Last Thursday, on October 8th, the European Parliament adopted the revised Directive on Payment Services, also known as PSD2. The new directive, which is the long awaited successor of the first Payment Services Directive from 2007, aims to harmonize the European retail payments market, which is very much fragmented along national borders, and foster the adoption of innovative, easy-to-use and secure payment schemes.
In this article I will provide an overview of the requirements of PSD2 regarding the authentication of consumers involved in a payment, a topic that generated much discussion among members of the European Parliament over the past few years.
What happened previously
PSD2 is the latest development in a series of European regulatory initiatives aimed at securing Internet payments. These initiatives aim to combat Card-Not-Present (CNP) fraud and increase the confidence of European citizens regarding e-commerce and other online activities.
In January 2013, the SecuRe Pay forum of the European Central Bank (ECB) published its final recommendations for the security of Internet payments. In February 2014, SecuRe Pay also published an assessment guide to help regulatory authorities apply the ECB’s recommendations.
In order to provide a more solid legal basis for the ECB’s recommendations, in December 2014 the European Banking Authority (EBA) published its final guidelines on the security of Internet payments, which are almost identical to the ECB’s recommendations. Since the negotiations for the PSD2 were still ongoing, a two-step approach was chosen for the implementation of the EBA guidelines: immediate implementation as of August 1st 2015, followed by an upgrade with the more stringent regulations derived from the PSD2. On May 21st 2015, the EBA published the list of European national authorities that intended to enforce the guidelines.
Strong customer authentication under PSD2
PSD2 uses the same definition of “strong customer authentication” as the EBA guidelines, which is based on the traditional concept of two-factor authentication. “Strong customer authentication” is defined as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
Under article 97(1) of PSD2, Payment Service Providers (PSPs) must apply “strong customer authentication where the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; [or] (c) carries out any action, through a remote channel, which may imply a risk of payment fraud or other abuses”.
So far this is very similar to the EBA guidelines. However, article 97(2) of PSD2 goes a step further for “electronic remote payment transactions”, which include all transactions over the Internet. For such transactions, Payment Service Providers must apply strong customer authentication that includes “elements which dynamically link the transaction to a specific amount and a specific payee”. This could also be referred to as strong payment authentication.
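To make the dynamic-linking requirement concrete, here is an added example (not from the article, and not a mechanism PSD2 prescribes) of a transaction-bound authentication code: a possession element holds a device key, the code is an HMAC-SHA256 over a fresh nonce plus the exact amount and payee, truncated HOTP-style to eight digits, and the PSP recomputes it for the transaction it is about to execute. The device key, nonce and payee identifiers are constructed values.

```python
import hashlib
import hmac

# Constructed per-device secret standing in for the "possession" element.
# In a real deployment it lives in a secure element or hardware token and is
# provisioned out of band; the merchant never sees it.
DEVICE_KEY = bytes.fromhex("1f" * 32)


def transaction_message(nonce: bytes, amount_cents: int, payee: str) -> bytes:
    """Canonical encoding of what the code is bound to.

    Fixed-width amount and length-prefixed payee, so two different
    (amount, payee) pairs can never serialise to the same bytes.
    """
    payee_bytes = payee.encode("utf-8")
    return (nonce
            + amount_cents.to_bytes(8, "big")
            + len(payee_bytes).to_bytes(2, "big")
            + payee_bytes)


def generate_code(key: bytes, nonce: bytes, amount_cents: int, payee: str) -> str:
    """Compute the 8-digit code the payer's device shows for this transaction."""
    mac = hmac.new(key, transaction_message(nonce, amount_cents, payee),
                   hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) to a typeable code
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % 10**8:08d}"


def verify_code(key: bytes, nonce: bytes, amount_cents: int, payee: str,
                code: str) -> bool:
    """PSP-side check: recompute for the exact transaction about to be executed."""
    expected = generate_code(key, nonce, amount_cents, payee)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Show that the code only verifies for the amount and payee it was made for."""
    nonce = bytes(range(16))            # constructed; use secrets.token_bytes(16) live
    amount, payee = 12999, "payee-0001"  # EUR 129.99 to a constructed payee id
    code = generate_code(DEVICE_KEY, nonce, amount, payee)
    return {
        "genuine": verify_code(DEVICE_KEY, nonce, amount, payee, code),
        "amount_changed": verify_code(DEVICE_KEY, nonce, 99999, payee, code),
        "payee_changed": verify_code(DEVICE_KEY, nonce, amount, "payee-0002", code),
        "replayed_nonce": verify_code(DEVICE_KEY, bytes(16), amount, payee, code),
    }
```

A code that is only an OTP (no amount or payee in the MAC input) would satisfy article 97(1) but not the dynamic-linking clause of 97(2), since a tampered amount would still verify.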
Draft regulatory technical standards will be developed by the EBA and submitted to the European Commission that will specify:
“(a) the requirements of the strong customer authentication;
(b) the exemptions to the application of [strong customer authentication];
(c) the requirements with which security measures have to comply […] in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials; and
(d) the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for implementation of security measures […]”.
Implementation of PSD2
Following the European Parliament’s vote, PSD2 still needs to be formally adopted by the EU Council of Ministers, which will happen in late 2015. Afterwards the Directive will be published in the Official Journal of the EU. EU Member States will then have two years to introduce the necessary changes in their national laws in order to comply with the new rules. Hence PSD2 is expected to come into effect in late 2017.
However, a different adoption schedule applies to the requirements regarding strong customer authentication. PSD2 tasks the EBA with the development of technical standards for strong customer authentication. The EBA must submit the draft technical standards to the European Commission not later than 12 months after PSD2 comes into effect. The standards will come into effect 18 months after their adoption by the European Commission. As a consequence, the standards for strong customer authentication will come into effect about 30 months or 2.5 years after PSD2, hence in late 2020.
The EBA guidelines remain applicable as an interim solution, until PSD2 comes into effect.
The arrival of PSD2 is good news for the harmonization of Internet payment security across Europe. Contrary to the EBA guidelines, national regulatory authorities cannot opt out of PSD2, as it will be transposed into national law by the EU Member States. This means that countries such as the UK, which opted out of the EBA guidelines, will also be subject to PSD2 and its requirements regarding strong customer authentication.
Strong customer authentication is an important component of the new retail payment market envisioned by the European legislators. Although strong payment authentication is already common practice in online banking services in many European countries, it may present a significant step for e-commerce services and may impact the check-out processes of e-commerce merchants. Hence e-commerce merchants will need to find secure but also convenient authentication mechanisms.
More details about the precise requirements and standards regarding strong customer authentication can be expected in 3 to 4.5 years. Taking into account that Payment Service Providers in most EU Member States already have to comply with the very similar EBA guidelines since August 1st of this year, this additional guidance seems to come rather late.
Finally, it remains to be seen how PSD2, which heavily focuses on the authentication aspects of payments, will integrate with the EBA guidelines. The security requirements put forth in the EBA guidelines have a broader scope than authentication, and also focus on security requirements such as the need for transaction monitoring and customer education.