Final PSD2 SCA & CSC RTS released

  • SCA (Strong Customer Authentication) limit raised to 30 euro. Cumulative limit 100 euro or 5 consecutive payments
  • new exemption for ‘transaction risk analysis’ – up to 500 euro if the merchants PSP meets stringent fraud rates (e.g. 0.01% for remote card transactions). A sliding scale applies below these levels
  • unattended payment terminals also exempt to avoid unnecessary queues, amongst other things (think road tolls, tube, and parking meter payments)
  • Following CMA example in explicitly stating that screen scraping is no longer permitted (good)
  • AISP calls to access account information appear to have been increased from two to four per day maximum – but no max if account holder is actively requesting it (AISPs will need to think of smart ways of getting their users to actively request the data if it is to be real time). Bilateral arrangements between AISPs and banks can increase that limit if they so desire (a further incentive for bank/fintech partnerships)
  • PSPs to have same levels of availability to account that customers have via their online access
  • Corporate payments subject to same rules and exemptions as retail payments – no special cases (as requested by some industry players)
  • ISO20022 remains the standard for payment messaging under PSD2, although requirements for other security and communication standards (incl HTTPs) have been lifted to allow for technological and business model neutrality
  • Authentication procedures remain within the realm of the account provider




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s