PSD2: Stronger Authentication System in digital payments

On September 14, 2019, Commission Delegated Regulation (EU) 2018/389 will enter into force, supplementing the Directive (EU) of the European Parliament and of the Council, also known by its acronym PSD2, as regards regulatory technical standards for strong customer authentication and common and secure open communication standards. This complies with the mandate given by the Directive and included in our Royal Decree 19/2018, of November 23, on payment services and other urgent measures in financial matters, through which the former is transposed, to implement a reinforced authentication system in payment transactions where there is a risk of fraud. The ultimate aim is to build and consolidate a single, efficient internal market within the European Union in which there is genuine freedom of movement of goods, services, workers and capital, and in which consumers and users enjoy a high standard of protection.

From this date, when electronic payments are to be made (those where a bank account or credit card is not used), the payment service provider must generate an authentication code based on one of the following three elements: knowledge (something that only the user knows), possession (something that the user has) and inherence (something that only the user is, such as the user's biometric data). This protocol, known in the jargon as "3D Secure", will be used by the payment services user to identify himself as such and verify the transaction. Furthermore, the authentication code must allow only a limited number of failed attempts and will have a limited duration not exceeding a maximum of five minutes.

On the other hand, in remote electronic payment transactions (those initiated through the Internet or a device that can be used for remote communication), enhanced authentication security will be increased by linking the payment transaction to a certain amount and user that must be known both by the user and by the beneficiary of the transaction. However, these requirements will not apply to every payment transaction: a catalog of exemptions will be included in which, either because of their purpose or at the initiative of the payment user, enhanced authentication will not be required. Thus, by way of example, contactless payments at the point of sale for amounts not exceeding fifty euros are exempt, provided that the total amount of transactions for which enhanced authentication has not been required does not exceed one hundred and fifty euros and the number of five transactions is not exceeded. It is precisely this amount that a payer has to bear as a loss in the event of payment fraud committed by theft, robbery or card fraud.

In short, although the set of measures consisting of the reinforced authentication must be applied by the payment service providers, the fact is that as from September 14 any company operating through the Internet must implement this system in their payments, either directly or through a payment service provider; otherwise the payment will be subject to rejection by the payment service provider or by the payer himself.

Hortensio Santos (T&L Lawyer)
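
The authentication-code constraints described in the article (a lifetime of at most five minutes, a cap on failed attempts, and a code linked to the transaction amount and its beneficiary) can be sketched as follows. This is an added example, not code from the article or the Regulation. The class name, the HMAC construction, the eight-digit code and the limit of three failed attempts are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_LIFETIME_S = 300      # five-minute ceiling stated in the article
MAX_FAILED_ATTEMPTS = 3   # assumption: the article only says "a certain number"


class AuthCodeChallenge:
    """Single-use code bound to one amount and one beneficiary (constructed example)."""

    def __init__(self, key, amount_cents, beneficiary, now=None):
        self._key = key
        self._nonce = secrets.token_bytes(16)   # makes every issued code unique
        self._issued = time.time() if now is None else now
        self._failed = 0
        self._used = False
        self.code = self._derive(amount_cents, beneficiary)

    def _derive(self, amount_cents, beneficiary):
        payee = beneficiary.encode("utf-8")
        # Fixed-width amount and length-prefixed payee keep field boundaries unambiguous.
        msg = (self._nonce + amount_cents.to_bytes(8, "big")
               + len(payee).to_bytes(2, "big") + payee)
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return "%08d" % (int.from_bytes(digest[:8], "big") % 10**8)

    def verify(self, code, amount_cents, beneficiary, now=None):
        """Return 'ok', 'rejected', 'expired' or 'locked'."""
        now = time.time() if now is None else now
        if self._used or self._failed >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if now - self._issued > MAX_LIFETIME_S:
            return "expired"
        # Recompute from the amount and beneficiary actually being executed,
        # so a code issued for one payment does not authorise another.
        expected = self._derive(amount_cents, beneficiary)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            self._failed += 1
            return "rejected"
        self._used = True
        return "ok"


if __name__ == "__main__":
    c = AuthCodeChallenge(secrets.token_bytes(32), 4999, "Shop ES")  # constructed values
    print(c.verify(c.code, 4999, "Shop ES"))
```

Checking the lock before the expiry, and counting a mismatch on amount or beneficiary as a failed attempt, means a code cannot be probed against altered transaction details without consuming the attempt budget.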