EPSM, a European payment services industry group, has called for a minimum 18-month delay to the introduction of Strong Customer Authentication (SCA) rules under PSD2.
In a plea to regulators for an extension, the 67-member organisation, whose members provide a range of payment services to merchants, warned of “significant market disruptions” and “a disaster for consumers and PSPs [payment service providers]” without a grace period for industry to get its house in order.
“EPSM recommends that additional timeframes of 18 months for standard applications and up to 36 months for challenging applications (eg in the travel and hospitality sector) across all regions should be agreed in a harmonised migration approach,” the lobby group said, warning of business disruption risks without flexibility.
SCA, to be introduced September 14, 2019, requires additional, stronger customer authentication for the majority of online transactions over EUR 30 (GBP 26.95). The rules are being introduced in a bid to tackle payment fraud.
Regulatory technical standards (RTS) for SCA were adopted by the European Parliament in March 2018. The aim is to increase the security of electronic payments by introducing two-factor authentication (2FA) for all transactions over EUR 30 that fall under the scope of the rules. These include credit transfers via online banking, standard ecommerce card payments, card payments at POS (chip-and-PIN) and more.
Yet the EPSM claims many questions about implementation remain unanswered, saying that “a lot of questions regarding the interpretation of the legal texts have been addressed to EBA [European Banking Authority]. Unfortunately, only a small number has been answered and a high level of uncertainty remains.”
EPSM notes: “According to a restrictive reading of the RTS by EBA, the online payment method ‘Remote card payment using OTP [one-time password], 3DS [an XML-based protocol designed as an additional security layer for online card transactions] and card data’ will not be allowed without, for example, an additional password or biometry, even if secured by EMV 3DS 2.x (the highest security level possible).” It adds: “This would lead to significant market disruptions.”
When SCA is applied, two-factor authentication is required. This includes a combination of the following:
Possession: something only the user possesses (a card, a mobile phone, etc)
Knowledge: something only the consumer knows
Inherence: something the user is (biometric identification like fingerprint, iris or voice recognition, etc)
The EPSM is calling on the EBA to belatedly change the rules and acknowledge that the combined use of card data as “knowledge” (the current EBA opinion is that this is not compliant), OTP as “ownership” (the EBA opinion is that this is compliant) and EMV 3DS as “inherence” (the EBA opinion being that this is not compliant) is a valid SCA method.
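As an added illustration (not part of the article, nor EPSM's or the EBA's own material), the following Python models the two-factor rule from the factor list above and applies it to the element-to-category mappings the article attributes to the EBA and to EPSM. The Element type, its accepted flag and the use of “possession” for the article's “ownership” are this example's assumptions.

```python
# Added example (not from the article, EPSM or the EBA): model the SCA
# two-factor rule and compare the two readings the article describes.
from dataclasses import dataclass

# The three SCA categories the article lists.
CATEGORIES = ("possession", "knowledge", "inherence")


@dataclass(frozen=True)
class Element:
    name: str       # the authentication element used in the checkout flow
    category: str   # the SCA category it is claimed to satisfy (assumed field)
    accepted: bool  # whether the reading in force recognises that claim (assumed field)


def accepted_categories(elements):
    """Distinct SCA categories covered by at least one accepted element."""
    for e in elements:
        if e.category not in CATEGORIES:
            raise ValueError(f"{e.name!r}: {e.category!r} is not an SCA category")
    return {e.category for e in elements if e.accepted}


def is_sca_compliant(elements):
    """SCA needs two factors from different categories: two elements of the
    same category (e.g. a password plus card data, both knowledge) count once."""
    return len(accepted_categories(elements)) >= 2


# Constructed mapping of the "OTP + 3DS + card data" method under the EBA's
# restrictive reading as the article reports it.
EBA_READING = [
    Element("card data", "knowledge", accepted=False),
    Element("OTP", "possession", accepted=True),  # the article says "ownership"
    Element("EMV 3DS 2.x", "inherence", accepted=False),
]

# The same method under the reading EPSM asks the EBA to adopt.
EPSM_READING = [
    Element("card data", "knowledge", accepted=True),
    Element("OTP", "possession", accepted=True),
    Element("EMV 3DS 2.x", "inherence", accepted=True),
]

if __name__ == "__main__":
    for label, reading in (("EBA", EBA_READING), ("EPSM", EPSM_READING)):
        cats = sorted(accepted_categories(reading))
        print(f"{label}: factors={cats} compliant={is_sca_compliant(reading)}")
```

Under the EBA reading only the OTP counts, leaving a single factor, which is why the article says the method needs an extra password or biometric; under EPSM's reading all three categories are covered.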