Are You Ready for Strong Customer Authentication?


Now that the revised Payment Services Directive (PSD2) has been finalized, questions of transposition into national law come to the fore: the PSD2 is expected to enter into force in January 2016 and to apply from January 2018.

One of the central issues of transposition will be that of internet payments security. The PSD2 introduces the mandatory use of strong customer authentication as part of the services provided by payment service providers (PSPs). It also indicates that a PSP would be liable for an unauthorized transaction where strong customer authentication was not offered.

“Strong customer authentication” is defined as, “an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”
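The definition turns on two things a practitioner has to get right: the elements must come from at least two distinct categories (two passwords are still only "knowledge"), and the elements must be independent, so that a breach of one does not weaken the other. The following is an added example, not code from the original article or from any PSP's system: it pairs a salted password hash (knowledge) with an RFC 6238 TOTP authenticator (possession) and only reports success when verified elements span two categories. The function names, the constructed sample secret (the RFC 6238 test key) and the omission of an inherence element are assumptions of this example.

```python
"""Added example: checking the PSD2 "two or more independent elements" rule.

Knowledge  = password, stored only as a salted PBKDF2 hash.
Possession = TOTP authenticator (RFC 6238), seeded with its own secret.
The two secrets are unrelated, so learning the password reveals nothing
about the TOTP seed and vice versa: this is the "independence" the
directive asks for. Inherence (biometrics) is omitted here.
"""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Iterable, Optional

CATEGORIES = {"knowledge", "possession", "inherence"}
TOTP_STEP = 30  # seconds per TOTP time step (RFC 6238 default)


# --- knowledge element ---------------------------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); the plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)  # constant-time compare


# --- possession element (RFC 6238 TOTP over HMAC-SHA1) -------------------
def totp_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step and `window` adjacent steps for clock drift."""
    return any(
        hmac.compare_digest(totp_code(secret, unix_time + k * TOTP_STEP), code)
        for k in range(-window, window + 1)
    )


# --- the SCA rule itself --------------------------------------------------
@dataclass(frozen=True)
class Element:
    category: str   # one of CATEGORIES
    verified: bool  # outcome of that element's own check


def sca_satisfied(elements: Iterable[Element]) -> bool:
    """True only when verified elements cover at least two distinct categories.

    Two verified passwords are two knowledge elements and do not qualify.
    """
    verified = [e for e in elements if e.verified and e.category in CATEGORIES]
    return len({e.category for e in verified}) >= 2


def authenticate(password: str, salt: bytes, stored_hash: bytes,
                 totp_secret: bytes, code: str,
                 unix_time: Optional[int] = None) -> bool:
    """Run both element checks and apply the SCA rule to their results."""
    if unix_time is None:
        unix_time = int(time.time())
    elements = [
        Element("knowledge", verify_password(password, salt, stored_hash)),
        Element("possession", verify_totp(totp_secret, code, unix_time)),
    ]
    return sca_satisfied(elements)


if __name__ == "__main__":
    # Constructed sample data: the RFC 6238 test key and a fixed salt.
    seed = b"12345678901234567890"
    salt, stored = hash_password("correct horse battery staple", b"\x00" * 16)
    now = int(time.time())
    print(authenticate("correct horse battery staple", salt, stored,
                       seed, totp_code(seed, now), now))
```

Note that `authenticate` always evaluates both elements before deciding, so a failed password does not short-circuit and reveal which element was wrong; and neither secret is derived from the other, which is what makes the breach of one element not compromise the reliability of the other.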

EBA Guidelines

In anticipation of this PSD2 obligation, in December 2014 the European Banking Authority (EBA) issued Guidelines on the Security of Internet Payments. The Guidelines provide detail that the PSD2 itself does not, especially on the technical requirements for providing and supporting strong customer authentication. The EBA also sought confirmation from the competent authorities of the EU Member States that licensed entities comply with the requirements contained in the Guidelines. In Malta, the Malta Financial Services Authority (MFSA) issued a Financial Institution Rule (FIR/04) based on these Guidelines, along with a questionnaire to be completed to demonstrate such compliance.

In December 2015 the EBA issued a Discussion Paper to start gathering feedback for the draft Regulatory Technical Standards (RTS) on strong customer authentication and secure communication. The RTS reads as a sequel to the Guidelines issued a year earlier, but it is more than a further set of requirements: it also reflects the feedback received on those Guidelines.

Industry Resistance

This RTS would form part of the intended set of six RTSs and five sets of Guidelines to be provided by the EBA, as mandated by the PSD2. However, the Discussion Paper implies that the increased security measures, while beneficial to consumers as well as businesses, have met resistance from the industry. In fact, in the press release announcing the Discussion Paper, it was noted that, “the EBA and ECB will have to make difficult trade-offs between competing demands and would like to hear views from market participants on where the ideal balance should lie.”

The Discussion Paper also contains a section on possible exemptions from the strong customer authentication requirement, which the EBA suggests would be determined by risk-based criteria (e.g. low-value payments, recurring payments, etc.). Such exemptions are already contained in the PSD2; the EBA is seeking to clarify them.

Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said:

This is an early step in the development of some crucially important standards that the EBA is responsible for. These standards will define how core objectives of PSD2 will be met, operationally.

Given that the EBA has the challenge of balancing input from across the EU, it will be influenced by regions and market segments with widely differing payment cultures and propositions. So, businesses need to speak up, engage with the EBA, or risk being tied to standards that inhibit or expose them.

About Rachel Gauci

Rachel Gauci serves as Legal Counsel for Credorax, forming part of the legal team in the Malta office. She has over 3 years of experience in payment services legislation and anti-money laundering law.

Adv. Gauci holds a law degree from the University of Malta. Credorax was the subject of the case study in her doctoral dissertation, entitled 'A Critical Analysis of the Payment Services Directive and its Practical Application'.

Prior to her role as Legal Counsel, Rachel was a Compliance Officer and an Anti-Money Laundering Legal Officer at Credorax.
Rachel provides legal advice on licensing requirements, contract negotiations, and any other ancillary issues concerning merchants, as well as legal advice concerning Credorax's core regulatory issues.
Connect with her: LinkedIn