On 24 July 2013, the European Commission adopted a package of legislative measures on payments in the European Union. This proposal (PSD2) is essentially a revision of the original Payment Services Directive (PSD) 2007/64/EC, intended to let the payment framework better meet the needs of an effective European market by contributing fully to competition, innovation and the security of the parties involved, in particular consumers. The current PSD, implemented in Member States since November 2009, provides the legal basis for creating a single payment market across the entire EU. The aim of the PSD is to make cross-border payments as easy, efficient and safe as domestic payments made within a Member State.
However, several years later, some of the PSD's provisions need to be updated to take into account, among other things, the new types of Internet payment services that have arisen in Member States, such as those offered in e-commerce. Incorporating these new services into the PSD will foster transparency, innovation and the highest level of security in the single market and will create a level playing field for the different types of payment service providers, giving new players an equal opportunity. Additionally, some payment methods used in Member States, such as services for paying via mobile phones and other IT devices, are regulated differently in each state, which creates legal uncertainty with regard to the protection of the parties involved, in particular consumers.
The result of the review and update of the PSD is the proposal for the new Directive, PSD2, which aims to facilitate an integrated, efficient and secure market adapted to the newest payment services and agents. In particular, the technical regulation for authenticating consumers is delegated to the European Banking Authority in close cooperation with the European Central Bank and other consultative entities such as ENISA. Furthermore, these recommendations are fully aligned with the new eIDAS regulation on “electronic identification and trusted services for electronic transactions in the internal market”, in a clear endeavor to align efforts in the construction and regulation of technical infrastructures.
PSD2 requires, in general, strong multifactor authentication and frees the consumer from liability if they were not authenticated with an adequate level of assurance. In particular, except in cases of fraud or gross negligence, the consumer will not be required to pay more than €50 for unauthorized transactions charged to their account. Therefore, payment service providers must use authentication methods that guarantee that the transaction was strongly authenticated and accurately logged and recorded. For this purpose, Safelayer’s Mobile ID solution can be used as a mechanism for confirming the transaction, as it is an advanced electronic signature mechanism, well suited and very user-friendly, that can also be used as a recognized signature and even scaled up to a qualified signature.
Furthermore, the TrustedX Authentication Platform provides a versatile range of authentication methods, classified by level of assurance, which can be combined in authentication flows that adapt to the client's behavior profile, the customer segment and the security risk of the transaction in question.
Lastly, PSD2 regulates third-party payment service providers that act as intermediaries between consumers and the banks that hold the consumers' accounts. PSD2 requires these banks to give third-party payment service providers access to user accounts, although the banks must never disclose the consumer's secret information, such as authentication credentials, and must always obtain the user's consent before providing information that can be considered personal or private. This can be achieved with authorization models such as OAuth 2.0 and identity federation via OpenID Connect or SAML 2.0, all standards supported by the TrustedX Authentication Platform and the TrustedX eIDAS Platform, which keep credentials isolated between providers and guarantee the security and privacy of consumers.
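As an added illustration of the credential-isolating OAuth 2.0 model the paragraph refers to (example code, not Safelayer's or TrustedX's own; the bank, user, scopes and account values are constructed): the user authenticates and consents directly with the bank, and the third-party provider only ever holds a one-time code and a scoped, expiring access token.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo of the OAuth 2.0 authorization-code pattern. The bank plays
# authorization server and resource server; the third-party provider (TPP) is the
# client. All names, scopes and account data are illustrative, not real APIs.
class Bank:
    def __init__(self):
        # The password hash stays inside the bank; the TPP never handles it.
        self._users = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}
        self._accounts = {"alice": {"iban": "DEMO-IBAN-0001", "balance": 1200}}
        self._codes = {}   # one-time code -> (user, client_id, scope)
        self._tokens = {}  # access token -> (user, client_id, scope, expiry)

    def authorize(self, user, password, client_id, scope, consent):
        """Authorization endpoint: user authenticates with the bank and consents to a scope."""
        stored = self._users.get(user, "")
        given = hashlib.sha256(password.encode()).hexdigest()
        if not (hmac.compare_digest(stored, given) and consent):
            return None
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, client_id, frozenset(scope))
        return code

    def token(self, code, client_id):
        """Token endpoint: redeems a code exactly once for a scoped, expiring token."""
        entry = self._codes.pop(code, None)
        if entry is None or entry[1] != client_id:
            return None
        user, _, scope = entry
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = (user, client_id, scope, time.time() + 300)
        return tok

    def _check(self, tok, needed):
        entry = self._tokens.get(tok)
        return entry if entry and time.time() < entry[3] and needed in entry[2] else None

    def account_info(self, tok):
        """Resource endpoint guarded by the 'accounts:read' scope."""
        entry = self._check(tok, "accounts:read")
        return dict(self._accounts[entry[0]]) if entry else None

    def initiate_payment(self, tok):
        """Resource endpoint guarded by the separate 'payments:initiate' scope."""
        entry = self._check(tok, "payments:initiate")
        return "accepted" if entry else "forbidden"
```

A token consented for account information alone cannot initiate a payment, a code cannot be redeemed twice or by a different client, and the user's password never passes through the TPP.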