The European Commission (EC) has extended the deadline by 18 months for the European banks and service providers to implement new Payment Services Directive (PSD2) rules.
PSD2 will become effective from 13 January 2018, except for the security measures outlined in the Regulatory Technical Standards (RTS). Subject to the agreement of the Council and the European Parliament, the RTS is set to be implemented by September 2019.
The new rules do not allow the third party payment services providers to access the customer’s data via ‘screen scraping’, a technique used to access the data through the customer interface with the use of the customer’s security credentials.
As per the new rules, two security features for online or ‘bricks-and-mortar’ shops will be used, instead of current practice of using a single password or details on a credit card in order to eliminate payments fraud.
In a statement, the EU said: “Payment market players need this transition period to upgrade their payments security systems so that they meet the RTS requirements.
“This means that the PSD2 provisions on strong customer authentication and on secure communication, which are directly specified in the RTS, will not apply immediately.”
EU said that the European Parliament and the Council now have three months to object any of the RTS rules before they are placed on the statute book.