PSD2: transitional period for strong customer authentication for online card payments in Italy

In accordance with the decisions taken at European level, the Bank of Italy has decided to provide the Italian financial industry additional time to complete the adjustments required by law concerning the security of card-based online payments.

The second Payment Services Directive (PSD2) and the related regulatory technical standards set 14 September 2019 as the deadline for the mandatory adoption by banks and other payment service providers of strong customer authentication systems, based on the use of at least two factors (e.g. password, biometric identification, smartphone certificate, and so on), so that customers may access their online accounts and carry out online payments in complete security.

Given the complexity of the adjustments, which are especially significant for card-based online payments, and given the need for the active involvement of customers, on 21 June 2019 the European Banking Authority (EBA) afforded the competent authorities the option of providing additional time, beyond the 14 September deadline, to allow all interested actors to complete the measures and to adopt the new authentication instruments, exclusively in relation to the above-mentioned payment category.

The Bank of Italy, having consulted with the main entities affected by this requirement – banks, card circuits, service centres, consumer and merchant associations – including within the context of meetings with the Italian Payments Committee, has deemed that a gradual transition may greatly mitigate the risks of service interruptions in card-based online payments, avoiding any disruption to transactions in vital economic sectors such as online commerce.

The Bank of Italy has accordingly decided to provide a limited extension to the deadline, based on the final deadline to be set by the EBA and subsequently communicated to the market. The intermediaries wishing to make use of the extension must submit a detailed migration plan which includes communication and customer-readiness measures, in relation to both merchants and cardholders.

During the migration period, payments carried out without strong customer authentication may continue to be sent and accepted according to the current procedures, keeping in mind, however, the immediate applicability of the rules on applicable charges and on responsibilities, in the event of fraud, for payments carried out without the security requirements mandated by law.