The Payment Services Directive (PSD2) becomes effective in January 2018, and its regulatory technical standards (RTS) on strong customer authentication and common and secure open standards of communications are scheduled to be published in September 2019 in the Official Journal of the European Union. But the requirements of the RTS will now be considered actionable by European banks and service providers 18 months after the RTS are published.
Under PSD2, simply providing a password or details shown on a credit card will no longer suffice when making a payment in most situations. In certain cases, a code that is only valid for a given transaction will be needed, together with two independent elements—which could be a physical item, for example a mobile phone, as well as a password or a biometric feature, such as fingerprints—before making a payment.
Payment service providers may be exempted if they have developed ways of assessing the risks of transactions and can identify fraudulent transactions. Exemptions may also apply to contactless payments, transactions for small amounts and certain types of payments such as urban transport fares or parking fees.
The practice of third-party access without identification to payment account information, known as “screen scraping,” will also be banned under the new rules and replaced by new interfaces to be provided by banks. Payment service providers, including banks, will have to define transparent key performance indicators and service-level targets for such interfaces, and they will be expected to be “at least as stringent as those for the interface used for their payment service users.” The European Commission (EC) has stated that all communication interfaces, whether dedicated or not, will be subject to a “prototype” test for three months and a “live” test in market conditions for a further three months.
The EC is promoting the establishment of a market group, composed of representatives from banks, payment initiation and account information service providers, and payment service users, to review the quality of bank interfaces for customer data sharing. Banks that fail to satisfy those requirements will have to provide contingency measures for third parties to gain unrestricted rights to “screen scrape” the bank account as provided for in PSD2. This compromise amendment has been welcomed by start-up campaigning groups.
The European Parliament and the Council now have three months to scrutinize the RTS before they become applicable under PSD2.