Dominant market topics on the payment roadmap

New European regulation through DORA

The Digital Operational Resilience Act (DORA), unveiled by the EU Commission in December 2022, outlines regulations to safeguard the European financial infrastructure during IT failures. It establishes a uniform framework with rules that should ensure the continuity of payment processes in cases where IT service providers experience disruptions. It aims to effectively manage cybersecurity and IT risks in the financial markets. The regulation is supplemented by technical standards (RTS/IST), which are scheduled for publication in the fourth quarter of 2023 and in 2024. Banks, payment institutions and their IT service providers must have implemented the requirements by mid-January 2025. The rules potentially affecting Netcetera and its customers primarily pertain to risk management, reporting, incident management, and resilience testing.

Secure Payment Confirmation (SPC) is a joint development by EMVCo, FIDO and the World Wide Web Consortium (W3C). It is designed to simplify and accelerate authentication for payment transactions based on FIDO, while boosting conversion rates for issuers and online merchants.  Both issuers and online merchants can leverage SPC-based authentication, and its anticipated release is expected to come soon, given the market’s maturity and the benefits it offers to end-users. 

One notable advantage of SPC is its minimal clicks for card holders, thus simplifying the web payment journey with a simple password or fingerprint scan without switching devices multiple times. Merchants need to configure their online shops to meet customers’ demands, particularly for one-click authentication, while ensuring safe payments.

For issuers, the primary challenge is simplifying the registration process for cardholders and raising awareness on instructions, simplicity, and benefits of using SPC.

PSD is being updated and supplemented with PSR

The European Payment Services Directive (PSD) is in the process of being updated and will then result in PSD3. In addition, a Payment Services Regulation (PSR) has been announced. Both are intended to advance the harmonization of payment markets in the EU.

While PSD3 must be transposed into national law by the EU member states, the PSR will apply directly as a regulation. A proposal for the PSR was published at the end of June 2023. The regulation is expected to be bindingly applicable in 2026 or 2027. To this end, the European Banking Authority (EBA) will then also adapt the technical standards (RTS) for transaction monitoring, outsourcing and transaction risk analysis (TRA).

One important impact will be that online merchants will have to provide more data to issuers for payment transactions, for example, about the device used by the customer. The additional required data and quality should lead to significant risk-scoring improvements.

Finally, if the proposed PSD3/PSR is adopted, there will also be changes to Strong Customer Authentication (SCA): Solutions in the future will need to meet inclusion requirements to enable use by people who are not digitally savvy. The updates aim to make it easier for consumers to transact confidently in the digital landscape, both with merchants and with banks.

Martina Forster: "Netcetera will provide suitable solutions for all these topics in time, and we will continue to maintain an intensive exchange with our customers."