On February 23, 2017, the EBA published final draft RTS on the requirements of strong customer authentication and secure communication under the revised Payment Services Directive (known as PSD2). PSD2, which will apply from January 13, 2018, requires payment service providers to apply strong customer authentication measures where the payer accesses its payment account online, initiates an electronic payment transaction or carries out any action through a remote channel, which may imply a risk of payment fraud or other abuses.
The final draft RTS supplement PSD2 with requirements for: (i) strong customer authentication; (ii) exemptions from the authentication requirements depending on: the level of risk involved in the service provided, the amount, the recurrence of the transaction, or both or the payment channel used for the execution of the transaction; (iii) security measures to protect the confidentiality and the integrity of payment service users' personalized security credentials; and (iv) common and secure open standards of communication between account servicing payment service providers, Payment Initiation Services providers, Account Information Services providers, payers, payees and other payment service providers.
The EBA consulted on the draft RTS during 2016. Following consultation feedback, the EBA made changes to the final draft RTS. The final draft RTS have been submitted to the European Commission for consideration and adoption. It is proposed that the final RTS would apply 18 months after it comes into effect, therefore the earliest the requirements would apply from is November 2018.
The final draft RTS is available at: http://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.