A Commission Delegated Regulation has been published in the Official Journal of the European Union. The Delegated Regulation supplements the revised Payment Services Directive with Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication.

PSD2 requires that strong customer authentication is used for accessing a payment account online, initiating a payment transaction and carrying out a transaction through a remote channel. “Strong customer authentication” means an authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.

The RTS set out the requirements on Payment Service Providers to apply the strong customer authentication procedure under PSD2 and also provide detail on the exemptions from the requirements. The RTS also contain provisions to protect the confidentiality and integrity of the personalized security credentials of Payment Services Users, including requirements for masking and encryption of personalized security credentials and secure delivery of credentials, authentication devices and software to the PSU. Finally, the RTS establish common and secure open standards for communications between account servicing PSPs, Payment Initiation Service Providers, Account Information Service Providers, payers, payees and other PSPs in relation to the provision and use of payment services under PSD2.

The Delegated Regulation enters into force on March 14, 2018 and will apply directly across the EU partly from March 14, 2019 and mainly from September 14, 2019.

View the Commission Delegated Regulation ((EU) No 2018/389).