identification, Verification, Authentication and Risk Assessment, and the publication of the European Banking Authority Regulatory Technical Standards for Strong Customer Authentication, the standard has become more expansive as these relationships develop.
The standard will be developed during 2017, including:
With the increasing speed of development of new technology, it is essential for organisations to understand which technologies will meet the requirements for stronger online authentication set out in the individual standards and in the aforementioned regulations.
Becoming a member of the MIDAS Alliance will help your organisation understand and contribute to the technology solutions and processes that meet the exacting requirements of PSD2, GDPR, eIDAS and MIDAS (PAS499).
By joining the Alliance you will get access to the workshops and discussion groups that are helping to create a standard which will help your organisation manage the evolution to trusted authentication and meet the forthcoming requirements.
The challenges for retailers from PSD2 and GDPR
Retailers, especially those selling on the Internet, have fought hard to balance the competing demands of fraud prevention and customer experience. This has seen so-called cart abandonment drop in recent years as merchants choose when to use technologies like 3-D Secure.
In order to comply with the second Payment Services Directive (PSD2), PCI DSS and the GDPR, retailers must now be meticulous when it comes to data management. When the regulations pass into law in 2018, retailers must decide which customer data is worth holding, as any data breach could result in fines of 4% of their global turnover.
The regulations give far more power to individuals, allowing them greater access to their data as well as the right to know how their data is being processed. Retailers will also have to notify the national supervisory authority in the event of a data breach, so that affected users can take appropriate measures. Stringent breach reporting obligations also mean that organisations must have an effective monitoring framework for assessing and improving their processes.
Emphasis on data governance for merchants is higher than it has ever been, owing to the increased amount of data available and the pressure on legislative bodies to ensure the privacy rights of individuals. Many merchants understand the value that data holds for them and are busy trying to work out how best to extract it. The problem is that many do not have the experience or tools to process and handle these increased volumes of data, and will likely have to consider moving from old payment infrastructure to modern payment systems capable of handling the rigorous demands placed upon them by the new data laws.
The MIDAS Alliance will help retailers clarify which parts of PSD2 and GDPR they have to comply with and how much change will be required to conform to these new pieces of regulation.
All organisations which provide payment services in Europe will have to comply with the rules of the second Payment Services Directive (PSD2) and General Data Protection Regulation (GDPR). This will lead to one of the greatest upheavals in banking transformation for a generation.
Under the rules of PSD2, not only all future customers but also every existing customer will have to be strongly authenticated whenever they make a payment or use a remote banking service.
How payment service providers hope to meet this fundamental change is the essence of the MIDAS Alliance standard. PAS499 outlines the management standards required to achieve such a transformation.
Deadline for EBA guidelines concerning the information to be provided in an application for the authorisation of payment institutions, under Article 5.
Deadline for EBA draft implementing technical standards on the information to be provided by competent authorities to the EBA for the register, under Article 15.
Deadline for the EBA’s guidelines concerning the establishment, implementation and monitoring of the security measures, including certification processes, in relation to operational and security risks under Article 95.
Member States to adopt and publish the laws, regulations and administrative provisions necessary for compliance, and to notify the Commission and the EBA of their competent authorities.
Deadline for payment institutions to comply with Title II requirements.
Autumn 2018 – Expected date from which the EBA SCA RTS and security measures (as set out in Article 115) will apply.