Ecommerce Europe published today a new White paper on the Delegate Regulation on the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure open standards of Communication (CSC), supplementing the Payments Services Directive (PSD2).
On 13 January 2018, PSD2 entered into application, and on 13 March 2018, the accompanying Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure open standards of Communication (CSC) were published in the Official Journal of the European Union. The RTS on SCA and CSC will come into full effect in September 2019.
The RTS on SCA are instrumental to the application of the PSD2 as they define specific security measures that were only addressed through general principles in PSD2. It is therefore vitally important that remaining questions be answered, and provisions clarified in a harmonized fashion at European level.
The position of Ecommerce Europe has been constant throughout the drafting and adoption process of the RTS on SCA. After the publication of the European Banking Authority’s (EBA) Opinion on the implementation of the RTS earlier this year and considering that some National Competent Authorities (NCAs) are still interpreting the rules, Ecommerce Europe wishes to reiterate its stance. While we fully recognize the need for customer protection in online payments, we continue to advocate for additional clarifications and a balanced interpretation of the RTS on SCA by the relevant NCAs.
Ecommerce Europe believes that a restrictive and uncoordinated interpretation of the RTS on SCA could have harmful effects on online merchants in Europe. It is therefore important that the interpretation of the RTS on SCA balances security concerns with the customer experience.
The impact of the RTS on SCA will also greatly depend on authentication alternatives and innovation as well as cooperation between stakeholders to find common solutions.