New changes in payments

The provisions of Delegated Regulation (EU) 2018/389 supplementing EU Directive no. 2366/2015 of the European Parliament and of the Council (PSD2) on "regulatory technical standards for strict client authentication and open, common and secure communication standards" (the EU Regulation) entered into force on September 14th. They aim at an increased degree of security for payments made online, at merchants or at ATMs.

The Regulation aims to establish strict requirements that payment service providers must meet in order to apply a more rigorous customer authentication procedure, in accordance with Article 97 of Directive (EU) 2015/2366. It also sets out exemptions from the application of the strict authentication security requirements, by reference to the risk level, frequency, value and method of making the payment.

For most payments, the Regulation provides for strict authentication rules to secure the transactions that payers carry out both online and physically, directly at the merchant, with a bank card. The security of the authentication codes is achieved by different methods, such as generating and validating unique passwords, digital signatures or other validity statements that use cryptographic keys or cryptographic materials stored in the authentication elements, as long as the security requirements are met, according to the preamble to the EU Regulation.

As regards the exemptions from strict client authentication, one case to consider is contactless payments made at the point of sale. In these situations, subject to compliance with the requirements set out in Article 2, which regulates general authentication requirements, strict authentication of the payer will no longer be required if the individual value of the contactless electronic payment transaction is not more than 50 Euro and the cumulative value of such payments made since the date of the last application of strict authentication does not exceed 150 Euro.

However, as stipulated by European law, the maximum number of operations involving contactless payment cannot exceed 5 consecutive executions. The Regulation does not expressly stipulate the amount of individual payments made in the second situation, but in relation to the first it can be deduced that all 5 executions can have a value of 150 Euro or less.

The EU Regulation also provides for the possibility of remote (online) payments without strict client authentication, under the same conditions as those presented above, the difference being the amount of the individual or cumulative payment. Thus, an individual payment should not exceed 30 Euro, and the cumulative value of the remote operations initiated since the last application of the strict authentication rules should not exceed 100 Euro.

Significant changes also occur regarding online payment on sites that use the 3D Secure service. Under the new procedure, besides the 3D Secure password, which the lending institution transmits individually to the payer through the mobile service, the payer will also need a four-digit static code that is specific to each beneficiary of the payment services. This code consists of the last digits of the personal numeric code (CNP), or of the passport if the payer does not have a CNP.