Changes to conduct of business and risk management requirements - .PDF file.
PSD2 introduces the concept of a ‘strong authentication’ procedure for validating payment instruments. A strong authentication must comprise at least two validation elements that are independent of each other, such that a security breach of one does not inherently mean a security breach of the others. The introduction of the concept directly into PSD2 echoes the ECB’s 31 January 2013 Recommendation for the Security of Internet Payments, which articulates what a strong customer authentication process looks like. PSPs are currently already expected to take this recommendation into account by 1 February 2015.
It looks as if ‘strong authentication’ will become a market standard with a new rule to the effect that where a payee or payee’s PSP fails to accept a strong authentication, they must refund the financial damage caused to the payer’s PSP.
The PSD2 draft states that strong customer authentication will be compulsory for all payment transactions, unless the EBA introduces exemptions in guidelines. It is not clear what these exemptions will be and PSD2 suggests the EBA’s guidelines only need to be issued within two years of the PSD2 coming into force. This is inadequate…
If you are registered and logged in to the site, click on the link below to read the rest of the Taylor Wessing briefing. If not, please register or sign in with your details below.