4/10/19
PSD2: Reinforced Authentication System in digital payments
On September 14, 2019, Commission Delegated Regulation (EU) 2018/389 comes into force. It supplements the Directive (EU) of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication, the framework known by its English acronym, PSD2. It thereby fulfils the mandate set out in the Directive and in our Royal Decree 19/2018, of November 23, on payment services and other urgent financial measures, which transposes it: to implement a reinforced (strong) authentication system for payment transactions that carry a risk of fraud, particularly remote electronic payments. The ultimate objective is to build and consolidate a single, efficient internal market within the European Union, with genuine freedom of movement of goods, services, workers and capital and a high standard of protection for consumers and users.

From that date, when electronic payments are made (those in which a bank account or credit card is not used), the payment service provider must generate an authentication code based on one of the following three elements: knowledge (something only the user knows), possession (something the user has) and inherence (something the user is, such as the user's biometric data). This protocol, known in the jargon as "3D Secure", is what the payment service user will use to identify themselves as such and to verify the transaction. In addition, the authentication code must be limited to a certain number of failed attempts and must have a limited validity period not exceeding five minutes.
On the other hand, in remote electronic payment transactions (those initiated via the internet or through a device that can be used for distance communication), security is increased within strong authentication by linking the payment transaction to a specific amount and payee, both of which must be known to the payer and to the beneficiary of the transaction. These requirements will not apply to every payment transaction, since the Regulation sets out a catalogue of exemptions under which, either because of the purpose of the transaction or at the initiative of the payment user, strong authentication is not required. By way of example, contactless payments at the point of sale whose amount does not exceed fifty euros are exempt, provided that the cumulative amount of transactions for which strong authentication has not been required does not exceed one hundred and fifty euros or the number of such consecutive transactions does not exceed five. It is precisely this amount that a payer has to bear as a loss in the event of fraud in payments resulting from theft or card fraud.

In short, although the set of measures that make up strong authentication must be applied by payment service providers, the truth is that from September 14 any company operating on the Internet must implement this system in its payments, either directly or through a payment service provider; otherwise it will be exposed to the payment being rejected by the payment service provider or by the payer himself.
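As an added illustration, not part of the article, the following Python sketch models the provider-side constraints described in the two paragraphs above: an authentication code dynamically linked to amount and payee, a validity of at most five minutes, a limit on failed attempts, and the point-of-sale exemption thresholds. The HMAC construction, the six-digit code format, the three-attempt limit and all sample values are assumptions of this example rather than requirements stated in the text.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL_SECONDS = 5 * 60         # an issued code must not stay valid beyond five minutes
MAX_FAILED_ATTEMPTS = 3           # constructed value; the text only requires a finite limit
CONTACTLESS_SINGLE_LIMIT = 50_00  # thresholds in euro cents, as stated in the article
CONTACTLESS_CUMULATIVE_LIMIT = 150_00
CONTACTLESS_MAX_COUNT = 5

@dataclass
class PendingAuth:
    nonce: bytes          # the only per-code material the provider must keep
    issued_at: float
    failed: int = 0
    used: bool = False    # a code is consumed by its first successful verification

class ScaService:
    def __init__(self, server_key: bytes):
        self._key = server_key

    def _code(self, payee: str, amount_cents: int, nonce: bytes) -> str:
        # Dynamic linking: the six-digit code is an HMAC over payee, amount and a fresh nonce.
        msg = f"{payee}|{amount_cents}|".encode() + nonce
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"

    def issue(self, payee: str, amount_cents: int, now: float) -> tuple[PendingAuth, str]:
        auth = PendingAuth(secrets.token_bytes(16), now)
        return auth, self._code(payee, amount_cents, auth.nonce)  # the code goes to the payer

    def verify(self, auth: PendingAuth, payee: str, amount_cents: int, submitted: str, now: float) -> str:
        if auth.used or auth.failed >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if now - auth.issued_at > CODE_TTL_SECONDS:
            return "expired"
        # Recompute from the transaction as finally presented: a changed amount or payee fails.
        expected = self._code(payee, amount_cents, auth.nonce)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            auth.used = True
            return "ok"
        auth.failed += 1
        return "locked" if auth.failed >= MAX_FAILED_ATTEMPTS else "mismatch"

def contactless_exempt(amount_cents: int, prior_exempt_total: int, prior_exempt_count: int) -> bool:
    # Thresholds from the article: <=50 EUR each; cumulative <=150 EUR or fewer than five in a row.
    return (amount_cents <= CONTACTLESS_SINGLE_LIMIT
            and (prior_exempt_total + amount_cents <= CONTACTLESS_CUMULATIVE_LIMIT
                 or prior_exempt_count < CONTACTLESS_MAX_COUNT))
```

Once either the cumulative amount or the consecutive-count limit is exceeded, `contactless_exempt` returns False and the provider must fall back to a full authentication before resetting its counters.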

Hortensio Santos (T&L Attorney)
