PSD2 Authentication Deadline Extended: Here's What's NextEuropean Banking Authority Insists EU Nations Take a Consistent Approach to Migration
Now that the deadline for all e-commerce card-based transactions in the EU to comply with the new PSD2 "strong customer authentication" requirement has officially been extended to Dec. 31, 2020, authorities are emphasizing the need to make a smooth, uniform migration to the new forms of authentication.
The original deadline, which was Sept. 14, 2019, had been put on hold by several nations after various players cited difficulties in meeting the requirements.
The European Banking Authority has instructed the National Competent Authorities in all EU member nations to take a consistent approach toward the migration to the new authentication method. An EBA spokesperson acknowledged that the complexity of the migration led to the decision to postpone the deadline to help ensure uniform movement to new forms of authentication throughout Europe.
Many merchants, in particular, were not ready to comply with the original deadline, says Nick Maynard, lead analyst at U.K.-based Juniper Research. "Retailers have not yet made the necessary changes to their payment and authentication systems, and banks have had a difficult time in terms of preparing their merchants for the implementation, he says.
"If the right measures of understanding are put in place now, then SCA will become natural very quickly," Jackie Barwell, director of fraud product management at ACI Worldwide, told Mobile Payments Today. "What will cause friction however, is a lack of a consistent approach to SCA by individual users."
PSD2, the Revised Payment Services Directive for the European Union, is designed to increase pan-European competition and participation in the payments industry, including fintech players, and harmonize consumer protections.
The strong customer authentication provision of the law requires the use of multifactor authentication to help improve security. Carrying out that mandate has proven difficult for a number of reasons, security experts say, including the development and implementation of the necessary APIs to pave the way for data exchange among many players.
The PSD2 provision requires authentication using at least two of the following three factors:
- Something the cardholder "knows," such as a password or PIN;
- Something the cardholder "has," such as a token or mobile phone;
- Something the cardholder "is," such as a fingerprint or voice match.
Monitoring Migration Plans
EBA says that instead of pursuing immediate enforcement actions for compliance with the PSD2 authentication requirements, the NCAs will focus on monitoring migration plans.
EBA notes payment service providers are liable for any fraud and any unauthorized payment transactions that takes place under the under Article 74 of the PSD2 after SCA takes full effect next year.
"With the delay of the 'strong customer authentication' regulation, many in the online payments and ecommerce sectors in the U.K. may be breathing a huge sigh of relief today," says Michal Kissos Hertzog, CEO at the online bank Pepper. "Yet there must be a realization that online payments are changing all the time, and due to this, the value proposition and user experience must evolve constantly too - especially around ensuring it is safe and secure."