The European Union’s Revised Directive on Payment Services (known as PSD2) came into effect in early 2018, but market stakeholders are more familiar with its hard deadline of 14 September, by which the Regulatory Technical Standards (RTS), which define the technical specifications for strong customer authentication (SCA) and secure open standards of communication, should be in place.
After this date, all payment service providers (PSPs) operating in the EU market must apply strong customer authentication (SCA) every time a user wants to connect to his/her online payment accounts or initiate an electronic payment transaction. In addition, PSPs must securely allow third-party providers access to the accounts of those who initiate payments.
Earlier this year, more and more concerns were raised about how prepared the sector was to comply with the new regulatory requirements. Facing increasing pressure, the European Banking Authority (EBA) published an opinion on 21 June 2019, acknowledging the complexity of the changes required and allowing, “on an exceptional basis”, national competent authorities (NCAs) to “work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time.”
In Luxembourg, for some of those still working towards meeting the mandatory SCA standards, the official statement released on 30 August by the NCA, the CSSF (Commission de Surveillance du Secteur Financier), came as a relief. Reflecting the opinion of the EBA, the CSSF grants the e-commerce sector more time to complete the SCA implementation past the 14 September deadline.
This added flexibility does not come without conditions:
- This exemption applies only to the category of e-commerce card payment transactions, i.e. online payments performed with a credit/debit card. Other types of online transactions (between bank accounts, for example) are not exempted.
- Those who want to take advantage of this delay need to inform the CSSF and provide a detailed migration plan, which should include “among other things, the entity’s planned communication initiatives to inform and involve its merchants and/or users (consumers and businesses) in the migration to SCA” (CSSF’s official press release).
While this extension is a breath of fresh air, e-commerce businesses and providers should be careful not to lose momentum and should continue their efforts to achieve RTS compliance as soon as possible. After all, the legal deadline for complying with PSD2 remains 14 September, and the extension period (albeit not yet precisely defined) will have its limits. In the meantime, the countdown is still on…
LuxTrust can help you become compliant with PSD2. We are a qualified trust service provider (QTSP) in the EU Trusted List and eligible for issuing the mandatory Qualified Electronic Seals and Qualified Certificates for Website Authentication (QWAC) required by PSD2’s RTS. Find out more about our PSD2 solutions here.
*Disclaimer: The above represents LuxTrust’s understanding of the relevant regulation and should not be taken, relied on or interpreted as a legal opinion. Customers are encouraged to seek independent legal advice before acting on this information.