Last November saw the adoption of the Delegated Regulation on Regulatory Technical Standards (RTS) by the European Commission. The objective of this regulation is to provide for Strong Customer Authentication (SCA) and to establish secure channels of communication.
These standards provide a broad and comprehensive technical framework for the implementation of customer authentication for payment services in both online and physical point-of-sale locations.
The standards also reference the use of electronic identification and trust services as set out in the eIDAS Regulation (Regulation (EU) No 910/2014). The eIDAS standards provide a way for customers, businesses and public service providers to offer and receive services based on national electronic IDs. eIDAS also provides for electronic signatures, timestamps, electronic seals, website authentication and other electronic trust services which are to be used where appropriate.
The technical standards thus make full use of the authentication and identification standards defined in detail in the eIDAS regulatory framework. This ensures that best-in-class identification and authentication tools are in place while relying on existing infrastructure to achieve maximum cost efficiency. The effective use of the tools provided under eIDAS also means that third-party solution providers (such as Account/Payment Information Service Providers) can participate and offer the same level of security and protection as the primary financial institution.
While establishing strong authentication is paramount in a payments system, it is also important to maintain technological neutrality. The RTS takes this into account: rather than mandating particular solutions such as OTPs, digital signatures or other specific cryptographic techniques, it leaves the choice open as long as the security requirements are met.
This neutrality applies not only to the authentication system but to the various business models of payment processors as well. For example, low-value payments (less than EUR 30), proximity payments and certain types of remote payments benefit from exemptions that allow them to operate with minimum encumbrance within the framework of the RTS. These exemptions are subject to specific thresholds in terms of amount, risk, payment method and so on.
Corporate payment systems (as opposed to retail) usually employ different protocols for authorizing payment transactions (such as physical authenticators, multi-person authentication, etc.), and the RTS allows exemptions here, subject to the satisfaction of the competent regional authorities.