European consumers will be able to reap the full benefits of paying online for goods and services, thanks to new rules that will it make it cheaper, easier and safer to make electronic payments. The revised Payment Services Directive (PSD2), which will apply as of 13 January 2018, aims to modernize Europe's payment services to the benefit of both consumers and businesses, so as to keep pace with this rapidly evolving market.
Vice President responsible for Financial Stability, Financial Services and Capital Markets Union Valdis Dombrovskis said: "This legislation is another step towards a digital single market in the EU. It will promote the development of innovative online and mobile payments, which will benefit the economy and growth. With PSD2 becoming applicable, we are banning surcharges for consumer debit and credit card payments. This could save more than €550 million per year for EU consumers. Consumers will also be better protected when they make payments."
The new rules will be applicable as of 13 January 2018 through provisions that member states have introduced in their national laws in compliance with the EU legislation. They will:
- Prohibit surcharging, which are additional charges for payments with consumer credit or debit cards, both in shops or online;
- open the EU payment market to companies offering payment services, based on them gaining access to information about the payment account;
- introduce strict security requirements for electronic payments and for the protection of consumers' financial data, and;
- enhance consumers' rights in numerous areas.
These include reducing the liability for non-authorized payments and introducing an unconditional ("no questions asked") refund right for direct debits in euro.
The revised Payment Services Directive (PSD2, Directive 2015/2366/EU), proposed by the European Commission in July 2013 and agreed by co-legislators in 2015, is the latest in a series of laws adopted by the EU in order to provide for modern, efficient and cheap payment services and to enhance protection for European consumers and businesses. It incorporates and repeals Directive 2007/64/EC (Payment Services Directive, or PSD1), which provided the legal basis for the creation of an EU-wide single market for payment services. The revised Directive adapts the rules to cater for emerging and innovative payment services, including internet and mobile payments, while at the same time ensuring a more secure environment for consumers.
Payment Services Directive: Frequently asked questions
1. What is the Payment Services Directive? The first Payment Services Directive (PSD1) was adopted in 2007. This legislation provides the legal foundation for an EU single market for payments, to establish safer and more innovative payment services across the EU. The objective was to make cross-border payments as easy, efficient and secure as 'national' payments within a member state. Since 2007, this Directive has brought substantial benefits to the European economy, easing access for new market entrants and payment institutions, and so offering more competition and choice to consumers. It offered economies of scale and helped the Single Euro Payments Area (SEPA) in practice. The first PSD has meant more transparency and information for consumers, for example about execution time and fees; and it has cut execution times, strengthened refund rights, and clarified the liability of consumers and payment institutions. A very tangible benefit is that payments are now easier and quicker throughout the whole EU: payments are usually credited to the payment receiver's account within the next day.
2. Why did the Commission propose to review this Directive? The Commission proposed to review PSD1 to modernize it to take account of new types of payment services, such as payment initiation services (see question 18). These service providers have brought innovation and competition, providing more, and often cheaper, alternatives for internet payments; but were previously unregulated. Bringing them within the scope of the PSD has boosted transparency, innovation and security in the single market and created a level playing field between different payment service providers. At the same time, certain rules set out in the first PSD, such as the exemptions of a number of payment-related activities from the scope of the Directive (payment services provided within a “ limited network” or through mobile phones or other IT devices) have been transposed or applied by member states in different ways, leading to regulatory arbitrage and legal uncertainty. In a number of areas, it has also led to impaired consumer protection and competitive distortions. Updated definitions ensure a level playing field between different providers and address in a more efficient way the consumer protection needed in the context of payments. The Commission proposed to revise the Payment Services Directive (PSD1) in July 2013. The proposal was part of a package of legislative measures on payment services, which included a proposal for a Regulation on interchange fees for card-based payment transactions (the Interchange Fee Regulation). The Interchange Fee Regulation 2015/751 entered into force on 9 June 2015.
