In August 2015 the Security of Retail Payments Online (SecuRe Pay) guidelines came into force as the European Banking Authority's (EBA) early adoption of PSD2 strong customer authentication for all future internet payments. SecuRe Pay sets out a number of minimum expectations that must be met.
‘Strong Authentication’ – Mandates multi-factor authentication, but now brings in some interesting caveats, as one or both of these factors:
On 23rd February the EBA published the conclusion of their development of RTS in Strong Customer Authentication.
The EBA draft will now be considered by the European Parliament to confirm that the RTS is in line with the primary legal text of PSD2. This process is expected to last three months, before the start of an 18-month implementation period to enable technical compliance and the development of industry standards to meet requirements. MIDAS will work with European institutions during this three-month period, and PAS499 expects to have draft documentation publicly available early in the 18-month implementation period.
Definition of Strong Authentication – SecuRe Pay mandates multi-factor authentication, but it also brings in some interesting caveats as to how these factors are handled, so that one or both of these factors:
In addition, SecuRe Pay lays out the following requirements for every issuing bank to conform to, based on the use of two or more of the following elements:
In addition, for SecuRe Pay the elements selected must be mutually independent, i.e. the breach of one does not compromise the other.
The purpose of the SecuRe Pay guidelines is to define common minimum requirements for the internet payment services listed below, irrespective of the access device used: