Consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
- Consultation
- 12 OCTOBER 2016
- EBA-CP-2016-11
The European Banking Authority (EBA) published today a Consultation Paper on draft technical standards on strong customer authentication and common and secure communication under the revised Payment Services Directive (PSD2). These technical standards will ensure appropriate levels of security, while at the same time maintaining fair competition between all payment service providers and allowing for the development of user-friendly, accessible and innovative means of payment.
Directive (EU) 2015/2366 on payment services in the internal market (PSD2) entered into force in the European Union on 12 January 2016 and will apply as of 13 January 2018. The PSD2 has conferred 11 mandates on the EBA, one of which relates to the development, in close cooperation with the European Central Bank (ECB), of draft Regulatory Technical Standards (RTS) on strong customer authentication and secure and common communications (Article 98 of the PSD2).
In order to receive early input into this work, the EBA published a Discussion Paper in December 2015, which received 118 responses. The resulting RTS set out a harmonised framework aimed at ensuring an appropriate level of security for consumers, as well as Payment Service Providers (PSPs). The RTS propose the adoption of effective and risk-based requirements, which will secure and maintain fair competition among all PSPs, and allow for the development of user-friendly, accessible and innovative means of payment.
The requirements cover strengthened customer authentication, enhanced protection of users' security credentials, and common and secure open standards for communications between the various types of providers in the payments sector.
Consultation process
Responses to this Consultation Paper can be sent to the EBA by clicking on the "send your comments" button on the website. Due to the large number of responses to be expected, and because of the limited time available for the EBA to review the responses, the EBA is unfortunately not in a position to accept submissions of documents or electronic files.
All contributions received will be published following the close of the consultation, unless requested otherwise. Please note that the deadline for the submission of comments is 12 October 2016.
A public hearing will take place at the EBA premises on Friday 23 September 2016, from 14.00 to 17.00 UK time. In case the number of attendees exceeds capacity, the EBA may impose a restriction on the number of individuals that can attend from each organisation. Individuals are therefore requested to await confirmation of their registration, which the EBA expects to send two weeks prior to the hearing.
Legal basis
The EBA has developed these RTS in accordance with Article 98 of Directive (EU) 2015/2366 on payment services in the internal market (PSD2), which requires the EBA to issue RTS ensuring an appropriate level of security for payment service users and payment service providers.
Responses
The form is now closed.
Received responses to the EBA
- 1. Luxembourg Government IT Center
- 2. ING Bank NV
- 3. Prudentiz
- 4. French Banking Federation
- 5. Optima Consultancy
- 6. Tink AB
- 7. The European Card Payment Association
- 8. Accenture
- 9. PayPal
- 10. Ecommerce Europe
- 11. Icon Solutions Ltd
- 12. European Payments Council (EPC)
- 13. Yodlee, Inc.
- 14. Bitkom e.V.
- 15. European Payment Institutions Federation
- 16. Token
- 17. UniCredit
- 18. FIDO Alliance
- 19. Government Digital Service, UK Cabinet Office
- 20. Societe Generale Group
- 21. Joint response from Payments UK, Financial Fraud Action UK and The UK Cards Association
- 22. Galitt
- 23. European Cards Stakeholders Group
- 24. IKEA Group
- 25. IdenTrust
- 26. Intive
- 27. Romanian Banking Association
- 28. SAS NUMERICOMPTA
- 29. European Banking Federation
- 30. VASCO Data Security
- 31. Informed Risk Decisions Ltd
- 32. Interessengemeinschaft Kreditkartengeschäft
- 33. JACCOO
- 34. EMOTA European eCommerce and Omni Channel Trade Association
- 35. GSMA
- 36. British Retail Consortium
- 37. AB SEB bankas
- 38. Rabobank
- 39. Intuit, Inc.
- 40. University College London
- 41. mobysign
- 42. The Ministry of Finance of the Czech Republic
- 43. European Financial Congress
- 44. Financial API Working Group - Open ID Foundation
- 45. paydirekt GmbH
- 46. ITALIAN BANKING ASSOCIATION
- 47. Deutsche Bank AG
- 48. ESBG
- 49. Association of Credit Card Issuers Europe (ACCIE)
- 50. AFEPAME
- 51. MYPINPAD LTD
- 52. CyberSource Ltd
- 53. ASF
- 54. Verbraucherzentrale Bundesverband e.V. Federation of German Consumer Organisations
- 55. European Association of Co-operative Banks
- 56. Intesa Sanpaolo S.p.A.
