Year-end deadline is set for new online payments security measures

A new deadline to comply by the end of the year has been set.

Version one of the Payment Service Directive established common rules in relation to certain types of electronic payments, such as credit transfers, direct debits, card payments, and mobile and online payments.

Version two, the so-called PSD2, became law in Ireland almost two years ago with the signing by the Finance Minister Paschal O’Dohonoe of the EU Payment Services Regulations law.

This the EU’s attempt to move the banking world forward by making it possible for the EU market in payment services to be opened up to new types of payment services providers that offer a range of new payment services to businesses and consumers.

Effectively, the new directive requires banks to provide third-party providers with access to their customers’ information, through open application system interfaces.

In the process, it will enable these new service providers to compete with banks and other more traditional payment services providers by offering new, regulated payment products and services such as account information aggregation and payment initiation.

Application programming interfaces provide the means for banking and payments to become more open in a regulated way by allowing different systems to talk to each other, but with added security for consumers and businesses.

They are fundamental to the success of companies like Amazon, Google, Uber, and Stripe. But to date payments to these platforms have been unregulated across the EU.

Brexit has created many problems for the Bank of England in implementing any new EU regulations and prompted the bank to also negotiate a delayed implementation of the version two of the Payment Service Directive with the EBA.

In the case of the UK, an 18-month deferral was agreed, with the Bank of England making it clear that it intends to implement the new directive, despite the plan to pull out of the EU by the end of 2020.

As much of the online purchases by Irish consumers and businesses are from UK e-commerce sites, differing credit card security standards in Ireland and the UK could create havoc in the online sales business.

Recent surveys show that besides Ireland and the UK, over 40% of EU banks missed the original deadline.

However, the banks say they are very anxious to introduce the new security arrangements of the directive because three-quarters of all fraud is committed through online payments, but that the e-commerce merchants and consumers must be educated to use the new standards.

There is evidence that many e-commerce sites would not have been able to continue operating with the added security requirements if the main banks had pushed forward immediately.

Some leading online businesses had prepared for the impact of the new directive, but these are more likely to be larger companies with dedicated teams and resources.

A recent survey from Mastercard found that 75% of online merchants in Europe were unaware of the new standards due for implementation last September.

Visa and Mastercard have been actively introducing new security standards to bring users into line with the directive, as they have seen the fraud rate for digital payments soar compared with in-store transactions in Europe.

In parallel, the banks have been working with cardholders offering them improved authentication methods including biometric authentication.

Bank of Ireland have introduced KeyCode as a secure mobile authentication app, used to generate a one-time security password to allow direct access to online services.

Besides such dynamic passwords, consumers can expect to be asked to provide biometrics, including fingerprint, eye, face and voice recognition in the drive to meet the triple security requirements of the payment directive, if they wish to continue to enjoy their online buying experience.

John Whelan is managing partner at The Linkage-Partnership