PSD2: EBA regulatory technical standards consultation paper published on strong customer authentication
Published on 20th October 2016
Pursuant to its mandate under the second Payment Services Directive (PSD2), the European Banking Authority (EBA) issued a consultation paper and draft Regulatory Technical Standards (RTS) on strong customer authentication and secure communication on 12 August 2016.
Article 97(1) of PSD2 requires payment service providers to apply strong customer authentication when the payer:
- accesses his payment account online;
- initiates an electronic payment transaction; or
- carries out any action through a remote channel that may be subject to a risk of payment fraud or other abuse.
We reported previously on the EBA’s discussion paper, which informed the current consultation paper and draft RTS.
Considerations made by the EBA
In developing the RTS, the EBA considered the objectives set out in Article 98(2) of PSD2:
- Adopting effective and risk-based requirements to ensure security for payment service users and payment service providers;
- Providing for the safety of payment service users’ funds and personal data;
- Facilitating fair competition among all payment service providers;
- Being neutral regarding technology and business-models; and
- Providing for the development of payment methods.
The draft RTS cover four main areas…
1. Strong customer authentication (SCA)
Under PSD2, SCA is defined as authentication based on the use of two or more independent elements categorised as knowledge, possession and inherence, so that the breach of one element does not compromise the reliability of the others and is designed to protect the confidentiality of the authentication data.
The respondents to the discussion paper recommended that the rules around SCA requirements be principle-based and developed at a high level, which the EBA agreed will facilitate innovation and business-model neutrality.
The draft RTS establish the following principles as the basis for the SCA provisions:
- authentication elements that include the personalised security credentials;
- payment service providers must ensure that a combination of the authentication elements (i.e. knowledge, possession and inherence) results in the generation of an authentication code that is accepted once by the payment service provider for the same payment service user; and
- the inclusion of mechanisms to prevent, detect and block fraudulent payments before final authorisation.
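The three principles above can be read as a small protocol: the provider holds a knowledge element and a possession element that are verified independently, and the authentication code produced for a given transaction is honoured only once. The following Python is an added illustration of that reading, not code from the consultation paper or from any payment service provider. It assumes concrete mechanisms the draft RTS deliberately leave open: a PIN stored as a salted PBKDF2 hash for the knowledge element, an HOTP device code (RFC 4226) for the possession element, and a 6-digit code format. The enrolment data and the RFC 4226 test secret used at the bottom are constructed sample input.

```python
"""
Server-side SCA check built from two independent elements: a knowledge
element (PIN, stored only as a salted PBKDF2 hash) and a possession element
(HOTP device code per RFC 4226). A code for a given counter value is accepted
once per user, so a captured code cannot be replayed.

Constructed illustration of the draft RTS principles; the choice of HOTP,
PBKDF2 and 6-digit codes are assumptions, not requirements of the RTS.
"""
import hashlib
import hmac
import os
import struct


def hotp(device_secret: bytes, counter: int, digits: int = 6) -> int:
    """Possession element: HMAC-SHA1 one-time code as specified in RFC 4226."""
    mac = hmac.new(device_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return binary % (10 ** digits)


class ScaVerifier:
    """Holds enrolment data and the record of codes already accepted."""

    def __init__(self) -> None:
        self._users: dict[str, dict] = {}
        # (user, counter) pairs that have already been honoured.
        self._accepted: set[tuple[str, int]] = set()

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enrol(self, user: str, pin: str, device_secret: bytes) -> None:
        salt = os.urandom(16)
        self._users[user] = {
            "salt": salt,
            "pin_hash": self._hash_pin(pin, salt),  # PIN itself is never stored
            "device_secret": device_secret,
        }

    def verify(self, user: str, pin: str, counter: int, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        # Knowledge element: constant-time comparison of the salted hash.
        knowledge_ok = hmac.compare_digest(
            self._hash_pin(pin, rec["salt"]), rec["pin_hash"]
        )
        # Possession element: recomputed from the device secret, so knowing
        # the PIN alone does not let an attacker produce a valid code, and
        # holding the device alone does not reveal the PIN.
        expected = f"{hotp(rec['device_secret'], counter):06d}"
        possession_ok = hmac.compare_digest(expected.encode(), code.encode())
        # Evaluate both before deciding so a failure does not reveal which
        # element was wrong.
        if not (knowledge_ok and possession_ok):
            return False
        # Accepted once for the same user: a replayed (user, counter) pair fails
        # even though the PIN and code are both correct.
        key = (user, counter)
        if key in self._accepted:
            return False
        self._accepted.add(key)
        return True


if __name__ == "__main__":
    verifier = ScaVerifier()
    rfc_secret = b"12345678901234567890"  # constructed: RFC 4226 test secret
    verifier.enrol("alice", "1234", rfc_secret)
    print(verifier.verify("alice", "1234", 0, "755224"))  # True
    print(verifier.verify("alice", "1234", 0, "755224"))  # False: replayed code
```

Two design points map directly onto the RTS wording. Independence of the elements is achieved by never deriving one from the other: the device secret and the PIN hash are separate records, and the code on the wire contains no PIN material. "Accepted once" is enforced server-side by remembering which (user, counter) pairs have been honoured, rather than by trusting the client not to resend.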
2. Exemptions from strong customer authentication
PSD2 also requires the RTS to specify any exemptions from the rules on SCA, based on the level of risk in the service used, the amount and/or the recurrence of the transaction, and the payment channel used for the transaction.
In determining the exemptions, the EBA questioned whether to provide an exhaustive list of exemptions or take a broader approach. Among the respondents, a number of banks considered that a wide view was necessary to account for future innovations, whereas payment initiation service providers generally preferred a limited list of exemptions to allow for competition. For now the EBA has included a specific list of exemptions in the RTS to balance security needs against user convenience.
The exemptions that have been included in the RTS apply in the following circumstances:
- when the payer is only obtaining access to information on its online payment account;
- contactless payment transactions subject to a maximum of 50 EUR;
- credit transfers to trusted payees, and transfers by the payer to another account held by itself with the same payment service provider; and
- remote electronic payment transactions subject to a maximum of 10 EUR.
3. Security measures to protect personalised security credentials
The third section of the draft RTS addresses the requirements around the protection of the confidentiality and the integrity of personalised security credentials. Here, the EBA determined it was appropriate to adopt a principles-based approach requiring payment service providers to implement measures protecting this information. The draft RTS outline the security measures to be applied, including the handling of cryptographic material and the use of encryption.
4. Requirements for communication and specific requirements for open standards of communication
The final section of the draft RTS covers the requirements around secure communication among payment service providers. The question for the EBA was whether a single dedicated interface should be adopted across the industry. Weighing the need for secure communication against the need to be technologically neutral, the EBA determined not to prescribe a specific industry standard of communication. Instead, the EBA has drafted general standards addressing issues of requirements for identification, traceability of transactions, and communications interfaces, among others.
Next steps
The consultation period for submitting comments ended on 12 October 2016. The EBA plans to publish the final RTS by 12 January 2017. The RTS will then be applicable 18 months after adoption by the European Commission, so they should be effective in October 2018. This will allow the industry sufficient time to develop solutions that are compliant with the RTS.
In the interim 18-month period, the EBA Guidelines on the Security of Internet Payments will continue to apply.