The European Banking Authority () published its long-awaited final draft Regulatory Technical Standards () on strong customer authentication () and common and secure communication at the end of February 2017. These are mandated under the revised Payment Services Directive () – which enters into force in January 2018 – and are required by the European payment industry to implement .
These final draft are the result of the public consultation organised in 2016 and of the ’s trade-offs between security and convenience to address some issues raised by the payment industry while still respecting the objectives of . The reported that an “unprecedentedly wide number of stakeholders' views and input” were collected during the public consultation.
The final draft have been softened in some key aspects, with the introduction of exemptions from the application of in certain situations. The has introduced two new exemptions:
- For payments made at ‘unattended terminals’ for transport and parking fares.
- For remote payments where a transaction risk analysis is performed provided fraud levels are kept below specific thresholds. This exemption will be reviewed by the 18 months after the application date of the .
Both new exemptions address ’s concerns, raised during the public consultation.
The final draft introduce another major change that answers a concern raised by many e-retailers: the threshold for remote payments has been increased from ten to thirty euros. The principles of the (and constraints in terms of authentication) will therefore not need to be applied for consumers making online payments of less than thirty euros.
Account Servicing Payment Service Providers () will be obliged to offer at least one interface for Account Information Service Providers (AISPs) and Payment Initiation Service Providers ( — the EPC created an infographic about PSD2, describing all players, in case further information is needed) to access payment accounts. A noteworthy change included in the final draft is that using a dedicated interface will have to provide the same level of availability and performance as for the interface used by their customers.
The next step towards the finalisation of these is their approval and publication by the European Commission, which is expected after the summer. They will enter into effect 18 months later.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.