The directive came into force in January 2016, but EU member states have until January 2018 to bring it into national law. From then on, those wishing to supply payment services will have to comply with the legislation if they want to run payments within the EU – as well as in and out of it.
Besides establishing a new, common set of standards for payments, PSD2 forces payment services to implement ‘strong customer authentication’. It also widens the regulatory net to include services that have access to an individual’s bank account but are not the account service provider.
The changes are being made to reflect developments in payment technology and to lessen existing security, data, and fraud concerns.
For those covered by the legislation, that really means two major challenges: working out the way they intend to meet the new requirement by 2018, then implementing that change.
While firms are obliged to meet the requirements of the directive to stay in business, the manner in which they do that is up to them. For banks – and others – that could mean ushering in a new generation of payment and authentication practice, such as fingerprint or facial recognition, as well as a new generation of security tokens and/or phrases.
It could also mean varying levels of authentication for the customer – dependent on the transaction – and figuring out how to allow customers to transact on-the-go from a number of different devices.
The big question for payment service providers is whether they are yet equipped to make those changes.