By Reece Clark
Consumers can expect increased competition, efficiency, and innovation in the payment services sphere when the European Union’s long-anticipated revised Payment Services Directive (“PSD2”) comes into effect on January 13, 2018. However, European banks and service providers will not be required to immediately harden the security of their customer data exchanges in response. According to a recent press release from the European Commission, payment service providers will have up to 18 months after the release of the PSD2’s Regulatory Technical Standards (“RTS”) to upgrade their payment security systems. RTS is slated for release in September 2019, giving market players until Q1 2021 to bring their systems and procedures into compliance.
RTS is designed to provide clear guidance and compliance requirements for securing consumer electronic payments and related information. Among the more progressive measures, RTS is expected to change how banks provide account information to third party payment service providers (“TPP”). Specifically, RTS will ban the current practice of “screen scraping,” in which a TPP logs in with the customer’s own security credentials and retrieves data without separately identifying itself to the bank.
Some fintech companies take advantage of screen scraping as a low-cost way to deliver personal bank account information and analytics to users. Under RTS, however, banks will be expected to establish dedicated communication channels—through pre-existing or newly created banking interfaces—to allow such providers to access the data they need to deliver their services. These channels are expected to help banks and providers identify each other and communicate securely at all times.
RTS is also expected to require Strong Customer Authentication (“SCA”) for making payments online and for accessing one’s payment account. SCA is a multi-factor security control that requires users to prove their identity using two of three independent categories of element. According to the Final Report on Draft RTS on SCA and CSC (common and secure communication), these categories are: (1) knowledge (a password or PIN code); (2) possession (a card or mobile phone); and (3) inherence (biometric data, such as a fingerprint).
Banks and other payment service providers are expected to establish the necessary infrastructure to support SCA, though an exemption process for payment service providers will be available on a limited basis. To be exempted, a provider must show that it has already established alternative authentication mechanisms that are as safe and secure as SCA, and that it has implemented measures for monitoring transaction fraud risk. SCA is already commonly used throughout Europe, though primarily on a voluntary, country-by-country basis.
Payment service providers are expected to use the 18-month transition period to upgrade their payment security systems so that they can comply with RTS requirements. Merchants, however, are not within the scope of PSD2 and are expected to continue to work closely with their payment service providers on how to protect consumer data and reduce fraud.
For more information regarding PSD2 compliance, please contact the author or a member of Polsinelli’s Privacy and Data Security team.