The revised Payment Services Directive (PSD2) provides that the European Banking Authority (EBA) will develop Regulatory Technical Standards (RTS) on strong customer authentication (SCA) and secure and common communication (Article 98 of PSD2). Because of the large number of comments received during the consultation on these RTS, the EBA has not yet published its final proposal, and the market is still waiting for definitive guidance.
One of the major questions the payments industry is dealing with is in which cases an exemption from strong customer authentication may be granted, and which party is allowed to decide whether an exemption applies: the Account Servicing Payment Service Provider (AS PSP), or the payee and its service provider. Some merchants and acquirers are arguing to the EBA that the SCA RTS should adopt a results-oriented, technology-neutral, risk-based approach rather than require strong customer authentication in every case, on the grounds that SCA contradicts a good user experience and would hold back the growth of e-commerce in the digital single market.
Even if this may have been true in the past, today's technologies make it possible to combine a good user experience with a high level of security. A better strategy may therefore be to accept that strong customer authentication is coming, and that it is the only feasible way to secure payments in a complex ecosystem in which many different parties take part in processing a transaction.
The most advanced and user-friendly solution for strong customer authentication would be an authentication procedure bound to a natural person rather than to an account, so that it could be used for all payment services across the accounts that person holds at different AS PSPs. The AS PSP would then rely on an authentication procedure provided by a third party, for example a trust service provider operating under the European eIDAS regulation.
Accepting server-based (qualified) electronic signatures for strong customer authentication would have the following advantages:
- The man-in-the-middle problem is addressed by design: the signature covers the transaction data itself (payee, amount, reference), so a party that alters the order in transit invalidates the signature, and any relying party can detect this with the signer's certificate alone. The remaining condition is that what the payer sees before signing is exactly what the signing service signs.
- Dispute resolution becomes more predictable for all parties: under eIDAS a qualified electronic signature has the legal effect of a handwritten signature throughout the EU, whereas the evidential value of an authentication performed under a bilateral agreement depends on that agreement.
- The market-entry threshold for service providers offering e-mandate services is lowered, because they no longer depend on the goodwill of each AS PSP or on the reciprocal four-corner business models that banking tradition is built on.
More and more market solutions link a user-friendly bilateral authentication procedure to the generation of server-based signatures that third parties can verify. Since AS PSPs have to migrate to new authentication procedures anyway, they should evaluate whether accepting eIDAS-compliant (qualified) electronic signatures for the authorisation of e-mandates and online credit transfers is the best long-term strategy.
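The two properties the advantages above rest on, that the signature is bound to the transaction data and that it can be checked by a third party holding only the signer's public key, can be shown in a few lines. The following Go program is an added example written for this page; it is not code from the original article or from any eIDAS trust service provider. It uses a bare Ed25519 key where a qualified signature would require a qualified certificate and a qualified signature creation device, and the order format, the IBANs and the `SigningService` API are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentOrder is the transaction data the payer authorises. The field set is an
// assumption for this example; it holds what dynamic linking must bind: payee and amount.
type PaymentOrder struct {
	PayerIBAN string `json:"payer_iban"`
	PayeeIBAN string `json:"payee_iban"`
	Amount    string `json:"amount"` // decimal string, so no float rounding in the signed bytes
	Currency  string `json:"currency"`
	Reference string `json:"reference"`
}

// canonical produces the exact bytes that get signed. Signer and every verifier
// must derive identical bytes from the same order, so the encoding is fixed:
// struct field order, no whitespace, no optional fields.
func canonical(o PaymentOrder) ([]byte, error) {
	return json.Marshal(o)
}

// SigningService stands in for a server-based signing service run by a trust
// service provider: once the payer has authenticated to it, it signs on the
// payer's behalf with a key it holds. A qualified signature would also need a
// qualified certificate; a bare Ed25519 key is used so the example runs offline.
type SigningService struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // would be carried in the signer's certificate
}

// NewSigningService generates a fresh key pair for the (hypothetical) service.
func NewSigningService() (*SigningService, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningService{priv: priv, Pub: pub}, nil
}

// Sign returns the signature over the canonical order bytes; every field of
// the order is therefore bound to the signature.
func (s *SigningService) Sign(o PaymentOrder) ([]byte, error) {
	msg, err := canonical(o)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(s.priv, msg), nil
}

// Verify is what any relying party does (the payee's PSP, the AS PSP, or an
// arbitrator in a dispute): rebuild the canonical bytes from the order it received
// and check the signature with the public key alone. No secret shared with the
// signer is needed, which is what lets the signature be relied on outside a
// bilateral agreement.
func Verify(pub ed25519.PublicKey, o PaymentOrder, sig []byte) bool {
	msg, err := canonical(o)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo signs a constructed order, then lets a man-in-the-middle rewrite the payee
// IBAN before forwarding. It reports whether the genuine and the tampered order verify.
func Demo() (bool, bool, error) {
	svc, err := NewSigningService()
	if err != nil {
		return false, false, err
	}
	order := PaymentOrder{ // constructed sample; the IBANs are made up
		PayerIBAN: "DE00000000000000000001",
		PayeeIBAN: "NL00000000000000000002",
		Amount:    "149.90",
		Currency:  "EUR",
		Reference: "mandate-2017-0042",
	}
	sig, err := svc.Sign(order)
	if err != nil {
		return false, false, err
	}
	// The attacker can change bytes in flight but cannot sign the changed bytes
	// without the signing key, so the original signature no longer matches.
	tampered := order
	tampered.PayeeIBAN = "LT00000000000000000003"
	return Verify(svc.Pub, order, sig), Verify(svc.Pub, tampered, sig), nil
}

func main() {
	genuine, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine order verifies: %v\n", genuine)   // true
	fmt.Printf("tampered order verifies: %v\n", tampered) // false
}
```

The design point worth keeping in mind is `canonical`: the man-in-the-middle protection only holds if the signing service and every verifier serialise the order identically, and if the data shown to the payer before signing is the same data that goes through `canonical`. A signing service that signs whatever bytes the merchant's site hands it, without showing them to the payer, binds the signature to the transaction but not to the payer's intent.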