Had an interesting update on PSD2 (the EU Payment Services Directive) from Jeremy King (International Director, PCI Security Standards Council) during the latest quarterly PCI UK Merchants Working Group meeting yesterday.
PSD2 recommendations and standards apply to all payment service providers offering internet payment services.
This includes internet card payments (including virtual cards and card data registered in e-wallets), online credit transfers and ACH/direct debit internet payments. In essence, it covers the evolving 3-D Secure systems (aka Super 3D).
Key aspects relate to the need for an annual security and risk assessment, and breach notifications have been made mandatory. In the UK, the FCA will be the authority for PSD2, although the ICO (Information Commissioner's Office) may also be involved for breach accountability.
Current plans appear to be that, when the EU Presidency passes from Italy to Latvia in 2015, the pilot implementation for PSD2 will be run in Latvia. A two-year trial period has been proposed, with EU-wide enforcement thereafter in 2017.
However, the European Banking Authority and the ECB have also just announced that they will be using the latest SecuRe Pay (the European Forum for the Security of Retail Payments) recommendations, and have agreed to issue guidelines based on the SecuRe Pay recommendations, which will enter into force in August 2015.
Either way, for European internet payment service providers, greater legislation and governance requirements are coming soon.