The 2015 Revised Directive on Payment Services (commonly referred to as PSD2) lays the groundwork for safe and secure payments across the European Union. PSD2 places significant emphasis on ensuring that adequate safeguards are in place to prevent fraud and other unauthorized use of payment mechanisms.
The Delegated Regulation on Regulatory Technical Standards (RTS), adopted by the European Commission in November 2017, outlines the specific requirements for strong customer authentication and the other security measures that need to be in place for such transactions. The document sets out the protocols that must be implemented to protect the security and confidentiality of customer information and to ensure secure and open communication throughout the payment process.
There are various business models currently in use in the payments industry. All of these models co-exist and cater to specific niches of the market. For example, some models might be suited to micro-transactions while others might be more cost-effective for cross-border payments. In addition to business models, there are also different technologies and protocols, each of which offers different advantages to consumers. Since the goal of PSD2 was to increase competition, fair play and innovation in the payments industry, the new technical standards have been designed to do the same.
The technical specifications within the Regulatory Technical Standards (RTS) are designed to be technology- and business-model-neutral. Certain exemptions are in place for remote payments, proximity payments, low-value payments (less than EUR 30 or so) and transactions cleared by transaction risk analysis. These ensure that the payment backbone is not overburdened while still providing best-in-class security.
The RTS defines in detail the elements required for strong customer authentication. eIDAS also plays a key role here, providing electronic identification and authentication of online platforms via qualified certificates. Other elements include an authentication code that is secure and cannot be forged, dynamic linking of that code to a specific transaction (so that it is only valid for that transaction's amount and payee), and other risk mitigation techniques.
In order to keep the process dynamic and spare the system and end users excessive burden, low-risk transactions are allowed certain exemptions. The exact criteria for classifying a transaction as low risk are stipulated in the standards as well and include the fraud rate for that type of transaction, the transaction threshold value, real-time analysis of the user's location, spending behavior and so on. This risk analysis brings an additional layer of control and incentivizes the proper use of risk monitoring tools to keep the payment backbone operating at maximum efficiency.
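The two mechanisms described above, a transaction-risk check that decides whether the low-risk exemption applies and an authentication code dynamically linked to the amount and payee, can be modelled in a few dozen lines. The following is an added illustration written for this summary; it is not code from the Regulation, the EBA or any payment provider. The thresholds, the demo key, the payee identifiers and the choice of HMAC-SHA256 as the MAC construction are all assumptions made for the example (the RTS does not prescribe a particular algorithm, and the only figure the text above gives is "EUR 30 or so").

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    amount_cents: int   # amount in minor units, e.g. 1250 == EUR 12.50
    currency: str
    payee: str          # payee identifier (constructed placeholder values below)
    country: str        # country the payment was initiated from


@dataclass(frozen=True)
class PayerProfile:
    home_country: str
    usual_amount_cents: int  # the payer's typical transaction size (constructed)


# Illustrative thresholds: assumptions for this example, not RTS figures.
LOW_VALUE_LIMIT_CENTS = 30_00
REFERENCE_FRAUD_RATE = 0.0013     # hypothetical ceiling for the PSP's fraud rate
UNUSUAL_SPEND_MULTIPLIER = 3      # more than 3x the usual amount counts as unusual


def sca_required(tx: Transaction, profile: PayerProfile, psp_fraud_rate: float):
    """Transaction risk analysis: return (required, reasons).

    The exemption is granted only when none of the low-risk criteria named in
    the text (fraud rate, threshold value, location, spending behaviour) fails.
    """
    reasons = []
    if tx.amount_cents >= LOW_VALUE_LIMIT_CENTS:
        reasons.append("amount at or above the low-value limit")
    if psp_fraud_rate > REFERENCE_FRAUD_RATE:
        reasons.append("PSP fraud rate above the reference rate")
    if tx.country != profile.home_country:
        reasons.append("initiated outside the payer's usual country")
    if tx.amount_cents > UNUSUAL_SPEND_MULTIPLIER * profile.usual_amount_cents:
        reasons.append("amount unusual for this payer's spending behaviour")
    return bool(reasons), reasons


def _linked_message(tx: Transaction, nonce: str) -> bytes:
    # Canonical encoding of exactly the fields the code must be linked to;
    # JSON with sorted keys avoids delimiter ambiguity in payee strings.
    return json.dumps(
        {"nonce": nonce, "amount": tx.amount_cents,
         "currency": tx.currency, "payee": tx.payee},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def issue_auth_code(key: bytes, tx: Transaction, nonce: Optional[str] = None):
    """Issue an authentication code dynamically linked to amount and payee.

    A keyed MAC means a party without the key cannot forge a code, and the
    nonce keeps each code single-use. In a real deployment the key lives in
    the authenticator (app, token, HSM); here it is a constructed demo value.
    """
    nonce = nonce or secrets.token_hex(8)
    code = hmac.new(key, _linked_message(tx, nonce), hashlib.sha256).hexdigest()
    return nonce, code


def verify_auth_code(key: bytes, tx: Transaction, nonce: str, code: str) -> bool:
    """Accept only if the presented transaction is the one the code was issued
    for; a changed amount or payee fails this check."""
    expected = hmac.new(key, _linked_message(tx, nonce), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)


def demo():
    """Run both checks end to end on constructed sample data."""
    key = b"constructed-demo-key-not-for-real-use"
    profile = PayerProfile(home_country="DE", usual_amount_cents=20_00)
    small = Transaction(12_50, "EUR", "MERCHANT-0001", "DE")
    risky = Transaction(250_00, "EUR", "MERCHANT-0002", "FR")

    small_sca, _ = sca_required(small, profile, psp_fraud_rate=0.0005)
    risky_sca, risky_reasons = sca_required(risky, profile, psp_fraud_rate=0.0020)

    # SCA is required for the risky payment: issue a linked code and show that
    # tampering with the amount or the payee afterwards no longer verifies.
    nonce, code = issue_auth_code(key, risky)
    tampered_amount = replace(risky, amount_cents=251_00)
    tampered_payee = replace(risky, payee="MERCHANT-0003")
    return {
        "small_requires_sca": small_sca,
        "risky_requires_sca": risky_sca,
        "risky_reasons": risky_reasons,
        "genuine_verifies": verify_auth_code(key, risky, nonce, code),
        "tampered_amount_verifies": verify_auth_code(key, tampered_amount, nonce, code),
        "tampered_payee_verifies": verify_auth_code(key, tampered_payee, nonce, code),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the second half is the one the RTS makes about dynamic linking: the code is only meaningful for the amount and payee the payer was shown, so a later modification of either field (for example by malware sitting between the payer and the bank) produces a code that no longer verifies. The first half shows why the exemption criteria are evaluated together: a single failed criterion is enough to fall back to full strong customer authentication.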