Client Alert

PSD2: EBA consults on strong customer authentication and common secure communication

PSD 2 and EBA

PSD2 entered into force on 12 January 2016 and will replace the current Payment Services Directive (in force since 2007) as of 13 January 2018. Under PSD 2, EBA is tasked with developing (in close cooperation with the European Central Bank) a range of draft regulatory technical standards (RTS) specifying, amongst others, the requirements of strong customer authentication and the exceptions thereto.

Security of payments under PSD 2

PSD 2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment services providers (PSPs). PSPs will be bound to apply strong customer authentication when a payer initiates an electronic payment transaction. Strong customer authentication is an authentication process that validates the identity of the user of a payment service or of the payment transaction and is based upon the use of two or more elements categorized as:

  • knowledge (something only the user knows, e.g. a password or a PIN);
  • possession (something only the user possesses, e.g. the card or an authentication code generating device); and
  • inherence (something the user is, e.g. the use of a fingerprint or voice recognition) to validate the user or the transaction.

Certain requirements for the protection of online payments have already been implemented through the EBA’s Guidelines on the Security of Internet Payments, which were issued on 19 December 2014 and came into force on 1 August 2015.

Consultation process and deadline

The Consultation Paper may be found on EBA’s website. According to EBA’s press release, the deadline for the submission of comments is 12 October 2016 (no attachments can be submitted). A public hearing will take place at the EBA premises on Friday 23 September 2016, from 14.00 to 17.00 UK time.