- 57. The Danish Bankers Association
- 58. Fintonic Servicios Financieros, SL's
- 59. Eurobits Technologies
- 60. Quali-Sign Ltd
- 61. Federal Office for Information Security (Germany)
- 62. The German Federal Association of Payment Institutions (BVZI)
- 63. SlimPay
- 64. AFTE - French association of corporate treasurers
- 65. Korala Associates Limited (KAL)
- 66. FUGAM
- 67. iSignthis
- 68. MRC Fraud & Payments EU Ltd.
- 69. SPA
- 70. Callcredit Information Group
- 71. PAN-Nordic Card Association
- 72. GLEIF
- 73. The Royal Bank of Scotland plc
- 74. MIDAS Alliance
- 75. Raiffeisenbank a.s., Czech Republic
- 76. figo GmbH
- 77. Ministry of Industry
- 78. Febelfin
- 79. Nets A/S
- 80. Związek Banków Polskich (Polish Bank Association)
- 81. Gemalto
- 82. Vodafone Group PLC
- 83. Kontomierz.pl Sp. z o.o. (Kontomatik)
- 84. EMVCo LLC
- 85. PaySquare SE
- 86. KOBIL Systems
- 87. Electronic Money Association
- 88. Crédit Agricole S.A.
- 89. Financial Data and Technology Association
- 90. Slovak Banking Association
- 91. Banking Stakeholder Group
- 92. Slovenská sporiteľňa, a.s.
- 93. Intercede Ltd.
- 94. German Banking Industry Committee (GBIC)
- 95. Bank of Cyprus
- 96. EuroCommerce
- 97. crown holdings
- 98. OP Financial Group
- 99. Portuguese Banking Association (APB)
- 100. BEUC, The European Consumer Organisation
- 101. worldline
- 102. Norwegian University of Science and Technology (NTNU)
- 103. IBM
- 104. American Express
- 105. Notakey
- 106. The Federation of Finnish Financial Services (Finance Finland, FFI)
- 107. Swedish Bankers' Association
- 108. MAIF
- 109. LSc LifeScience Consult GmbH
- 110. The Association of Foreign Exchange and Payment Companies
- 111. Ministry of Finance of the Slovak Republic
- 112. bevh - German Distance Sellers Association
- 113. Adyen
- 114. VocaLink
- 115. Groupement des Cartes Bancaires CB
- 116. Trustonic
- 117. RSA
- 118. Transpact.com
- 119. Polski Standard Płatności sp. z o.o.
- 120. Austrian Federal Economic Chamber, Division Bank and Insurance
- 121. Finect
- 122. Lufthansa AirPlus Servicekarten GmbH
- 123. Association of Foreign Banks in Germany / Verband der Auslandsbanken in Deutschland e.V.
- 124. Association of Consumer Credit Information Suppliers (ACCIS)
- 125. Avanza Bank AB
- 126. Vendorcom
- 127. Banking & Payments Federation Ireland
- 128. Currence iDEAL B.V.
- 129. EPSM - European Association of Payment Service Providers for Merchants
- 130. DeBarra Innovations Limited
- 131. Visa Europe
- 132. Klarna AB
- 133. Dutch Payments Association
- 134. The Bank Association of Slovenia, Subiceva ulica 2, SI – 1000 Ljubljana, Slovenia
- 135. mooverang
- 136. Air Bank a.s.
- 137. FEDMA
- 138. Finnish Federation for Telecommunications and Teleinformatics, FiCom
- 139. van den Berg AG
- 140. Svensk Handel
- 141. EUROSMART
- 142. Citibank Europe plc
- 143. Austrian Federal Economic Chamber, Division Bank and Insurance
- 144. ABN AMRO Bank N.V.
- 145. Finance Norway
- 146. NTT DATA
- 147. UL TS BV
Documents
Consultation Paper on draft RTS on SCA and CSC
(441.67 KB - PDF) Last update 12 August 2016