Problems With EU Payment Security Persist

Proposed new security procedures within the EU have troubled some payment service providers, leading to the postponement of their implementation.

Oliver Schonschek, Security Now News Analyst

November 14, 2019


The revised EU Payment Services Directive (PSD2) aims to modernize Europe's payment services. It promotes more secure payments and better consumer protection. But the new security procedures troubled some payment service providers, so tighter payment security in the EU has been postponed.

Consumers would benefit from cheaper, safer and more innovative electronic payments, the European Commission emphasized when it presented the revised EU Payment Services Directive (PSD2). Valdis Dombrovskis, at that time vice president responsible for Financial Stability, Financial Services and Capital Markets Union, said: "This legislation is another step towards a digital single market in the EU. It will promote the development of innovative online and mobile payments, which will benefit the economy and growth. Consumers will also be better protected when they make payments."

On September 14, 2019, the strong customer authentication (SCA) requirement of the revised Directive on payment services (PSD2) came into force. Through this, PSD2 obliges payment service providers to apply "strong customer authentication" when a payer initiates an electronic payment transaction.

Some EU Member States, such as Belgium, the Netherlands and Sweden, already used SCA for electronic remote payment transactions, whether card payments or credit transfers from an online bank. In some other EU countries, some payment service providers apply SCA on a voluntary basis.

Under PSD2, banks and other payment service providers will have to put in place the necessary infrastructure for SCA. They will also have to improve fraud management. Merchants will have to be equipped to operate in an SCA environment.

"Creating security in e-commerce is a continual process," says Markus Schaffrin, security expert at eco – Association of the Internet Industry. "The rules of the PSD2 are a good way of making sure that customers do not need to fear identity theft or having their payment details abused."

The Commission Delegated Regulation (EU) 2018/389 also assists in the security of payments that are carried out in batches. This is the way most corporations make payments, rather than one by one. The new rules also take into account host-to-host machine communication, where, for example, the IT system of a company communicates with the IT system of a bank to send messages for paying invoices.

Although the European Commission called on all EU Member States to ensure speedy and full implementation of all these rules, some stakeholders are still working to put these technological and practical changes in place.

The European Banking Authority (EBA) acknowledged the challenges experienced by some stakeholders in introducing SCA fully by September 14. The EBA therefore adopted an Opinion allowing national supervisors to enforce the new SCA rules for online payments by cards with a degree of flexibility, granting, where necessary, "limited additional time" to migrate to compliant authentication methods. Consumers should continue to pay as normal in Member States that decide to take advantage of this flexibility. At the end of this period of time, consumers will be asked to perform the two-factor strong customer authentication, unless an exemption applies.

The German digital association Bitkom has expressed relief that the financial supervisory authority does not want to consistently enforce the new rules, applicable from September 14, on online card payments because of the existing implementation problems. At the same time, Bitkom recommends extending this transitional period for "strong customer authentication" to 18 months. This period would be necessary and sufficient to ensure implementation for payment services, technical service providers and retailers. In addition, the transitional period would allow the necessary tests of the new payment routines.

On October 16, 2019, the European Banking Authority (EBA) published the deadline for the migration to SCA under the revised Payment Services Directive (PSD2) for e-commerce card-based payment transactions. The deadline has been set to December 31, 2020.

While the payment service providers welcome the long transition period, the customers are still waiting for more payment security in the EU. The new payment study by the Bundesverband Digitale Wirtschaft (BVDW) e.V. has shown that 64.4% of Germans do not want to restrict their shopping behavior in online shops despite the EU's new Payment Services Directive (PSD2). Additionally, 13.1% of respondents (n = 1,047) welcome the new heightened security measures and want to shop even more online.

According to a new representative study by the German Gesellschaft für Konsumforschung (GfK), 45% of consumers think the introduction of the new EU regulation is a good thing. Although online shoppers still have to get used to the new procedures of their card-issuing banks and savings banks, the new regulation brings significantly more security.

"We expect biometric authentication to become more important with two-factor authentication, and many smartphone owners are already using their fingerprint or face recognition feature to unlock their mobile phone," said Peter Bakenecker, division president for Germany and Switzerland at Mastercard. "In particular, purchases with mobile devices can be completed safely and conveniently with just one click, without having to enter an unwieldy password or a PIN during the payment process."

But some customers will have to wait for the better payment security in the EU, maybe until the end of 2020, while in some EU countries and many countries outside the EU the strong customer authentication already works without any problems.

— Oliver Schonschek, News Analyst, Security Now
