The European Banking Authority says it will relax its proposed (preposterous) PSD2 rule requiring strong customer authentication for all payments over €10, after receiving a huge number of complaints from industry participants who claimed that the mandate would lead to more declined transactions and abandoned purchases at the checkout.
The EBA relents on PSD2 authentication
In a speech in London on the EU’s revised Payment Services Directive (PSD2), which is set to come into force in January 2018, EBA chairman Andrea Enria said that the proposed standards would be modified to raise the threshold to €30 for remote consumer transactions, although there would be no exemption for corporate payments – but is this enough?
“PSD2 rules were going to demand that every online and unattended transaction in Europe over €10 demanded Strong Customer Authentication (SCA) – this is essentially dynamic (i.e. non-static) two-factor authentication,” says Phil Atherton, Chief Risk Officer, SafeCharge Group.
“The European Banking Authority (EBA) has decided to water down the rules after what’s been described as a ‘lively debate’.
This debate centred on how retailers, marketplaces, payment companies and numerous others would be affected by SCA. These organisations argued that two-factor authentication would prove onerous for users, resulting, they claimed, in a devastating effect on their businesses. One-click checkouts would become a thing of the past, many more purchases would be declined, and queues at tollbooths would be overwhelming.
This debate included 224 responses to the EBA’s consultation, the highest number of responses the EBA has ever received. It described these responses as “wide and representative”. The whole payments and ecommerce industry had something to say, and the EBA decided to raise the limit for SCA, and provide for some exceptions.
Raising the limit from the proposed €10 to €30 is welcome (even though it’s unclear how this will apply to the UK). So is the exception for those using transaction risk analysis – but many questions remain about how this exception will be implemented.
We know that risk analysis is the most effective way to beat fraud, but proving that a particular system works will only add to an already heavy reporting burden on companies. What will be seen as an acceptable level of fraud? What minimum standards will need to be met in order to have an acceptable risk analysis system? How will the ongoing, 18-month assessment of these systems be carried out? How will this apply to services such as Amazon’s one-click ordering?
The proposals are very vague indeed – especially when compared to the proposed transaction limit for two-factor authentication. Far more detail is needed before the industry can decide if this change is an improvement or just an added complexity to already-convoluted regulation.
The SCA element of PSD2 has massive and far-reaching ramifications. Those with a stake should keep a close eye on the details, when the EBA decides to reveal them. The lively debate is certainly not over; it may, in fact, just be getting started,” Atherton concludes.