The European Commission on Monday adopted rules that will make electronic payments in shops and online safer. This will also allow consumers to access more convenient, cost-effective and innovative solutions offered by payment providers.
These rules implement the EU’s recently-revised Payment Services Directive (PSD2) which aims to modernize Europe’s payment services so as to keep pace with this rapidly evolving market and allow the European e-commerce market to blossom. Monday’s rules allow consumers to use innovative services offered by third party providers, also known as FinTech companies, while maintaining rigorous data protection and security for EU consumers and businesses. These include payment solutions and tools for managing one’s personal finances by aggregating information from various accounts.
Valdis Dombrovskis, Vice-President in charge of Financial Stability, Financial Services and Capital Markets Union said, “These new rules will guide all market players, old and new, to offer better payment services to consumers while ensuring their security.”
A key objective of PSD2 is to increase the level of security and confidence in electronic payments. In particular, PSD2 requires payment service providers to implement strong customer authentication (SCA). Today’s rules therefore have stringent, built-in security provisions to significantly reduce payment fraud levels and to protect the confidentiality of users’ financial data, which is especially relevant for online payments. They require a combination of at least two independent elements, which could be a physical item – a card or mobile phone – combined with a password or a biometric feature, such as a fingerprint, before a payment can be made.
PSD2 also establishes a framework for new services linked to consumer payment accounts, such as the so-called payment initiation services and account information services. These innovative services are already on offer in many EU countries but thanks to PSD2 they will be available to consumers across the EU, subject to strict security requirements. The rules specify the requirements for common and secure standards of communication between banks and FinTech companies.
Following the adoption of the Regulatory Technical Standards by the Commission, the European Parliament and the Council have three months to scrutinise them. Subject to the scrutiny period, the new rules will be published in the Official Journal of the EU. Banks and other payment service providers will then have 18 months to put the security measures and communication tools in place.
Monday’s Regulatory Technical Standards have been developed by the European Banking Authority in close cooperation with the European Central Bank. They spell out how strong customer authentication (SCA) is to be applied.
The simple provision of a password or of the details shown on a credit card will, in most situations, no longer be sufficient to make a payment. In certain cases, a code that is only valid for a given transaction will be needed together with the two independent elements. The aim is to significantly reduce current fraud levels for all payment methods, especially online payments, and to protect the confidentiality of users’ financial data.
However, the rules also acknowledge that acceptable levels of payment security can, in some cases, be achieved in other ways than by using the two independent elements required for SCA. For instance, payment service providers may be exempted if they have developed ways of assessing the risks of transactions and can identify fraudulent transactions. Exemptions also exist for contactless payments, transactions for small amounts, and particular types of payments such as urban transport fares or parking fees. Thanks to these exemptions, payment service providers can keep payments convenient without jeopardising the security of payments.