Both proposed approaches entail the risk of redundant investment by PSPs and potential confusion and inconvenience for customers and e-merchants.
Following a one-step approach would make it necessary to second-guess the outcome of the PSD2 process, with the risk that PSPs would be implementing security measures which were not in accordance with the final PSD2 text. Furthermore, security requirements as per the current Council PSD2 text are quite far-reaching, going well beyond what was envisaged by SecuRe Pay (including potentially “strong transaction signing”), the implementation of which is by no means trivial. Such changes require considerable time to design and test, and a deadline of 1 August 2015 does not seem to be a viable option. The implementation requires a solid legal basis and clear, well-defined requirements. The PSD2 will provide both of these.
On the other hand, the two-step approach runs the risk of PSPs implementing security solutions based on the guidelines as they stand, only for these to become non-compliant when the PSD2 comes into force. This risk relates, for example, to implementing strong authentication/3D Secure-type solutions for online card payments, which potentially do not live up to the proposed strong transaction signing of the PSD2. Such a two-step approach would also risk bringing significant confusion to the e-commerce market.
Hence, it is the view of the DBA that authorities need to recognise the fact that running the PSD2 review process and implementation of the guidelines in parallel gives rise to a new situation. We firmly believe that the only viable solution for all parties involved is to postpone the implementation of the guidelines until the final text of the PSD2 is agreed, adapting the guidelines to this text – and allowing ample time for PSPs and others to implement any new requirements.