Voice of the Industry

Strong customer identification under PSD2 - how it works in Poland?

Friday 25 October 2019 11:55 CET | Author Mirela Ciobanu | Voice of the industry

It has been over one month since PSD2 came into force and new complexities have been created for merchants across Europe. Today, Kamil Kalenczuk, lawyer from Woloszanski & Partners, shares with The Paypers how PSD2 works in Poland

Strong customer authentication (SCA) required under Payment Services Directive 2 has been implemented into Polish law as part of the amended Act on Payment Services, which entered into force on 20 June 2018. Banks and other financial institutions must implement the new regulations until 14 September 2019 and that has been successfully done.

Who is affected by SCA?

It needs to be noted that application of SCA by payment service provider is obligatory where the payer:

  1. accesses its payment account online;
  2. initiates an electronic payment transaction;
  3. carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

So the catalogue of affected entities is quite broad, while we need to list mainly ecommerce market actors, PSPs, banks, and its clients.

How SCA may be put into practice?

Correct implementation of SCA requires authentication based on the use of at least 2 out of 3 elements categorised as:

Each element must be independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.

Increased customers’ satisfaction and new opportunities for entrepreneurs

Implementation of PSD2 it may be perceived to be difficult from the technologically point of view, but the industry is aware that these efforts will definitely pay off.

In addition to how changes affect consumers’ safety, attention should also be paid to their convenience. SCA affects not only many basic everyday activities, like logging in to online banking, making an ordinary bank transfer, or adding a trusted recipient, yet it also modifies liability rules. The new law may be summed up in two words – increased security.

Change of the rules of making contactless payments seems to be the most significant inconvenience. In the pre-PSD2 environment contactless payments up to 50 PLN (1 EUR ~ 4.3 PLN) could be executed without PIN code. Since 14 September PIN code will have to be entered every 5 transactions. On the other hand, one advantage needs to be noted – Visa and Mastercard already have the Polish National Bank's consent to increase the limit for a single transaction to PLN 100.

Another important (and necessary) measure to protect customers is to lower the limit of liability for unauthorised transactions in case of card theft. Currently it is the equivalent of EUR 50 (previously 150 EUR). The excess over this amount must be returned to the customer by the bank. Interesting opportunity is making online payments instantly without the use of intermediaries. The online shop (upon our consent), will be able to enter our account and order payment for a certain amount - of course, in order to be successful, we will have to authorise it.

Entrepreneurs will certainly appreciate the possibility of connecting bank accounts maintained by different banks. It will also facilitate money management for companies that will be able to aggregate financial data and easily integrate accounting programs with their bank accounts. PSD2 directive is unique in that it allows access to our bank account by the so-called TPP (banks, fintech companies etc.).

And finally, something for people who travel a lot. Thanks to PSD2 you will always know in advance the specific amount that will be blocked by the hotel or car rental. Consent to a specific amount of money means the end of unpleasant surprises. Moreover, transfers in foreign currencies (euro and other Member States' currencies) will be faster.

A few observations from the Polish market

Before the 14 September, the most ‘active’ player on the Polish market in terms of the upcoming changes were (no surprise) banks. It should be noted that the changes were rather evolutionary, as most banks had already allowed customers to use two-factor authentication voluntarily.

While the Financial Supervisory Authority gives the opportunity to individually extend the time for migration of existing authentication methods to fully compliant solutions, this requires the submission of an appropriate 'migration plan' and shall be agreed with the FSA.

Poland has one of the most developed payment industries in Europe. It should be noted that the changes are assessed as positive. Even though banks’ and online shops’ customers have to face some potential inconveniences, it should be recognised that the implementation of SCA went according to plan and industry was definitely ready to adapt its IT systems and procedures to the new requirements. Furthermore, changes were appreciated by the industry. Due to the high awareness of customers, the increase in the level of applied security measures is also positively assessed by most of them.

About Kamil Kaleńczuk

Kamil Kaleńczuk is a lawyer from Wołoszański & Partners Law Firm specializing in providing services to entrepreneurs. Experienced in managing multi-threaded legal projects, on a daily basis he works with clients in the field of new technology and regtech law, corporate governance, as well as labour law.

About WLAW

Wołoszański & Partners Law Firm specialises in rendering legal advisory services for entrepreneurs. Our Law Firm offers comprehensive legal services. In particular Wołoszański & Part specialize in commercial law, civil law and companies law.

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: SCA, Poland, Kamil Kaleńczuk, WLAW, ecommerce, merchants, authentication, compliance, PSD2
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: Poland
This article is part of category

Securing Transactions