Performing Dynamic Linking – How It Can Be Done Exactly?

This article tackles the question of how to securely perform dynamic linking with the PSD2 compliance in mind. There are a few options, but not all of them are equally “good”.

12 November 2021

In our previous post we have already discussed the main points of SCA and what role dynamic linking plays in it. This time around we are going to take a more practical approach and explore different ways you can perform dynamic linking. We will take a look at 3 different methods and compare their pros and cons.  

Quick recap: How Dynamic Linking works?

In short, dynamic linking requires an “authentication code”, which is unique to each transaction, that will be linked together with the essential information about the transaction – amount and recipient of the payment – through every step of the payment and authentication process. The payer has to be aware of both the amount and recipient when authenticating the transaction. If the authentication code or any of the essential information changes during the transaction, it will fail. Now let’s talk about different ways we can do that in practice.

Push notification to the rescue

There are a few ways to effectively perform dynamic linking, one of the most common options you are certainly familiar with if you ever used any kind of mobile-banking application, is the one that relies on so-called push notification.

The main point of this process is that the essential transaction data is transferred from the “financial service server” to the mobile app using an encrypted push notification message.

In practice it would work something like this:

  1. When the transaction is initiated, the user receives a push notification message on their phone where an application from the “financial service” is installed.
  2. Once the user accepts it, the app opens and shows the essential transaction data to the user and they will be asked to verify it by providing an either PIN or with their biometrics (fingerprint, face scan…).
  3. The authentication code is calculated over the transaction data and sent back to the user.

This approach fulfills all of the dynamic linking requirements and is considerably handy.

What about QR codes?

Another practical way to implement dynamic linking would be through QR codes that are also considered quite convenient, as they do not require the user to enter any data manually during the authentication process.

Example scenario:

  1. The user enters the essential transaction data through the “financial service” application in the browser. Based on this information a QR code is generated, representing the encrypted transaction data.
  2. Next, the user scans the QR code with their mobile device, which decrypts the transaction data and shows them cleartext on the “financial service” mobile application.
  3. Once the user authenticates the transaction via PIN or biometrics, the authentication code is calculated over the transaction data and linked to it.

Quick, compliant, and certainly simple. 

Not all methods are “ideal”

As we already mentioned above, clearly there isn’t only one “right way” to conduct a dynamic linking, but some are more contested than others. A perfect example of that would be transaction authorization numbers – or simply TAN – sent by SMS. Although SMS can be enough to prove a possession and TAN can be sent together with the essential transaction details, the security of SMS messages by itself is way too low, as there are many ways they can be tampered with. This leads us back to the SCA requirement of “security measures which ensure the confidentiality, authenticity, and integrity of transaction” as stated in the Regulatory Technical Standard for PSD2, Article 5.

Final thought

We sincerely hope that this article helped you navigate around the different ways dynamic linking can be performed and made this sometimes confusing topic a little bit clearer!