European legislators discuss security rules for online payments


European policy makers will come together next week to discuss security obligations and rules applying to new online payment services: Third-party providers. The new rules will determine how much room is left for innovation in the future online payments market.

A new class of payment services

Third-party providers (TPPs) have emerged rapidly throughout the world as an alternative to bank-based solutions. Generally speaking, these service providers are different as they do not keep payment records, and, unlike banks, do not require an additional payment account. TPPs are often less expensive than more traditional card-based methods of payments, and they offer the consumer the option to buy instantly without the use of a card. This new class of payment services is not yet subject to EU-level regulation, and the European policy makers want to change this.

Strong consumer authentication should not harm conversion

The new rules, currently under negotiation between the Council of the EU and the European Parliament, could stifle innovation in the area of digital payments. The rules oblige payments providers to deploy a form of authentication known as “two factor authentication”[1], described in the latest draft of the rules under discussion as the “strong authentication” method. The methods of authentication as currently discussed by policy makers have a huge impact on conversion for merchants, as many consumers will leave the check-out process when payment becomes too complicated.

Room for innovation is needed

Ecommerce Europe believes that more advanced and equally secure methods of payment authentication, based on modern technologies, are already available. These methods can guarantee a high level of security of digital payment transactions without causing friction to the consumer experience when shopping online. The new methods are expected to be more in line with check-out experiences fit for the shopping experience of the future, such as mobile commerce. Moreover, leaving room for new solutions is more suitable for a risk based approach by merchants.

Next steps

The next political meeting of European policy makers is on Thursday 16 April. In informal three-way talks, the European Institutions will continue negotiations towards the next political-level meeting of Tuesday 5 May. After an agreement has been reached on the new rules, they are expected to enter into force in 2017 or 2018.

Ecommerce Europe remains in close dialogue with the policy makers to ensure the voice of the e-commerce sector is heard. Please read our latest press release on the review of the Payment Services Directive 2.

[1] “Two factor authentication” is a process in which the user provides two means of identification, one of which is typically a physical token (e.g. a card) and the other is something memorized (e.g. a password). Therefore, the definition of two-factor authentication is the use of two authentication elements categorized as knowledge, possession and inherence (i.e. something you know, something you have and something you are).