Saturday 12 March 2016

Strong customer authentication and secure communication in payment services

Following the entry into force of the revised Directive 2015/2366 on Payment Services (PSD2), the European Banking Authority (EBA) is mandated to deliver several Regulatory Technical Standards (RTS) and Guidelines by January 2017. These should set out the details of the more general standards laid down in the Directive in order to secure their consistent application throughout the EU. EBA's RTS are therefore important for the smooth functioning of the single market for payment services.

As the first step, and before developing the full RTS, EBA has recently published a Discussion Paper on strong customer authentication and secure communication. The Discussion Paper specifies the requirements of strong customer authentication; the  exemptions to the application of these requirements; requirements to protect the payment service users' personalized security credentials; requirements for common and secure open standards of communication; and security measures between the various types of payment service providers.

BEUC has submitted a number of useful comments on the Discussion Paper. For example, BEUC has recommended the RTS should also consider that a good level of consumer protection in payment services is provided through an adequate combination of preventive and curative measures. Providing for a simple and unconditional refund policy in case of  unauthorized, fraudulent or disputed payment transactions is crucial for raising consumers' confidence in using payment services. It is also important that consumers' data are secure and that in case of data breaches effective redress mechanisms are in place. Finally, the requirements of strong customer authentication and the RTS should extend to mail orders and telephone orders. See for more recommendations and the full text of BEUC's response here.