European banks and service providers have been given an 18-month deadline to adopt new security measures and provisions for customer data exchange as mandated by the EU's revised Payments Service Directive (PSD2).
Although PSD2 comes into effect in January 2018, two of the most contentious measures in the rule-book, relating to more stringent security measures for payment transactions and the abolition of 'screen-scraping', will now be considered actionable 18 months after the relevant Regulatory Technical Standards (RTS) are published in the Official Journal of the EU, scheduled for September 2019.
"Payment market players need this transition period to upgrade their payments security systems so that they meet the RTS requirements," states the Commission. "This means that the PSD2 provisions on strong customer authentication and on secure communication, which are directly specified in the RTS, will not apply immediately."
Europe's banks and tech companies have been eagerly awaiting the completion of the RTS for PSD2, which have been held up by competing claims and lobbying from vested parties.
Under the revised rules, the simple provision of a password or details shown on a credit card will, in most situations, no longer be sufficient to make a payment. In certain cases, a code that is only valid for a given transaction will be needed together with two independent elements: a physical item, such as a card or mobile phone, combined with a password or a biometric feature, such as a fingerprint, before a payment can be made.
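The transaction-specific code described above is commonly called 'dynamic linking': the code is derived from the amount and the payee, so it cannot be reused for a different payment. The following Python sketch is an added illustration, not code from the article or from any bank or PSD2 implementation; the shared device key, the payee identifier format and the nonce scheme are assumptions made for the example. It shows a code that verifies for the genuine transaction, fails when the amount or payee is altered, and is rejected when replayed.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed secret shared between the bank and the customer's possession element
# (e.g. a phone app). Hypothetical value: real keys are provisioned per device.
DEVICE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

CODE_DIGITS = 8


def _message(amount_cents: int, payee: str, nonce: str) -> bytes:
    """Canonical encoding of the details the code is bound to (amount, payee, nonce)."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    for field in (payee, nonce):
        if not field or "|" in field:
            raise ValueError("fields must be non-empty and must not contain '|'")
    return f"{amount_cents}|{payee}|{nonce}".encode()


def issue_code(key: bytes, amount_cents: int, payee: str,
               nonce: Optional[str] = None) -> Tuple[str, str]:
    """Generate a transaction-bound code on the customer's device. Returns (code, nonce)."""
    if nonce is None:
        nonce = secrets.token_hex(8)  # fresh per transaction; prevents replay
    mac = hmac.new(key, _message(amount_cents, payee, nonce), hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226): fixed-length decimal code.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}", nonce


class CodeVerifier:
    """Bank-side verifier: recomputes the code from the details it is about to execute."""

    def __init__(self, key: bytes):
        self.key = key
        self.used_nonces = set()  # in practice a persistent store with expiry

    def verify(self, amount_cents: int, payee: str, nonce: str, code: str) -> bool:
        if nonce in self.used_nonces:
            return False  # replay of an already-accepted code
        try:
            expected, _ = issue_code(self.key, amount_cents, payee, nonce)
        except ValueError:
            return False  # malformed transaction details never verify
        ok = hmac.compare_digest(expected, code)  # constant-time comparison
        if ok:
            self.used_nonces.add(nonce)
        return ok


def demo() -> dict:
    """Run the four cases a verifier must distinguish; payee is a constructed placeholder."""
    payee = "DE00TESTPAYEE000000001"
    verifier = CodeVerifier(DEVICE_KEY)
    code, nonce = issue_code(DEVICE_KEY, 12_500, payee)  # customer approves EUR 125.00
    return {
        # Amount altered after the customer approved it: code no longer matches.
        "amount_changed": verifier.verify(99_500, payee, nonce, code),
        # Payee altered: code no longer matches.
        "payee_changed": verifier.verify(12_500, "DE00OTHERPAYEE00000002", nonce, code),
        # Genuine transaction: accepted once.
        "genuine": verifier.verify(12_500, payee, nonce, code),
        # Same code submitted again: rejected as a replay.
        "replayed": verifier.verify(12_500, payee, nonce, code),
    }


if __name__ == "__main__":
    print(demo())
```

The point of binding the MAC to the amount and payee is that an attacker who intercepts the code, or who changes the transaction details between the customer's screen and the bank, ends up with a code the bank will not accept; the nonce store closes the remaining window in which a captured code could be resubmitted unchanged.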
Payment service providers may be exempted if they have developed ways of assessing the risks of transactions and can identify fraudulent transactions. Exemptions also exist for contactless payments and transactions for small amounts, and particular types of payments such as urban transport fares or parking fees.
The rules also specify the obligations of banks for the provision of third-party account information tools. According to the RTS, screen-scraping of account data from bank websites will be off the table, replaced by new interfaces provided by the banks.
Payment service providers, including banks, will have to define transparent key performance indicators and service level targets for the dedicated communication interfaces. These "should be at least as stringent as those set for the online payment and banking platforms used by the customers".
The Commission says all communication interfaces, whether dedicated or not, will be subject to a 3-month 'prototype' test and a 3-month 'live' test in market conditions.
The Commission is promoting the setting up of a market group, composed of representatives from banks, payment initiation and account information service providers, and payment service users, to review the quality of bank interfaces for customer data sharing. Banks whose interfaces fail to pass muster will have to provide a 'fall-back' contingency giving third parties unrestricted direct access to the bank account, as provided for in PSD2, a compromise amendment that has been welcomed by startup campaigning groups.
The European Parliament and the Council now have three months to scrutinise the RTS before they are placed on the statute book.