On September 14, 2019, regulatory technical standards on strong customer authentication take legal effect across the EU. The standards are secondary legislation accompanying the revised Payment Services Directive (PSD2) that, for much of the industry, mark the most important part of the reforms.
Once in effect, the standards will require two-factor authentication on every online card transaction unless an exemption can be used, as part of the EU’s strategy to cut payment fraud. Although several exemptions are available — some relate to the transaction value, the risk involved, the provider’s fraud rates, whether the payer has listed the recipient as a trusted beneficiary and so on — authorities have emphasised that strong authentication should become the norm.
However, there are widespread concerns among acquirers, issuers and retailers about the impact of the reforms. Industry groups have argued that a drip-feed of information and clarification from European authorities over recent months has effectively meant payment providers — and their suppliers — are not yet ready to comply with the standards in a customer-friendly way. They argue that the added friction caused by relatively clunky two-factor authentication checks could cause transaction abandonment to soar, stifling Europe’s e-commerce sector.
After intense lobbying, the European Banking Authority (EBA) issued an opinion in late June acknowledging those concerns.
Although it said moving the September deadline would not be possible, it decided to let member state regulators agree not to enforce the standards immediately if issuers and acquirers present a “migration plan” setting out their route to compliance.
The EBA has not yet set out how long this transition period could last, although discussions are taking place with national authorities and industry representatives. Influential payment providers and retailers have emphasised the need for a harmonised approach, but some national regulators are already pressing ahead with their own interpretations of the EBA opinion.
PaymentsCompliance is tracking every member state’s response, as well as developments at EU level.