EBA consults on strong customer authentication and secure communications under PSD2
12 August 2016
The European Banking Authority (EBA) published today a Consultation Paper on draft technical standards on strong customer authentication and common and secure communication under the revised Payment Services Directive (PSD2). These technical standards will ensure appropriate levels of security, while at the same time maintaining fair competition between all payment service providers and allowing for the development of user-friendly, accessible and innovative means of payment.
Directive (EU) 2015/2366 on payment services in the internal market (PSD2) entered into force in the European Union on 12 January 2016 and will apply as of 13 January 2018. The PSD2 has conferred 11 mandates on the EBA, one of which relates to the development, in close cooperation with the European Central Bank (ECB), of draft Regulatory Technical Standards (RTS) on strong customer authentication and secure and common communications (Article 98 of the PSD2).
In order to receive early input into this work, the EBA published a Discussion Paper in December 2015, which received 118 responses. The resulting RTS set out a harmonised framework aimed at ensuring an appropriate level of security for consumers, as well as Payment Service Providers (PSPs). The RTS propose the adoption of effective and risk-based requirements, which will secure and maintain fair competition among all PSPs, and allow for the development of user-friendly, accessible and innovative means of payment.
The requirements cover strengthened customer authentication, enhanced protection of users' security credentials, and common and secure open standards for communications between the various types of providers in the payments sector.
Responses to this Consultation Paper can be sent to the EBA by clicking on the "send your comments" button on the website.
All contributions received will be published following the close of the consultation, unless requested otherwise. Please note that the deadline for the submission of comments is 12 October 2016 and that no attachments can be submitted.
A public hearing will take place at the EBA premises on Friday 23 September 2016, from 14.00 to 17.00 UK time. In case the number of attendees exceeds capacity, the EBA may impose a restriction on the number of individuals that can attend from each organisation. Individuals are therefore requested to await confirmation of their registration, which the EBA expects to send two weeks prior to the hearing.
The EBA has developed these RTS in accordance with Article 98 of Directive (EU) 2015/2366 on payment services in the internal market (PSD2), which requires the EBA to issue RTS ensuring an appropriate level of security for payment service users and payment service providers.