PSD2 and Strong customer authentication implementation
A 12-month extension to prepare the 2-factor authentication implementation
The revised Payment Services Directive (PSD2) was published in November 2015, entered into force on 13 January 2016 and has applied since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring strong customer authentication (SCA) to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.
PSD2 introduced new security requirements for the initiation and processing of electronic payments. It made the implementation of so-called “strong customer authentication” (SCA) mandatory when a payer initiates an electronic payment transaction.
Customers are to provide two or more of the following elements when making payments, which are categorised by the European Banking Authority (EBA) as follows:
- Knowledge: something only the user knows, e.g. a password or a PIN code
- Possession: something only the user possesses, e.g. a mobile phone, and
- Inherence: something the user is, e.g. the use of a fingerprint or voice recognition.
The EBA had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC).
The RTS on strong customer authentication adopted in 2007 should have applied as from 14 September 2019.
On 21 June 2019 the EBA published an opinion on what approaches it believes can constitute different "elements" of SCA. The document includes a “non-exhaustive list of possible inherence elements” and rules out EMV 3-D Secure version 1.0, while recognising version 2.0 as fully compliant.