26 April 2019
New European regulations on Strong Customer Authentication and shared norms for open and secure communications will go into effect on 14 September 2019, as part of the Payment Services Directive 2 (PSD2).
These new regulations have two main goals:
Let us recall that directives such as PSD2 need to be separately transposed into each member country's legislation. EU Regulations, on the other hand, constitute immediately applicable local law; their function is to harmonise the various norms established within the PSD2 framework. Indeed, the Regulatory Technical Standards (RTS) were prepared by the European Banking Authority (EBA) and adopted by the European Commission to describe in concrete terms, and thus standardise, the strong client authentication process that must be implemented by Member States.
As the guarantors of secure payments, the RTS define strong client identification as combining at least two identification factors, among which:
Member States ensure that every Payment Services Provider (PSP) applies Strong Customer Authentication when the payer:
To simplify the framework, the RTS set out nine exemptions. Only the PSPs of the payer and the beneficiary are entitled to apply these exemptions, according to the nature of the online payment at issue. The idea behind these exemptions is to achieve a fair balance between the need for stronger security in online payments and the need for such payments to be user-friendly and broadly accessible for the online retail sector.
These exemptions from Strong Customer Authentication were established based on the risk level, the transaction amount, the recurring nature of the payment and the payment method used for completing the transaction.
The exemptions include three that directly concern online payments:
Regarding the last of these exemptions, the cut-off transaction amount will depend on the rate of fraud reported by the PSP as follows:
Average fraud rates in France currently stand at around 0.16% for domestic transactions and 0.3% for cross border transactions.
If one were to single out one domain where Lemon Way makes no concessions, payment security would be it. That's why we welcome these new regulatory standards as good news that reflects a trend toward increased security and, ultimately, greater peace of mind for end clients. Due to our positioning in the payment chain, we do not directly participate in choosing or defining authentication criteria. Nonetheless, our experts are always available to answer questions or requests for information!