{"id":5301,"date":"2019-06-21T10:52:00","date_gmt":"2019-06-21T15:52:00","guid":{"rendered":"https:\/\/3dmerchant.com\/blog\/?p=5301"},"modified":"2021-12-01T17:40:30","modified_gmt":"2021-12-01T22:40:30","slug":"eba-strong-customer-authentication-under-psd2","status":"publish","type":"post","link":"https:\/\/3dmerchant.com\/blog\/merchant-processing-industry-news\/eba-strong-customer-authentication-under-psd2","title":{"rendered":"EBA publishes an Opinion on the elements of strong customer authentication under PSD2"},"content":{"rendered":"\n

The European Banking Authority (EBA)<\/strong> published\n today an Opinion on the elements of strong customer authentication \n(SCA) under the revised Payment Services Directive (PSD2). The Opinion \nis a response to continued queries from market actors as to which \nauthentication approaches the EBA considers to be compliant with SCA. \nThe Opinion also addresses concerns about the preparedness and \ncompliance of some actors in the payments chain with the SCA \nrequirements that apply as of 14 September 2019.<\/strong><\/p>\n\n\n\n

\nToday’s Opinion provides a non-exhaustive list of the authentication \napproaches currently observed in the market and states whether or not \nthey are considered to be SCA compliant. The Opinion does so separately \nfor each of the three SCA elements of knowledge, possession and \ninherence, and also provides clarifications regarding combinations of \nthese elements.<\/p>\n\n\n\n

The Opinion also responds to the concerns about \nmarket preparedness, by clarifying that the EBA is legally not able to \npostpone an application date that is set out in EU law. The Opinion also\n explains that sufficient time has been available for the industry to \nprepare for the application date of SCA, given that the definition of \nSCA had been set out in PSD2 when it was published in 2015, which gave \nclear indications that existing authentication approaches would need to \nbe phased out, and because PSD2 already granted an additional 18-month \nperiod for the industry to implement SCA.<\/p>\n\n\n\n

However, the Opinion \nacknowledges the complexity of the payments markets across the EU and \nthe challenges arising from the changes that are required, in particular\n by actors that are not payment service providers (PSPs) and, therefore,\n not directly subject to PSD2 and the EBA’s technical standards, such as\n e-merchants, which may lead to some actors in the payments chain not \nbeing ready by 14 September 2019.  <\/p>\n\n\n\n

The EBA, therefore, accepts \nthat, on an exceptional basis and in order to avoid unintended negative \nconsequences for some payment service users after 14 September 2019, \nNCAs may decide to work with PSPs and relevant stakeholders, including \nconsumers and merchants, to provide limited additional time. This is to \nallow issuers to migrate to authentication approaches that are compliant\n with SCA, such as those described in this Opinion, and acquirers to \nmigrate their merchants to solutions that support SCA.<\/p>\n\n\n\n

This \nsupervisory flexibility is available under the condition that PSPs have \nset up a migration plan, have agreed the plan with their NCA, and will \nexecute the plan in an expedited manner.<\/p>\n\n\n\n

In order to fulfil the \nobjectives of PSD2 and the EBA of achieving consistency across the EU, \nthe EBA will later this year communicate deadlines by which the \naforementioned actors will have to have completed their migration plans.<\/p>\n\n\n\n

Background<\/strong><\/h3>\n\n\n\n

\n The revised Payment Services Directive was published in November 2015, \nentered into force on 13 January 2016 and applies since 13 January 2018.\n The Directive brings fundamental changes to the payments market in the \nEU, in particular by requiring SCA to be applied by payment services \nproviders (PSPs) when carrying out remote electronic transactions.<\/p>\n\n\n\n

\n SCA is defined in the Directive as an “authentication based on the use \nof two or more elements categorised as knowledge (something only the \nuser knows), possession (something only the user possesses) and \ninherence (something the user is) that are independent, in that the \nbreach of one does not compromise the reliability of the others, and is \ndesigned in such a way as to protect the confidentiality of the \nauthentication data.” The Directive also provides that SCA is to be \napplied to all electronic payments, unless one of the exemptions \napplies.<\/p>\n\n\n\n

The EBA had been mandated to support the Directive by \ndeveloping regulatory technical standards (RTS) setting out the details \non strong customer authentication and common and secure communication \n(RTS on SCA and CSC), including its exemptions, and to regulate the \naccess to customer payment account data held in account servicing \npayment service providers.<\/p>\n\n\n\n

The RTS were developed in 2015\/16, \nconsulted on during 2016\/17, adopted as Commission Delegated Regulation \n(EU) 2018\/389 on 27 November 2017, published in the Official Journal on \n13 March 2018, and will legally apply from 14 September 2019. The RTS \ndeliberately refrains from referring to any particular authentication \napproaches in the industry, in order to ensure that the RTS remains \ntechnology neutral and future-proof.<\/p>\n\n\n\n

Legal basis<\/strong><\/h3>\n\n\n\n

\n The EBA issued the Opinion in accordance with Article 29(1)(a) of its \nFounding Regulation, which mandates the Authority to play an active role\n in building a common Union supervisory culture and consistent \nsupervisory practices, as well as in ensuring uniform procedures and \nconsistent approaches throughout the Union.<\/p>\n","protected":false},"excerpt":{"rendered":"

The European Banking Authority (EBA) published today an Opinion on the elements of strong customer authentication (SCA) under the revised Payment Services Directive (PSD2). The Opinion is a response to continued queries from market actors as to which authentication approaches … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[639,640],"class_list":["post-5301","post","type-post","status-publish","format-standard","hentry","category-merchant-processing-industry-news","tag-sca","tag-strong-consumer-authentication"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts\/5301","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/comments?post=5301"}],"version-history":[{"count":1,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts\/5301\/revisions"}],"predecessor-version":[{"id":5302,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/posts\/5301\/revisions\/5302"}],"wp:attachment":[{"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/media?parent=5301"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/categories?post=5301"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/3dmerchant.com\/blog\/wp-json\/wp\/v2\/tags?post=5301"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}