On August 12, 2016, the EBA published a consultation paper on draft RTS specifying the requirements of strong customer authentication and secure communication under the revised Payment Services Directive (known as PSD2). PSD2, which will apply from January 13, 2018, requires payment service providers to apply strong customer authentication measures where the payer: (i) accesses its payment account online; (ii) initiates an electronic payment transaction; and (iii) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

The proposed draft RTS supplement this requirement by outlining a framework for the protection of consumers and payment service providers. The proposed draft RTS outline requirements for: (i) strong customer authentication and exemptions from those requirements; (ii) security measures to protect the confidentiality and the integrity of the payment service users’ personalized security credentials; and (iii) common and secure open standards of communication between account servicing payment service providers, Payment Initiation Services providers, Account Information Services providers, payers, payees and other payment service providers, including imposing an obligation on payment service providers to ensure that data on personalized security credentials are masked when displayed and are not readable in their full text during all phases of the authentication procedure. Responses to the consultation are due by October 12, 2016.

The consultation paper is available at:

www.eba.europa.eu/documents/10180/1548183/Consultation+Paper+on+draft+RTS+on+SCA+and+CSC+%28EBA-CP-2016- 11%29.pdf.