EBA Eases Strong Customer Authentication Requirements under PSD2

Frederik Mennes, February 27, 2017

On Thursday 23 February, the European Banking Authority (EBA) published its long-awaited final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) under the revised Payment Services Directive (PSD2).
In general, the EBA has relaxed its requirements compared to the RTS in the EBA’s Consultation Paper from August 2016. Here are the most important changes:

  1. Transaction risk analysis.

    The final draft RTS introduces an exemption from SCA based on the risk level of a payment, for payments up to 500 euro. However, this exemption can only be used if the payer’s payment service provider (PSP) has an overall fraud rate lower than the reference fraud rate specified in the RTS. This change will be welcomed especially by the e-commerce industry, where SCA might generate user friction and therefore cancellations of purchases. An important question, however, is whether one-size-fits-all fraud rates will be usable across different industries, such as e-banking and e-commerce.

  2. No more channel segregation.

    The EBA has dropped its requirement to use different channels, devices or mobile applications to initiate and authenticate payments. This seems to make it possible to use a single device, and even a single mobile app, to both initiate and authenticate a payment.

  3. Unattended payment terminals exempted.

    Terminals for paying a parking or transport fare are exempted from SCA. This makes sense to avoid queues at parking lots, on highways, in underground transport, etc.

  4. Increase of threshold for remote payments.

    Previously remote payments up to 10 euro did not need SCA. This threshold has been raised to 30 euro.

As a next step, the EBA will submit the final draft RTS to the European Commission for adoption, after which they will be reviewed by the European Parliament and the Council of Ministers. If everything goes well, the RTS will become applicable in November 2018.
Overall, transaction risk analysis technology has gained importance in the final draft RTS. However, for this to work, PSPs will need to keep their fraud levels under control in order to stay below the reference rates. So the exemption based on transaction risk analysis does not come for free. The RTS also provides much more flexibility to use mobile apps to authenticate payments. However, PSPs will need to protect these mobile apps against various threats, such as cloning, reverse engineering and tampering.


Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.