The Commission today adopted rules that will make electronic payments in stores and online more secure. This will also allow consumers to take advantage of easier, cheaper and more innovative solutions offered by payment service providers.

These rules implement the recently revised Payment Services Directive (PSD2), which aims to modernize payment services in Europe so that they keep pace with the rapidly changing market and allow the European e-commerce market to flourish. The rules adopted today will allow consumers to use innovative services offered by third parties, also known as fintech companies. These services include payment solutions and personal finance management tools that aggregate information from different accounts. At the same time, the rules ensure that the data of consumers and businesses in the EU is carefully protected and secured.
Vice-President Valdis Dombrovskis, responsible for Financial Stability, Financial Services and Capital Markets Union, said, "These new rules are a guide to help all market players, both existing and new, offer better payment services to consumers. At the same time, the security of those services will be ensured."
A core objective of PSD2 is to increase the level of security of electronic payments and trust in them. For example, PSD2 requires payment service providers to develop strong customer authentication. The new rules provide strict, integrated security requirements to significantly reduce payment fraud and protect the confidentiality of users' financial data. This is particularly important for online payments. For this, the new rules require the use of at least two independent elements prior to payment, for example a physical object (a bank card or cell phone) combined with a password or a biometric identifier, such as a fingerprint.
Furthermore, PSD2 provides a framework for new services related to consumers' payment accounts, such as so-called payment initiation and account information services. These innovative services are already offered in many EU countries, but thanks to PSD2, consumers across the EU will have access to services that meet stringent security requirements. The rules specify exactly what requirements the common and secure standards for communication between banks and fintech companies must meet.
After the Commission adopts the regulatory technical standards, the European Parliament and the Council have three months to review them. After the review period ends, the new rules will be published in the Official Journal of the European Union. Banks and other payment service providers then have 18 months to implement the security measures and communication tools.
Background
The regulatory technical standards adopted today were developed by the European Banking Authority in close cooperation with the European Central Bank. They define exactly how strong customer authentication should be applied.
In most cases, it will no longer be sufficient to simply provide a password or the details on a credit card when making a payment. In certain cases, in addition to the two other independent elements, a code must be provided that applies only to a particular transaction. The goal is to reduce fraud in all payment methods, and especially online payments, and to protect the confidentiality of users' financial data.
However, the rules also take into account that in some cases an acceptable level of payment security can be achieved in other ways than using the two independent elements required for strong customer authentication. For example, payment service providers can obtain an exemption if they have developed a method to assess transaction risks and identify fraudulent transactions. Exemption is also possible for contactless payments, small amounts and certain types of payments, such as those involving public transportation cards or parking fees. These exemptions allow payment service providers to provide payment convenience without compromising payment security.
The rules also specify the obligations that banks and providers of innovative payment solutions and account information tools must meet. If consumers want to use such new services, their bank must not prevent them from doing so. All banks offering online access to accounts must also cooperate with fintech companies or with other banks providing such new services. To this end, banks must provide secure communication channels used for sending data and making payments.
Consumers benefit from the new rules, which provide more choice and competition in paying for goods and services purchased online. In addition, they can manage their personal finances more efficiently through applications that aggregate information from accounts at different banks.
