Payments: PSD2 authentication delay means pain but long-term gain
The delay in the introduction of strong customer authentication under the second EU Payment Services Directive has not been universally welcomed, but it represents a valuable opportunity to make consumers more security-aware.
The Central Bank of Ireland and the UK's Financial Conduct Authority (FCA) have delayed the implementation of strong customer authentication (SCA) over concerns that banks, payment service providers and merchants were unprepared for the change.
The original deadline for implementing SCA was 14 September 2019, but the Central Bank of Ireland says it will provide additional time to implement the necessary reforms, stating that it has been engaging with the payment industry "to develop a migration plan to implement SCA for ecommerce transactions as soon as possible after this date".
The FCA has also agreed to delay implementation, announcing that firms in the UK will have an additional 18 months to make all the necessary changes and undertake the required testing.
The second EU Payment Services Directive (PSD2) requires that SCA be applied to all electronic payments within the European Economic Area (EEA) through the use of two independent sources of validation, or two-factor authentication.
The two factors are drawn from three categories, knowledge, possession and inherence: something that the payee knows, such as a PIN; something that they have, such as a card or a phone; and something intrinsic to them, such as fingerprints.