14 October 2021
The European Banking Authority (EBA) today repealed its Guidelines on the security of internet payments. These Guidelines were issued before the revised Payment Services Directive (PSD2) came into force in 2016 and have since been superseded by the PSD2 and the related EBA instruments developed in support of PSD2.
The EBA issued these Guidelines in 2014 to provide details as to how provisions in the Directive that was applicable at the time (PSD1) should be interpreted for the purpose of enhancing the security of payment services, with a view to mitigating the risks from the growing payments fraud that occurred at the time.
Three years later, in January 2016, the revised Payment Services Directive (EU 2015/2366, or PSD2) entered into force, articulating more specific requirements concerning the security of payments. The revised Directive, which has applied since January 2018, also mandated the EBA to develop several legal instruments, including the Technical Standards on strong customer authentication and common and secure communication (RTS on SCA&CSC), which have applied since September 2019.
As the revised Directive and the related EBA instruments incorporate, and also go beyond, the requirements set out in these Guidelines, the EBA has decided to repeal them and has asked national competent authorities to take the corresponding steps that may be necessary at a national level.