On January 13, 2018, the Second Payment Services Directive (PSD2) will enter into force, which also introduces higher security standards for online payments. In order to clarify the requirements associated with the implementation of PSD2, the European Commission was authorized to adopt Regulatory Technical Standards (RTS). After controversial discussions about the design of these RTS in recent months, the European Commission has now handed over the final RTS relating to Strong Customer Authentication and Common and Secure Communication to the European Parliament for approval on November 27, 2017. Based on the RTS history, it can be expected that the final version will be released within the next three months. In this case, the relevant payment service providers have 18 months after the entry into force of the RTS to implement the relevant requirements. These include requirements for strong customer authentication and customer interfaces.
1. Strong customer authentication
According to PSD2, certain payments and account accesses will require strong customer authentication in the future, i.e., customer authentication using at least two factors from the categories of something they know (e.g., PIN code), something they own (e.g., a card), and something they are (e.g., fingerprint). Previously granted exceptions for contactless payments and low-value transactions (e.g., no 2-factor authentication for amounts less than 30 euros) have now been further extended in the final draft of the RTS by not requiring 2-factor authentication for certain B2B transactions. This concerns electronic payment transactions based on payment methods commonly used by companies where no individual authentication is performed. These payment methods, however, must meet the high level of security required by PSD2.
2. Requirements for communication interfaces: The end of screen scraping?
According to PSD2, third-party service providers – meaning payment initiation or account information service providers – have the right to access a customer’s payment account information at the credit institution holding the account upon instructions of the customer. Once the 18-month transition period has expired, however, this is no longer possible without identification (“screen scraping”). In the future, access will only be allowed via a dedicated interface or the interface used by the customers of the account-holding credit institution, where the interface use is linked to specific requirements, e.g., the recording of retrieved data and, if necessary, passing on data to the competent authorities.
When using a dedicated interface, however, the earlier RTS draft had already provided for the availability of a “fallback solution” by the payment service provider (use of the customer interface or a second dedicated interface) to ensure the constant availability of the payment initiation and account information services. In view of the European Banking Authority’s concerns on this issue, however, the final RTS draft now provides for an exemption where no fallback solution is required if the dedicated interface used has been sufficiently tested under market conditions and meets all the requirements of the RTS.
Payment service providers affected by PSD2 (credit institutions, electronic money institutions or third-party service providers) are advised to use the transitional period of 18 months following the entry into force of the RTS to check which requirements of the RTS for Strong Customer Authentication and Common and Secure Communication could lead to a need to adjust internal and external structures and processes. This also raises the question of whether and to what extent the exemptions provided for in the RTS may be used.