New PSD2 Regulatory Technical Standards – The Essentials for Payments and Financial Services Providers

December 21, 2017

On November 27, the European Commission adopted rules that will make electronic payments – both offline in stores and online – safer and allow consumers to access more convenient, cost-effective and innovative solutions offered by payment providers.

According to Valdis Dombrovskis, Vice-President in charge of Financial Stability, Financial Services and Capital Markets Union, "These new rules will guide all market players, old and new, to offer better payment services to consumers while ensuring their security."

Under the revised rules, simply providing a password or the details shown on a credit card will, in most situations, no longer be sufficient to make a payment. These rules implement the EU's recently revised Payment Services Directive (PSD2), which aims to modernise Europe's payment services through more and healthier competition and safer, more convenient experiences for consumers.

Security was indeed the core theme of the just-issued Regulatory Technical Standards (RTS).

A key objective of PSD2 is to increase the level of security and confidence in electronic payments. To fulfill this goal, PSD2 requires payment service providers to implement strong customer authentication (SCA).

The newly issued rules incorporate stringent, built-in security provisions to significantly reduce payment fraud levels and to protect the confidentiality of users' financial data, especially relevant for online payments.

How Do Payments Companies Need To Implement Strong Customer Authentication in Practice?

From now on, payments companies and financial services providers are required to verify the identity of their customers through a combination of at least two independent elements before a payment is made: a physical item – an identity document, card or mobile phone – combined with a password or a biometric feature, such as a selfie or a fingerprint.

PSD2 also establishes a framework for new services linked to consumer payment accounts, such as the so-called payment initiation services and account information services. These services are already on offer in many EU countries but after PSD2 is fully implemented, they will be available to consumers across the EU, subject to strict security requirements.

In certain cases, explains the European Commission, a code that is only valid for a given transaction will be needed together with the two independent elements, which could be a physical item – a card or mobile phone – combined with a password or a biometric feature, such as a photo or a fingerprint, before a payment is made.
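As an added illustration (not code from this article, the European Commission or the RTS), the following Python sketch checks the two points described above: that the presented authentication elements span at least two independent categories, and that the one-time code is bound to one specific transaction so it cannot be replayed for a different payee or amount. The factor names, the HMAC-based code derivation and the constructed sample values are assumptions of this example, not PSD2 specifications.

```python
import hashlib
import hmac
import secrets

# Categories the SCA elements are drawn from (assumed mapping for this example):
# knowledge (password), possession (card, phone, ID document), inherence (biometric).
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "card": "possession", "phone": "possession", "id_document": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def is_strong_authentication(factors):
    """True only if the presented factors cover at least two distinct categories.
    Two factors of the same category (e.g. password + PIN) do not qualify."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2

def transaction_code(key, payee, amount_cents, nonce):
    """Derive a code valid for one transaction only (hypothetical construction:
    HMAC-SHA256 over payee, amount and a per-transaction nonce, truncated to
    8 decimal digits). Changing any input yields a different code."""
    msg = f"{payee}|{amount_cents}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

def verify_payment(key, factors, payee, amount_cents, nonce, presented_code):
    """Accept a payment only if SCA holds and the code matches this exact
    transaction. Constant-time comparison avoids timing leaks on the code."""
    if not is_strong_authentication(factors):
        return False
    expected = transaction_code(key, payee, amount_cents, nonce)
    return hmac.compare_digest(expected, presented_code)

if __name__ == "__main__":
    key = secrets.token_bytes(32)        # constructed per-customer secret
    nonce = secrets.token_hex(8)         # constructed per-transaction nonce
    payee = "EXAMPLE-PAYEE-ACCOUNT"      # constructed sample payee identifier
    code = transaction_code(key, payee, 4999, nonce)
    print(verify_payment(key, ["card", "fingerprint"], payee, 4999, nonce, code))
    # Same code presented for a changed amount is rejected:
    print(verify_payment(key, ["card", "fingerprint"], payee, 5000, nonce, code))
```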

The rules also specify the obligations of banks for the provision of third-party account information tools. According to the RTS, screen-scraping of account data from bank websites will be off the table and replaced by new interfaces provided by the banks.

Who Will Be Affected By The New PSD2 Regulatory Technical Standards?

The revised regulatory framework expands the scope to include two new types of payment services: the so-called payment initiation services and the account information services.

As of January 2018, banks and other payment services providers will have to put in place the necessary infrastructure for strong customer authentication (SCA). They will also have to improve fraud management.

Meanwhile, consumers and merchants will have to be equipped and trained to be able to operate in an SCA environment.

Although heavily focused on consumer payments, the PSD2 RTS also cater for corporate payments, outlining the security measures applicable to payments that are carried out in batches.

Likewise, these new rules also take into account host-to-host machine communication, where for example the IT system of a company communicates with the IT system of a bank to send messages for paying invoices. Security mechanisms for this type of communication can be as effective as strong customer authentication. As such, they can benefit from an exemption from SCA, if this is approved by the national supervisors.

When Will These New Identity Verification Rules for Payments Start Applying?

Following the adoption of the Regulatory Technical Standards by the Commission, the European Parliament and the Council have three months to scrutinise them.

Subject to the scrutiny period, the new rules will be published in the Official Journal of the EU. Banks and other payment services providers will then have 18 months to put the security measures and communication tools in place.

Learn more about the evolution of PSD2 and its requirements for secure and convenient customer identification with this visual PSD2 timeline.