Because banks, fintech firms, merchants and payments processors in the European Union have struggled to meet the Sept. 14 deadline for compliance with the new PSD2 “strong customer authentication” requirements for electronic payments, it may take a while for European consumers to notice authentication changes.
Back in June, the European Banking Authority, an EU regulatory agency, said that “on an exceptional basis” national regulators may be able to provide limited additional time for implementation. Subsequently, regulators in the U.K. announced in August they were delaying enforcement of the authentication requirements by 18 months – but only for online payments within the U.K.
In a statement, the Financial Conduct Authority, a regulator in the U.K., said: “All parties involved in card-not-present transactions, both FCA regulated and unregulated, should continue to work together over the next 18 months to ensure the smooth and timely implementation of SCA [strong customer authentication] by 14 March 2021 and the third parties should make every effort to move to API access where available as soon as possible during this period.”
The Hurdles to Overcome
Security experts say many banks are not ready to comply with the PSD2 strong customer authentication requirement because they face technical and operational challenges as well as budgetary constraints.
“The bottlenecks for banks to comply with the PSD2 standards are the complexity of requirements owing to the competing environments of the third parties, particularly in the context of potential deployment of APIs, identity and security,” says Gavin Littlejohn, chairman of the Financial Data and Technology Association, a global association for financial services companies.
Michael Lynch, chief strategy and product officer at Deep Labs, an IT services firm, says many European banks and payment service providers lack the necessary technologies to meet the authentication requirements.
“The problem is, it requires a deep understanding of technical and security components to understand and design a solution for the requirements. The banks are not geared up to provide a platform for the transaction risk analysis, leveraging data signals and new technologies such as context-aware machine intelligence.”
Lynch says that banks preparing to comply with the new mandate need to make multiple investments beyond authentication technologies, such as malware detection and secure communication via encryption.
But one of the most significant challenges, security experts say, is putting in place the necessary APIs to enable authentication transactions with merchants, processors and fintech firms.