Changes of PSD2 RTS
The European Banking Authority has released the final RTS on SCA and safe interaction under PSD2.
04:21 07 February 2022
The European Banking Authority has released the final Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and safe interaction under The Revised Payment Services Directive (PSD2). The PSD2 RTS has the potential to greatly change the landscape of payments and the whole financial market.
Therefore, it brought endless questions and raised frustration among those who were forced to implement it. After reviewing the first draft of RTS the financial market was left confused and in need of clarification. The final RTS addressed most of the concerns and explained the concept in more detail. Following are the 5 main aspects to know before diving into RTS implementation.
- Bank Interfaces. The RTS gives no instructions on the actual interface that a bank should develop. It is left completely up to each bank to decide what its requirements are in terms of innovation and ease of use. To avoid massive disruption from completely different interfaces, some industry members such as the Berlin Group took the initiative to introduce basic standards so that everyone is on roughly the same level. The European Retail Payments Board (ERPB) then gathered these groups to facilitate progress. The standards are not elaborate; however, they provide a base on which an interface can be built, making communication among industry members easier.
- Screen Scraping. According to the PSD2 RTS, screen scraping is forbidden. Third-Party Providers (TPPs) using an interface must identify themselves by digitally signing messages, which is a great leap forward. Where a bank provides a designated Application Programming Interface (API), TPPs are obliged to use it.
- Payment security. When Payment Initiation Services (PIS) are used, it is the bank's responsibility to authenticate the customer. The RTS clarified that Payment Initiation Service Providers (PISPs) must rely on the bank's infrastructure and authentication processes. PISPs are not authorized to perform their own identification procedures and then forward the payment information to the bank for the final transaction. This restriction was created to prevent fraudulent activity and to ensure that a customer requesting the payment is authenticated according to the security requirements.
- Authentication. PSD2 RTS article 4.1 states that the authentication code can be used only one time. Usually there are no issues with this; however, TPPs can initiate multiple transactions or retrieve customer data with only one application of SCA for the whole series of initiated actions. Therefore, this particular article conflicts with the PSD2 requirement of SCA application only every 5th transaction from a trusted source.
- PSD2 RTS exemptions from SCA. The exemptions sector is the one that has undergone the most changes to become more efficient. There were four main alterations:
  - When making card-free transactions, the single payment value rose to 50€. This made contactless payments faster and more user-friendly. The other side of this change was the payment values. Earlier it was required to accumulate transaction values for the SCA application; later, however, five consecutive non-SCA payments were added to create a better user experience and increase customer satisfaction while maintaining the highest level of security.
  - An additional exemption for unattended transport and parking terminals was included.
  - For the white list of trusted beneficiaries, the requirement of SCA was lifted. However, this exemption can only be accessed and created by the account user, and PISPs have no power over it. Moreover, the exemption is valid only for digital payments made from the user's account.
  - The low-value payment amount went up from 10€ to 30€, making it fuss-free for a customer who makes frequent low-value purchases. The cumulative value of 100€ or five consecutive transactions has remained and corresponds with the contactless payment exemption.
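The low-value exemption described above can be expressed as a small decision function. This is an added example, not code from the RTS, the EBA or any bank: it assumes the issuer enforces the 30€ per-payment limit together with both the 100€ cumulative limit and the five-consecutive-payments limit, and resets the counters when SCA succeeds. All names are hypothetical.

```python
from dataclasses import dataclass

# Thresholds as summarized in this article, in euro cents
# (integers avoid floating-point rounding on money).
LOW_VALUE_LIMIT = 30_00     # ceiling for a single exempted payment
CUMULATIVE_LIMIT = 100_00   # total exempted value since the last SCA
MAX_CONSECUTIVE = 5         # exempted payments in a row since the last SCA


@dataclass
class ExemptionState:
    """Per-payer counters (hypothetical structure), reset on successful SCA."""
    exempt_total: int = 0
    exempt_count: int = 0


def requires_sca(state: ExemptionState, amount_cents: int) -> bool:
    """True when this payment may not use the low-value exemption."""
    if amount_cents <= 0:
        raise ValueError("amount must be a positive number of cents")
    if amount_cents > LOW_VALUE_LIMIT:
        return True
    if state.exempt_total + amount_cents > CUMULATIVE_LIMIT:
        return True
    # Assumption: the sixth exempted payment in a row triggers SCA.
    return state.exempt_count + 1 > MAX_CONSECUTIVE


def process_payment(state: ExemptionState, amount_cents: int) -> str:
    """Decide 'SCA' or 'EXEMPT' and update the counters.

    Assumes SCA succeeds whenever it is demanded; a failed SCA would
    decline the payment and leave the counters untouched.
    """
    if requires_sca(state, amount_cents):
        state.exempt_total = 0
        state.exempt_count = 0
        return "SCA"
    state.exempt_total += amount_cents
    state.exempt_count += 1
    return "EXEMPT"


def run(amounts):
    """Replay a constructed sequence of payment amounts for one payer."""
    state = ExemptionState()
    return [process_payment(state, amount) for amount in amounts]
```

The counters must be kept server-side per payer and payment instrument; if they were supplied by the client or the TPP, the limits could be bypassed by resetting them.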
PSD2 RTS is a crucial part of creating additional value within the financial sector and increasing the levels of standardization together with development opportunities.