PSD2 Services - WHAT is it?
In 2007 the EC adopted the original Payment Services Directive (‘Directive 2007/64/EC’ or ‘PSD’) to regulate payment services and payment service providers. Its aim was to increase market competition and encourage new players to enter the payment industry throughout the EU and EEA, enabling faster payments whilst protecting end consumers and increasing their rights with regard to transaction refunds and information transparency.
PSD2 is a revised directive which was adopted in October 2015 and came into force on January 13th 2018. It prescribes new rules to promote the adoption of new payment technologies, especially for online and mobile payments, to better protect end consumers, and to enable third-party providers to manage the finances of bank customers, both consumers and businesses, by using open APIs which banks are mandated to provide as a means of access to their customers’ accounts.
PSD2 also introduced a set of technical standards on strong customer authentication and common and secure communication under Directive 2015/2366 (PSD2), known as the Regulatory Technical Standards (RTS). These standards set technical requirements for the application of strong customer authentication and its exemptions, for the confidentiality and integrity of customers’ personalized security credentials, and for common open standards of communication (APIs).
WHEN do I need it?
PSD2 came into force on January 13th 2018, which means involved parties are mandated to enable the “access to accounts” services, except for the security measures outlined in the RTS, which are now in a “transitional” period. Payment service providers and other market players need this transition period to upgrade their payment security systems so that they meet the RTS requirements, which will become applicable 18 months after the date of entry into force of the RTS, i.e. once the RTS, subject to the agreement of the Council and the European Parliament, is published in the Official Journal of the EU, scheduled for September 2019.
This means that the PSD2 provisions on strong customer authentication (SCA) and on secure communication, which are directly specified in the RTS, will not apply immediately, i.e. the application of security measures in Articles 65, 67 and 97 of PSD2 is postponed until the RTS becomes applicable. However, those parts of Articles 65, 67 and 97 that are not dependent on the RTS will apply as of 13 January 2018.
The final version of the RTS was published on November 27th, 2017, thus leaving payment service providers enough time to develop a compliance strategy and implement effective security solutions for electronic remote payment transactions.