On 2017-05-05 the European Banking Authority (EBA) launched a consultation on its draft Guidelines on security measures for operational and security risks under the revised Payment Services Directive (PSD2). The Guidelines support the objectives of PSD2, such as strengthening the integrated payments market in the EU, mitigating the increased security risks arising from electronic payments, and promoting equal conditions for competition. The consultation runs until 7 August 2017.
PSD2 requires payment service providers (PSPs) to establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks arising from the payment services they provide.
Earlier this year, on 2017-02-23, the EBA published its final draft Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and common and secure communication. These RTS, which were mandated under PSD2 and developed in close cooperation with the European Central Bank (ECB), pave the way for an open and secure market in retail payments in the European Union.
In general, the EBA has relaxed its requirements compared to the RTS in the EBA’s Consultation Paper from August 2016. The most important changes are:
- The EBA has relaxed its requirement to use different channels, devices or mobile applications to initiate and authenticate payments. This makes it possible to use a single device, and even a single mobile app, to initiate and authenticate a payment.
- This draft RTS introduces an exemption from SCA based on the risk level of a payment (payments up to 500 euro). However, this exemption can only be used if the payer's payment service provider (PSP) has an overall fraud rate lower than the reference fraud rate specified in the RTS. This change will be welcomed especially by the e-commerce industry, where SCA might generate user friction and therefore cancelled purchases. An important open question, however, is whether one-size-fits-all fraud rates will be usable across different industries, such as e-banking and e-commerce.
- Terminals used to pay a parking or transport fare are exempted from SCA. This will reduce queues at parking lots, on highways, in underground transport, etc.
- The EBA has also increased the threshold for remote payment transactions from EUR 10 to EUR 30.