EU unveils plans to make customer authentication more secure
The European Commission announced new rules under the Payment Services Directive (PSD2) this week that require payment service providers to verify a consumer’s identity with at least two independent elements before processing a payment.
The Commission will require payments companies to develop strong customer authentication (SCA) based on the stringent security provisions built into the new rules, in order to reduce fraud, particularly for online transactions, and to protect users’ financial data.
Elements that can be used to verify identity include physical items, such as a card or mobile phone, in combination with a password or biometric feature.
“These new rules will guide all market players, old and new, to offer better payment services to consumers while ensuring their security,” said Valdis Dombrovskis, Vice-President in charge of Financial Stability, Financial Services and Capital Markets Union.
The availability of payment initiation services and account information services will also be extended throughout the EU under a framework for new services linked to consumer payment accounts. Standards for secure communication between banks and FinTech companies are also established in the rules. Contactless payments and transactions of small amounts can also be exempted.
The rules come with a set of exemptions, including for payment service providers that develop ways to assess transaction risk and identify fraud.
Banks and other payment service providers will have at least 21 months to put the measures into place, including a period for scrutiny by the European Parliament and Council.
Industry resources are being deployed to help payment service providers deal with the impending implementation of PSD2: the EAB will present its Biometrics in Banking and Payments seminar in December, and the FIDO Alliance launched a European working group earlier this month.