PSD2 Authentication Deadline Needs to Be Firmed Up - NowEuropean Banking Authority Should Act Quickly to Adopt Uniform Timeline for All EU Nations
Most European nations have delayed enforcement of the "strong customer authentication" requirements for online transactions under the European Union's PSD2 regulation, creating uncertainty about the deadline for compliance. (See: PSD2 Authentication Requirements: Implementation Hurdles)
About 20 countries have either acknowledged or announced that a temporary extension is necessary, although they have not fully defined the length of the delays. The moves came after many organizations regulated under PSD2 said they needed more time to move to multifactor authentication.
"While the EBA figures out a new enforcement game plan, organizations involved in online payments need to get their act together, working with their clients and regulators to ensure that they are moving in the right direction to achieve the required strong customer authentication."
A spokesperson for the European Banking Authority, which oversees PSD2, tells me that it's working with banks, payment service providers and trade and consumer associations across the EU to get updates on compliance readiness. Based on those responses, it will announce revised plans for enforcement in all 28 EU nations, which had been scheduled to begin on Sept 14.
The EBA needs to act quickly in setting a new enforcement deadline to make sure all the players involved, including banks, payment processors, fintech companies and merchants, take compliance seriously, which will help ensure the security of online payments.
Countries Affected with SCA Delay
Netherlands-based Adyen Research, a global payment company, says that just 22 percent of retailers in UK were ready to comply with the new PSD2 authentication requirements by the original Sept. 14 deadline.
"The intention for the delayed implementation was to simplify the equation for businesses, but the reality is far from simple for anyone selling across borders," says Myles Dawson, Adyen's U.K. managing director. That's because it's not yet clear what each nation's compliance timelines are, especially since only 20 of the 28 EU nations have indicated a delay.
Time to Get Ready
While the EBA figures out a new enforcement game plan, organizations involved in online payments need to get their act together, working with their clients and regulators to ensure that they are moving in the right direction to achieve the required strong customer authentication.
Andrew Cregan, payments policy adviser at the British Retail Consortium, says, that an18-month delay in enforcement, now under consideration, would give retailers and banks time to put in place the necessary technical fixes required and minimize any disruption in online transactions, reports Internetretailing.net.
William Hugh Murray, a U.S. security consultant, argues that there's no reason for the various players to further delay moving to stronger authentication for online payments.
"The ubiquitous mobile has made it [strong authentication] relatively easy and inexpensive, and as is often the case, inertia and convenience trump security," he tells me. "If anything, PSD2 is late, not early."
Andrew Hewitt, director of payment and data solutions at FIS, a global financial technology outsourcing firm, tells Euromoney: "Allowing each national authority to do their own thing when cross-border transactions are so commonplace is not ideal, and the EBA could also have issued guidelines earlier."
Further delays in the move to stronger authentication are inadvisable because consumers deserve an enhanced and secure online purchasing experience, argues Jason Tooley, chief revenue Officer at Veridium, a multifactor authentication solutions provider.
Clearly, it's urgent that EBA adopt a uniform enforcement deadline throughout Europe as soon as possible to make sure compliance isn't too complex and online payment security is enhanced -sooner rather than later.