Home » Payments - Bill Collection » SEPA Payment Structure & Services

9 facts to clarify how PSD2 will affect security and e-payments

The European Commission has published a fact sheet on the revised Payment Services Directive (PSD2), explaining how the new legislation, which comes into effect from 13 January 2018, will pave the way for innovation in electronic payments and will enable a safer payments environment for consumers and businesses.

Here are some of the key facts about PSD2:

  1. The objectives of PSD2 are to give consumers more and better choice in the EU retail payment market, as well as to facilitate innovation, competition and efficiency. It will also introduce higher security standards for online payments. The directive also applies to new providers in the market, such as fintechs.
  2. PSD2 will become applicable as of 13 January 2018, except for the security measures outlined in the RTS. These will become applicable 18 months after the date of entry into force of the RTS. Subject to the agreement of the Council and the European Parliament the RTS is due to become applicable around September 2019.
  3. PSD2 will enhance security for electronic payments by making strong customer authentication (SCA) the basis for accessing one's payment account, as well as for making payments online. This means that to prove their identity users will have to provide two of the following three elements: something they know (a password or PIN code); something they own (a card, a mobile phone); and something they are (biometrics, e.g. fingerprint or iris scan). Some EU countries already apply SCA and others do so voluntarily, so PSD2 will bring all countries in line on this issue.
  4. PSD2's regulatory technical standards (RTS) allow for some exceptions to the rules on SCA to avoid customer disruption – but payment service providers first have to apply mechanisms for monitoring transactions to assess if the risk of fraud is low.
  5. SCA will become mandatory from September 2019.
  6. PSD2 also covers corporate payments, which are usually done in batches. The legislation takes into account host-to-host machine communication, where for example the IT system of a company communicates with the IT system of a bank to send messages for paying invoices. Security mechanisms for this type of communication systems can be as effective as strong customer authentication. Therefore, they can benefit from an exemption from the SCA, if this is approved by national supervisors.
  7. PSD2 establishes a framework for new services linked to consumer payment accounts, such as the so-called payment initiation services and account information services. This means that consumers and companies will be able to grant access to their payment data to third parties providing payments-related services (TPPs) – and banks will have to put in place a communication channel that allows TPPs to access the data that they need.
  8. Personal data processed by TPPs will be protected by the General Data Protection Regulation (GDPR), which comes into force from May 25 of 2018. No data processing can take place without the express agreement of the consumer and, in addition, payment service providers can only access and process the personal data necessary for the provision of the services the consumer has agreed to.
  9. TPPS won't be allowed to access the customer's data through the use of 'direct access' or 'screen scraping', whereby an authorised third party provider can access data through the customer interface with the use of the customer's security credentials, without any further identification through the bank interface.

This item appears in the following sections:
Payments - Bill Collection
SEPA Payment Structure & Services
Payments - Collecting at POS
Card Payments at POS
Collecting Payments on the Internet
Collecting Payments via Mobile
Payments - Making
Paying Suppliers

Also see


No comment yet, why not be the first?

Add a comment