PSD2: EBA regulatory technical standards consultation paper published on strong customer authentication

Written on 20 Oct 2016

Pursuant to its mandate under the second Payment Services
Directive (PSD2), the European Banking Authority (EBA) issued a consultation
paper and draft Regulatory Technical Standards
 (RTS) on strong customer authentication and secure communication on 12 August
2016.

Article 97(1) of PSD2 requires payment service providers to
apply strong customer authentication when the payer:

  • accesses his payment account online;
  • initiates an electronic payment transaction; or
  • carries out any action through a remote channel
    that may be subject to a risk of payment fraud or other abuse.

We reported previously
on the EBA’s discussion paper, which informed the
current consultation paper and draft RTS.

Considerations made
by the EBA

In developing the RTS, the EBA considered the objectives set
out in Article 98(2) of PSD2:

  1. Adopting
    effective and risk-based requirements to ensure security for payment service
    users and payment service providers;
  2. Providing
    for the safety of payment service users’ funds and personal data;
  3. Facilitating
    fair competition among all payment service providers;
  4. Being
    neutral regarding technology and business-models; and
  5. Providing
    for the development of payment methods.

The draft RTS cover
four main areas…

1.     Strong
customer authentication (SCA)

Under PSD2, SCA is defined as authentication
based on the use of two or more independent elements categorised as knowledge, possession and inherence, so that the breach of one element
does not compromise the reliability of the others and is designed to protect
the confidentiality of the authentication data.

The respondents to the discussion
paper recommended that the rules around SCA requirements be principle-based and
developed at a high level, which the EBA agreed will facilitate innovation and
business-model neutrality.

The draft RTS establish the
following principles as the basis for the SCA provisions:

  • authentication elements that include the
    personalised security credentials;
  • payment service providers must ensure that a
    combination of the authentication elements (i.e. knowledge, possession and
    inherence) results in the generation of an authentication code that is accepted
    once by the payment service provider for the same payment service user; and
  • the inclusion of mechanisms to prevent, detect
    and block fraudulent payments before final authorisation.

2.     Exemptions
from strong customer authentication

PSD2 also requires the RTS to
specify any exemptions from the rules on SCA, based on the level of risk in the
service used, the amount and/or the recurrence of the transaction, and the
payment channel used for the transaction.

In determining the exemptions,
the EBA questioned whether to provide an exhaustive list of exemptions or take
a broader approach. Among the respondents, a number of banks considered that a
wide view was necessary to account for future innovations, whereas payment
initiation service providers generally preferred a limited list of exemptions
to allow for competition. For now the EBA has included a specific list of
exemptions in the RTS to balance security needs against user convenience.

The exemptions that have been
included in the RTS apply in the following circumstances:

  • when the payer is only obtaining access to
    information on its online payment account;
  • contactless payment transactions subject to a
    maximum of 50 EUR;
  • credit transfers to trusted payees, the payer
    transferring credit to an account held by itself with the same payment services
    provider; and
  • remote electronic payment transactions subject
    to a maximum of 10 EUR.

3.     Security
measures to protect personalised security credentials

The third section of the draft
RTS addresses the requirements around the protection of the confidentiality and
the integrity of personalised security credentials. Here, the EBA determined it
was appropriate to adopt a principles-based approach requiring payment service
providers to implement measures protecting this information.  The draft RTS outline security measures to be
applied including cryptographic material and encryption.

4.     Requirements
for communication and specific requirements for open standards of communication

The final section of the draft
RTS covers the requirements around secure communication among payment service
providers. The question for the EBA was whether a single dedicated interface
should be adopted across the industry. Weighing the need for secure
communication against the need to be technologically neutral, the EBA
determined not to prescribe a specific industry standard of communication.
Instead, the EBA has drafted general standards addressing issues of
requirements for identification, traceability of transactions, and
communications interfaces, among others.

Next steps

The consultation period for submitting comments ended on 12
October 2016. The EBA plans to publish the final RTS by 12 January 2017. The
RTS will then be applicable 18 months after adoption by the European
Commission, so they should be effective in October 2018. This will allow the
industry sufficient time to develop solutions that are compliant with the RTS.
In the interim 18 month period, the EBA
Guidelines on the Security of Internet Payments
will continue to apply.