The Regulatory Technical Standards on strong customer authentication and secure communication (RTS on SCA & CSC) officially took effect on 14 September 2019.
The RTS, which were published in March 2018 in the Official Journal of the European Union, are the key to achieving the objectives of the revised Payment Service Directive (PSD2) for ensuring consumer protection, fostering innovation and enhancing the level playing field in the payment markets.
PSD2, which entered into application on 13 January 2018, aims at creating an EU-wide harmonized payment system characterized by a high level of consumer protection and payment security.
In order to increase consumer protection, PSD2 postulates that all electronic payment services should be carried out in a secure manner and promotes technologies that are able to guarantee the safe authentication of the users and thus to reduce the risk of fraud. To this end, the European Banking Authority (EBA) developed regulatory technical standards (RTS) specifying the requirements of strong customer authentication (SCA), which payment service providers (PSPs) such as banks and other payment institutions should observe when they process payments or provide payment-related services. Even though the intention of the PSD2 is to make SCA a requirement for all online transactions, there are still some exemptions. They aim to ensure that consumers still enjoy an easy shopping experience with additional security on larger and less frequent payments.
In order to promote innovation and completion, PSD2 requires account servicing payment service providers (ASPSPs) to provide at least one interface for third party payment service providers (TPPs) enabling them to initiate payments and access account information. In this context, the regulatory technical standards outline the requirements for common and secure communication between the ASPSPs and the TPPs, such as account information service providers (AISPs) and payment initiation service providers (PISPs).
Strong customer authentication
With the entry into force of the RTS, strong customer authentication becomes a necessary precondition for accessing one’s payment account or for making payments online. The SCA rules require banks and other payment service providers to verify user identity by using at least two of the following three elements: