Skip to main content
News

Changes in online payment services and other electronic payments

9. September, 2019No Comments

Changes in online payment services and other electronic payments

On 14 September 2019, changes introduced by EU Directive 2015/2366 on payment services in the internal market (PSD2) and the Commission Delegated Regulation (EU) 2018/389, will enter into force in Slovenia (and across the EU), as well as those changes established by the Slovenian Payment Services, Services for Issuing Electronic Money and Payment Systems Act (Uradni list RS št. 7/18 in 9/18, ZPlaSSIED). The main goal of these changes is to provide greater security against distance payment abuse, by increasing demands regarding customer identity checks (authentication). The so-called Strong Customer Authentication (also: SCA), is being consistently introduced

The SCA measure demands the authentication of a customer in such a way, that at least two out of three elements are simultaneously proofed: (i) the knowledge of the user (something, that only the user knows; for instance a one-time password, sent to the user’s mobile phone), (ii) the property of the user (something, that is in the user’s exclusive possession, for instance his mobile phone); and (iii) an integral connection to the user (something that the user is, for instance biometric data, such as a fingerprint, one’s face etc.).
The SCA measure will have to be taken in all transactions where both the bank of the payer and the bank of the receiver of payment have their seat in one of the EU Member States, as well as when payers access their payment account via the internet, or order an electronic payment transaction, or carry out any activity via the distance channel, where the risk of payment fraud or deception exists. The legislation also foresees certain exceptions that would leave SCA at the discretion of payment service providers.
In practice, the demand for stronger customer authentication will be apparent predominantly in the fact that it will no longer suffice for an online retailer to merely obtain a customer’s payment card details (and subsequently charge it directly); rather the measure of strong customer authentication will have to be carried out in order for the payment to be effected. Such a form of (at least) two-phase authentication is already in use via the 3D Secure system (e.g. by sending a onetime text code to a payer’s mobile phone). 
Regardless of the fact that in the initial phase supervisory bodies will predominantly monitor how payment service providers have prepared for the changes, we advise all persons receiving distance payments to also adequately prepare for these legislative amendments (if you have not yet done so), which primarily requires the implementation of appropriate IT solutions (for which specialized providers exist, who have tailored their solutions specifically to the demands of SCA), as well as the necessary adjustment of the Terms and Conditions to accommodate those changes.

On the same date (14 September 2019) a new form of payment service will be introduced, called the Payment Initiation Service, which will enable online payment via providers who do not possess the assets of the payer, and the Account Information Service, which will allow individuals to access their bank accounts with different banks via the same application. 

Authors: Ana Kastelec, attorney-at-law 
               Jernej Jeraj, partner