Extended PSD2 deadline: what does it mean for payment service providers?

Deadline_featured image

Deadline_head image

To give payment service providers more time to meet new guidelines and to avoid disrupting the marketplace, the FCA has announced that they will extend the PSD2 September 14th deadline by an additional eighteen months.

In this article, we’ll break down exactly what this extension means for payment service providers, and we’ll also offer a solution to the need for PSD2 compliance.

The original deadline for the latest PSD2 changes was September 14th, 2019.

Before the extension, payment service providers would have been required to implement Strong Customer Authenticationby this date, or face consequences for non-compliance. Strong Customer Authentication (SCA) refers to the requirement of two forms of customer identification before authorising a customer’s purchase.

SCA, at least for now, is only required for online transactions initiated by the consumer. This includes most online shopping transactions. Merchant initiated transactions, like recurring subscriptions, would notrequire SCA.

In short, this would help prevent cases of online fraud significantly and improve consumer security online.

SCA requires two of the following types of authentication:

  • Something a consumer has:This can be an email or phone number.

SCA component 1: Something the customer owns/has.

  • Something a consumer knows:This can be a PIN or a password.

SCA requirement 2: Something only the customer knows.

  • Something a consumer is:This refers to biometrics, like fingerprint and facial recognition.

SCA requirement 3: Something that identifies the customer through biometric data.

The majority of SCA consists of the first two components, since biometrics require specialist hardware.

Why the PSD2 deadline was extended?

Like most of the PSD2 regulations that have been rolling out since January 2018, the September 14th deadline was overly ambitious. Implementing reliable, easy to use, and secure SCA, within the allotted timeline, was beyond the abilities of many payment service providers, especially smaller ones.

Not all payment service providers have the resources available to implement the technology necessary for SCA in such a short timeframe. In addition, SCA will be a big change for consumers too; one that would be difficult to ease them into, particularly against such a fast-approaching deadline.

Recognising this, regulators decided to extend the September 14th deadline. The goal of SCA is to strengthen the security of online transactions, notto disrupt the marketplace by locking payment service providers (and their customers) out of processing online transactions.

As such, the new deadline extension will allow payment service providers more time to deploy SCA, whilst also giving consumers time to adjust to the new changes and ID requirements.

What does this mean for payment service providers?

The extension means thatpayment service providers now have until March 2021 to be PSD2-compliant, which gives them a substantially increased timeframe to meet new guidelines.

The deadline extension should however be seen as more of a ‘grace period’, as payment service providers are still expected to be working towards SCA compliance by September 14th. The extension is to simply allow for more time to continueworking on PSD2-compliance, notto postpone startingthe process.

Essentially, the key difference now is that payment service providers will not be punished for failing to reach SCA compliance by September, so long as they are able to demonstrate that they are alreadyinvesting into meeting the relevant guidelines.

In turn, this gives them an additional eighteen months to implement a secure and reliable form of SCA for their customers, rather than rushing to have anyform of SCA in place as a means of avoiding consequences.

As a result, this extension will benefit both payment service providers and customers alike, providing that the service providers are actively on the path to eventual compliance.

Using the extended deadline to prepare for PSD2

Before the deadline extension, many payment service providers were faced with having to implement SCA in anyform… rather than implementing it as effectively as possible.

Why? Because without SCA, payment service providers would risk losing customers for failing to meet the PSD2 deadline, making anySCA solution favourable to none.  

Now that the deadline has been extended however, payment service providers can take advantage of this period to implement the right form of SCA for both themselves and their customers.

For example, there is now more time for payment service providers to create a secure system, more time for customers to prepare for upcoming changes, and more time to make any of the adjustments needed for SCA compliance.

Know the risks of PSD2

Whilst PSD2 intends to increase both the security and convenience of the industry, many of the required adjustments are inherent risks for how they change the existing system.

For example, one of the most concerning risks associated to PSD2 is that it requires ‘open banking’, which means that banks must make their information accessible to authorised third-party services.

This potentially leaves payment service providers susceptible to unauthorisedparties potentially gaining access to sensitive and confidential information.

Additionally, there is also the risk of SCA itself.

Namely, one of the most common forms of SCA are one-time passwords (OTPs). OTPs are short codes sent to a person's email or mobile phone, after a customer has entered a password or PIN.

This conforms to the ‘something a person has’ security requirement, as the customer would need access to their phone or email to gain access to their account.

The issue with OTPs however, is that anyone who intercepts an OTP can abuse SCA, and it's much easier to do that than you might think.

One of the most common (and increasingly popular) forms of OTP fraud is SIM swapping, where a person's phone number is ported to the hacker's phone, giving them access to the victim's OTPs.

Conclusion

The deadline extension is great news for payment service providers all across the EU, as it offers an increased timeframe to provide customers with a stable, secure and safe form of SCA.

PSD2 White Paper

To learn more about PSD2 and transaction safety, check out our PSD2 page. Or download it as an eBook.

And if you're looking to fast-track your way to SCA compliance, whilst still maintaining security during the PSD2 changes: consider partnering with a trusted security partner like us here at JT.

With endless experience in the industry, JT can provide you with a security solution that is right for you. Click here to learn more about exactly how we can help you.