Payment Services Directive (PSD2) – Strong Customer Authentication and additional migration period for e-commerce businesses

04 November 2019 | blog

The revised Payment Services Directive (PSD2), applicable since 13 January 2018, brought significant changes to the payment markets in the EU. In particular, PSD2 requires certain payment services providers (PSPs) to apply strong customer authentication (SCA, also referred to as two-factor authentication) in remote electronic transactions. The application of SCA in e-commerce, which was scheduled to enter into force on 14 September 2019, has been delayed due to concerns about market unpreparedness. In line with an Opinion by the European Banking Authority (EBA), the Austrian regulator FMA has extended the deadline for implementation by 15 months until 31 December 2020.

SCA is defined in PSD2 as "authentication based on the use of two or more elements categorised as (i) knowledge (something only the user knows), (ii) possession (something only the user possesses) and (iii) inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data". SCA will be required for all electronic payments, unless one of certain exemptions applies. Specifically, when (i) a payment user accesses its payment account online or (ii) initiates an electronic payment transaction or (iii) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses, SCA will have to be used.

The European Banking Authority (EBA) has developed regulatory technical standards (RTS), setting out details on SCA but refraining from specifying particular authentication processes so that the RTS remain future-proof. It has also published an Opinion on 21 June 2019, responding to queries from market actors and providing non-exhaustive examples of compliant SCA elements:

  1. Knowledge

     This element is "something only the user knows" and can be a password, a PIN, knowledge-based responses to challenges or questions, a passphrase or a memorised swiping path. An email address, a username, card details printed on the card, one-time passwords (OTP) generated by or received on a device, and a printed matrix card or OTP list, on the other hand, would not be compliant knowledge elements.

  2. Possession

     A compliant possession element is "something only the user possesses", which may also refer to something not physical, like an app, provided there is a unique connection between the payment service user's app, browser or key and the device. A further compliant example is possession of a device evidenced by a one-time password (OTP) generated by, or received on, that device (e.g. via text message). A card whose possession is evidenced only by the card details printed on it, or by a printed element such as a TAN list, would not suffice.

  3. Inherence

     Inherence is "something the user is" and can be authenticated with fingerprint scanning, voice recognition, vein recognition, hand and face geometry, retina and iris scanning, keystroke dynamics, heart rate or other body movement patterns, and the angle at which the device is held. A memorised swiping path or information transmitted using a communication protocol would not be compliant inherence elements.
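As an added illustration (not part of the original post), the category rule from the PSD2 definition and the EBA examples listed above can be encoded as a small checker that tells a PSP whether a chosen set of authenticators even reaches two distinct categories. The authenticator labels are constructed for this example and are not identifiers from the RTS or the Opinion.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Constructed catalogue of authenticators, each placed in the category the
# EBA Opinion assigns it. The labels are illustrative, not standard names.
COMPLIANT = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "passphrase": Factor.KNOWLEDGE,
    "memorised_swiping_path": Factor.KNOWLEDGE,  # knowledge, not inherence
    "sms_otp": Factor.POSSESSION,      # OTP received on a device: possession, not knowledge
    "app_otp": Factor.POSSESSION,      # OTP generated by a device the user holds
    "bound_app": Factor.POSSESSION,    # app uniquely tied to the user's device
    "fingerprint": Factor.INHERENCE,
    "face_geometry": Factor.INHERENCE,
    "keystroke_dynamics": Factor.INHERENCE,
}

# Elements the Opinion lists as not qualifying for any category.
NOT_COMPLIANT = {"email_address", "username", "printed_card_details", "printed_tan_list"}


def assess_sca(elements):
    """Classify each element and check the rule 'two or more elements from
    distinct categories'. Returns (ok, categories, rejected).

    Independence of the elements (a breach of one must not compromise the
    others) is a separate design review that a category count cannot replace.
    """
    categories = set()
    rejected = []
    for element in elements:
        factor = COMPLIANT.get(element)
        if factor is None or element in NOT_COMPLIANT:
            rejected.append(element)  # non-compliant or unknown element
        else:
            categories.add(factor)
    return len(categories) >= 2, sorted(c.value for c in categories), rejected


if __name__ == "__main__":
    print(assess_sca(["password", "sms_otp"]))  # (True, ['knowledge', 'possession'], [])
    print(assess_sca(["password", "pin"]))      # (False, ['knowledge'], [])
```

A set such as a password plus a PIN fails because both sit in the knowledge category, and a printed TAN list contributes nothing because the Opinion rejects it outright.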

In addition to the above-described rather technical details of SCA implementation, the EBA also addressed market preparedness in the Opinion. While acknowledging the complexity of the payment markets in the EU and the challenges posed by the required changes, the EBA stressed that in its view the market actors have had sufficient time to implement SCA by the 14 September 2019 deadline.

However, to avoid unintended negative consequences for some payment service users after the deadline, the EBA has decided to accept that the deadline may be extended for SCA in e-commerce by national competent authorities.

In particular, the EBA and other European regulators are concerned that merchants accepting online payments (card-based payments in particular) are not thoroughly prepared to apply SCA in their payment processes, which could, in the regulators' view, result in negative consequences (e.g. an increased number of cancelled or unsuccessful payment transactions) both for payment service users and for accepting companies/merchants.

In line with the EBA's Opinion and views, the Austrian Financial Market Authority (Finanzmarktaufsichtsbehörde – FMA) has announced that it will exercise "regulatory flexibility" and has extended the deadline for SCA application for online card-based payment transactions until 31 December 2020. Despite this delay for SCA application, the PSPs are required to transmit a migration plan to the FMA and to keep the FMA informed of the implementation process. This extra transitional period, however, extends only to regulatory aspects; potential civil law implications and liabilities are not affected.

Similar extensions have been announced by other European market authorities, for example Germany's Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) and the UK's Financial Conduct Authority.

Author: Matthias Pressler