PSD2: Making security regulations straightforward


The payments and e-commerce industries are buzzing about the revised Payment Services Directive (PSD2), and there is still plenty of debate around it.

The deadline for transposing PSD2 into national law expired last January. However, the Level 2 legal instruments that stem from the Directive are not yet applicable, and the requirements they introduce are still unclear to most stakeholders.

The Commission Delegated Regulation (CDR) on Strong Customer Authentication (SCA) and common and secure open standards of communication (referred to below as secure communication channels, SCC)[1] stands out for the impact it will have on the entire payments value chain. Its final version was published in the Official Journal of the European Union on March 13, 2018. To address its lack of clarity, the European Banking Authority (EBA) issued an Opinion[2] three months later and created a Q&A tool through which industry stakeholders can raise requests for further clarification. We have put together some of the most important and controversial insights on the security-related PSD2 requirements below.

Authentication 

Most of the requirements concern the exemptions from mandatory two-factor authentication (2FA). Whether an exemption applies depends primarily on the amount, the channel, the party initiating the transaction (payer vs. payee), payee whitelists created by the customer, and the fraud rate of the service provider applying the exemption (known as Transaction Risk Analysis, or TRA). Of these, the TRA exemption and the exemption for recurring transactions are especially important. The current scope of the recurring-transaction exemption only covers a series of payments to the same payee for the same amount, with SCA applied when the series is set up. This is widely challenged by the industry, as it excludes common scenarios such as utility and phone bills, whose amount varies from one payment to the next.
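To make the exemption logic above concrete, here is an added worked example (not code from the original post, nor from Payvision) of how a PSP's SCA decision engine might evaluate a remote electronic payment against the exemptions the post discusses. The thresholds are taken from the RTS itself rather than from the post: trusted beneficiaries (Article 13), recurring transactions of the same amount to the same payee (Article 14), low-value remote payments of at most EUR 30 with a cumulative limit of EUR 100 or five consecutive transactions since the last SCA (Article 16), and the TRA reference fraud rates in the Annex to Article 18. The class and function names, the payer state model and the sample transactions are assumptions made for the example; the model is deliberately simplified (it covers remote payments only, applies both Article 16 conditions conservatively, and ignores the other exemptions in the RTS).

```python
from dataclasses import dataclass, field
from typing import Optional

# Reference fraud-rate thresholds from the Annex of CDR (EU) 2018/389 (Article 18),
# quoted from the regulation, not from the post. Each tuple is
# (exemption threshold value in EUR, maximum fraud rate the PSP may have for it).
TRA_THRESHOLDS = {
    "card":            [(500.0, 0.0001), (250.0, 0.0006), (100.0, 0.0013)],
    "credit_transfer": [(500.0, 0.00005), (250.0, 0.0001), (100.0, 0.00015)],
}

LOW_VALUE_LIMIT = 30.0        # Art. 16(a): single remote transaction <= EUR 30
LOW_VALUE_CUMULATIVE = 100.0  # Art. 16(b): cumulative amount since last SCA <= EUR 100
LOW_VALUE_COUNT = 5           # Art. 16(c): at most 5 consecutive transactions since last SCA


@dataclass
class Transaction:
    """A single remote electronic payment (assumed model for this example)."""
    amount: float
    payment_type: str             # "card" or "credit_transfer"
    remote: bool = True
    payer_initiated: bool = True  # payee-initiated (merchant-initiated) payments are out of SCA scope
    payee: str = ""
    # (payee, amount) of the SCA-authenticated payment that set up a recurring series, if any
    recurring_series: Optional[tuple] = None


@dataclass
class PayerState:
    """Per-payer state the PSP must keep to apply Art. 13 and Art. 16."""
    trusted_payees: set = field(default_factory=set)  # whitelist created under SCA (Art. 13)
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0


def tra_limit(payment_type: str, psp_fraud_rate: float) -> float:
    """Highest exemption threshold value the PSP's fraud rate allows (0 if TRA is unavailable)."""
    for etv, max_rate in TRA_THRESHOLDS[payment_type]:
        if psp_fraud_rate <= max_rate:
            return etv
    return 0.0


def decide(tx: Transaction, state: PayerState, psp_fraud_rate: float) -> str:
    """Return the applicable exemption, or 'sca_required'. Updates the payer state."""
    if not tx.payer_initiated:
        return "out_of_scope_payee_initiated"
    if not tx.remote:
        return "sca_required"  # this example only models remote payments

    decision = "sca_required"
    if tx.payee in state.trusted_payees:
        decision = "exempt_trusted_beneficiary"
    elif tx.recurring_series is not None and tx.recurring_series == (tx.payee, tx.amount):
        # Art. 14 requires the same payee AND the same amount: a utility bill whose
        # amount changes every month falls outside this exemption.
        decision = "exempt_recurring"
    elif (tx.amount <= LOW_VALUE_LIMIT
          and state.cumulative_since_sca + tx.amount <= LOW_VALUE_CUMULATIVE
          and state.count_since_sca < LOW_VALUE_COUNT):
        decision = "exempt_low_value"
    elif tx.amount <= tra_limit(tx.payment_type, psp_fraud_rate):
        decision = "exempt_tra"

    # Art. 16 counters run from the last application of SCA: an exempted payment
    # adds to them, a payment that goes through SCA resets them.
    if decision == "sca_required":
        state.cumulative_since_sca = 0.0
        state.count_since_sca = 0
    else:
        state.cumulative_since_sca += tx.amount
        state.count_since_sca += 1
    return decision


if __name__ == "__main__":
    # Constructed sample: a PSP whose card fraud rate (0.2%) is too high for any TRA exemption.
    payer = PayerState()
    bill = Transaction(42.5, "card", payee="Utility Co", recurring_series=("Utility Co", 40.0))
    print(decide(bill, payer, psp_fraud_rate=0.002))  # varying amount: sca_required
```

The example shows the practical consequence of the recurring-payment scope: the second sample transaction shares its payee with the series set up under SCA but not its amount, so it only escapes SCA if the PSP's fraud rate is low enough for TRA. Note that the Article 16 counters are per payer and must be persisted across requests; a decision engine that evaluates each transaction in isolation would grant the low-value exemption indefinitely.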

Open Banking

Another set of requirements concerns SCC. Through the CDR, PSD2 obliges banks to open their systems to third-party providers (TPPs) for account information, payment initiation and confirmation of funds via access interfaces such as Application Programming Interfaces (APIs). The SCC requirements establish the rules governing the interaction between Account Servicing PSPs (ASPSPs, the institutions that provide the bank accounts) and TPPs, the providers that access account data or initiate payments on a customer's behalf and that have so far rendered this service through the customer's own online banking interface, logging in with the customer's credentials (what is also known as "screen scraping").

Under the new requirements, ASPSPs can establish a dedicated interface for TPPs through which they can access only a limited set of data, essentially what they need to perform their service, and through which TPPs identify themselves with their own qualified certificates rather than with the customer's credentials. Such an interface will have to meet requirements set out in Guidelines the EBA is currently drafting[3]. If an ASPSP's dedicated interface fails to meet these requirements, the ASPSP has to offer a fallback option that allows TPPs to render their services through the customer interface.

The struggle within payments 

Both SCA and SCC requirements pose an ongoing challenge within the payments ecosystem. Traditional players and the many new fintech startups are constantly in a race to innovate and get their piece of the pie. This leads to increased competition within the industry and lower pricing.

The ongoing competition within the payments realm stimulates each operator’s ambition to come up with better and more innovative solutions to meet the changing needs of merchants and end consumers. It will be interesting to see what this fascinating world of payments will look like in the next few years, and how all players will push to keep up with the pace of modern consumers.

This race doesn’t look like it will end anytime soon. Policy makers and authorities will need to liaise with the various stakeholders to understand their different viewpoints and needs, so that their regulatory oversight balances increased competition, safety and consumer protection.


[1] Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication.

[2] EBA-Op-2018-04: Opinion of the European Banking Authority on the implementation of the RTS on SCA and CSC.

[3] EBA/CP/2018/09 (13 June 2018): Consultation Paper on Draft Guidelines on the conditions to be met to benefit from an exemption from contingency measures under Article 33(6) of Regulation (EU) 2018/389 (RTS on SCA & CSC).

The author

Ignacio is our VP, Regulatory Affairs. In this role, he is responsible for regulatory affairs and advisory compliance. Ignacio also handles external engagement and public affairs on behalf of Payvision as a Payment Institution, representing the company before policy-making authorities, regulators and trade associations such as the European Payment Institutions Federation (EPIF), where he sits on the Executive Board.
