Under the revised Payment Services Directive (2015/2366) (PSD2), the European Banking Authority (EBA) and the European Commission were required to develop and adopt regulatory technical standards on strong customer authentication and common and secure open standards of communication. These regulatory technical standards were passed into EU law as Commission Delegated Regulation (EU) 2018/389 (the RTS), which entered into effect on September 14, 2019.
The RTS has direct effect on payment service providers (PSPs), including card issuers and acquirers, in all EU member states. However, certain EU member states, including the UK, have implemented transitional measures for a phased implementation of the rules in the context of card-based payments for e-commerce transactions.
This post discusses the requirements under the RTS for card issuers and acquirers to authenticate payment service users (PSUs), which is referred to as “strong customer authentication” (SCA).