The PSD2 and Regulation RTS require strong authentication measures for online payments
José Ramón Morales (partner at Corporate Law and Commercial Contracts department and Technology & Outsourcing industry).
The world of online payments in the European Union is on the brink of a massive change: stronger customer authentication measures will be required upon the entry into force of Commission Delegated Regulation (EU) 2018/389 of November 27, 2017 (“Regulation RTS”). Regulation RTS supplements Directive (EU) 2015/2366 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (known as “PSD2”).
The term to transpose the PSD2 into national law in the EU Member States ended on January 13, 2018 (in Spain, the preliminary bill for its transposition was approved on May 18, 2018). The objectives of the PSD2 include making payments more secure and enhancing consumer protection, as well as encouraging innovation and competition in the context of a level playing field for all operators.
In particular, in order to reduce the risk of fraud in electronic transactions and better protect customers’ information, PSD2 calls for stronger customer authentication measures based on at least two of the following three elements: knowledge, possession and inherence. The PSD2 also establishes additional requirements for remote electronic payment transactions (unique authentication code with dynamic linking, generated for each payment transaction specific to the amount and the payee).
In contrast to the other provisions of the PSD2, the regulations on stronger customer authentication were deferred until the related regulatory technical standards were prepared and published, which has now been completed with the publication of Regulation RTS. Its general application will commence on September 14, 2019, except for certain obligations applicable to payment services operators accounts managers, which will come into force before this date. Since it is a regulation, it is directly compulsory in all Member States as from that date without the need for internal laws.
These compulsory requirements have raised concern not only among payment service providers, but also with e-commerce operators themselves. These operators, who receive electronic payments, fear that especially cumbersome security measures will affect usability and user experience in online transactions, leading to a sizeable drop in customers who use this form of payment.
In upcoming posts we will look at the requirements that Regulation RTS establishes for strong customer authentication: classified as “knowledge” (something only the user knows), possession (something only the user possess), and devices and software that read elements classified as “inherence” (something the user is). We will also explore which transactions it affects and the various exemptions to application of strong authentication measures, according to risk, value or specific protocols to which they are subject. In particular, we will focus on unique authentication code requirements and their potential bearing on online payment transactions.