European Banking Authority sets conditions for PSD2 authentication compliance extension
The European Banking Authority (EBA) has agreed to allow conditional extensions of the deadline for implementing strong customer authentication (SCA) in accord with the EU’s Payment Services Directive Part 2 (PSD2), giving online vendors in Europe a way to remain compliant while finalizing their adoption of biometrics and other authentication factors.
The EBA published an opinion (PDF) on the elements of strong customer authentication, suggesting that the 18-month implementation period for the new regulations, which were adopted in 2015, has been sufficient to expect businesses to be able to comply. It also acknowledges, however, that online merchants and others who do not directly provide payment services themselves could face particular challenges.
Finextra reports that a recent survey from Stripe found just half of businesses expect to meet the compliance deadline, which could cost the online economy of Europe more than €50 billion.
The new PSD2 SCA rules require authentication processes to include inherence elements, which include physical and behavioral biometrics, possession elements, and knowledge elements, and the EBA opinion reviews the elements that may be compliant for each type.
The EBA now says that National Competent Authorities (CAs) can work with payment service providers and other stakeholders, including merchants, to give them limited extensions for migrating to compliant authentication approaches. Extensions are conditional on the payment service providers having a migration plan agreed to by their applicable CA, and the plan being carried out quickly.
The EBA plans to announce a new deadline for any party granted an extension to be compliant by.