3. What are the main objectives of the revised Directive? The revised Payment Services Directive (PSD2) updates and complements the EU rules put in place by the Payment Services Directive (PSD1, 2007/64/EC). Its main objectives are to: - Contribute to a more integrated and efficient European payments market - Improve the level playing field for payment service providers (including new players) - Make payments safer and more secure - Protect consumers
4. What are the main differences between PSD1 and PSD2? PSD2 widens the scope of PSD1 by covering new services and players as well as by extending the scope of existing services (payment instruments issued by payment service providers that do not manage the account of the payment service user), enabling their access to payment accounts. PSD2 also updates the telecom exemption by limiting it mainly to micro-payments for digital services (see question 9), and includes transactions with third countries when only one of the payment service providers is located within the EU ("one-leg transactions"). It also enhances cooperation and information exchange between authorities in the context of authorization and supervision of payment institutions. The European Banking Authority (EBA) will develop a central register of authorized and registered payment institutions. To make electronic payments safer and more secure, PSD2 introduces enhanced security measures to be implemented by all payment service providers, including banks. In particular, PSD2 requires payment service providers to apply strong customer authentication (SCA) for electronic payment transactions as a general rule. To that end, the Commission adopted rules that spell out how strong customer authentication (SCA) is to be applied.
5. What are the benefits for consumers under this Directive? A. Economic benefits The new EU rules should help stimulate competition in the electronic payments market, by providing the necessary legal certainty for companies to enter or continue in the market. This would then allow consumers to benefit from more and better choices between different types of payment services and service providers. During the past years, new players have emerged in the area of internet payments offering consumers the possibility to pay instantly for their internet bookings or online shopping without the need for a credit card (around 60% of the EU population does not have a credit card). These services establish a payment link between the payer and the online merchant via the payer's online banking module. These innovative and low cost payment solutions are called “payment initiation services” and are already offered in a number of member states (e.g. Sofort in Germany, IDeal in the Netherlands, Trustly in Sweden). Until now, these new providers were not regulated at EU level. The new Directive will cover these new payment providers (“payment initiation services”), addressing issues which may arise with respect to confidentiality, liability or security of such transactions. Furthermore, PSD2 will help lower charges for consumers and ban "surcharging" for card payments in the vast majority of cases (including all popular consumer debit and credit cards), both online and in shops. The practice of surcharging is common in some member states, notably for online payments and specific sectors, such as the travel and hospitality industry. In all cases where card charges imposed on merchants are capped, in accordance with the complementary regulation on interchange fees for card-based payment transactions (the Interchange Fee Regulation), merchants will no longer be allowed to surcharge consumers for using their payment card. This will apply to domestic as well as cross-border payments. In practice, the prohibition of surcharging will cover some 95% of all card payments in the EU and consumers would be able to save more than €550 million annually. The new rules will contribute to a better consumer experience when paying with a card throughout the European Union. Consumers will be better protected against fraud and other abuses and payment incidents, with improved security measures in place. As regards losses that consumers may face, the new rules streamline and further harmonize the liability rules in case of unauthorized transactions, ensuring enhanced protection of the legitimate interests of payment users. Except in cases of fraud or gross negligence by the payer, the maximum amount a payer could, under any circumstances, be obliged to pay in the case of an unauthorized payment transaction will decrease from €150 to €50. B. Consumers' rights PSD1 and PSD2 protect consumer rights in the event of unauthorized debits from an account under certain conditions. A direct debit is a payment that is not initiated by the payer, but by the payee on the basis of consent of the payer to the payee. It is based on the following concept: "I request money from someone else with their prior approval and credit it to myself". The payer and the biller must each hold an account with a payment service provider and the transfer of funds (money) takes place between the payer's bank and the biller's bank. However, since the biller can collect funds from a payer's account, provided that a mandate has been granted by the payer to the biller, the payer should also have a right to get the money refunded. Member states have applied different rules with regard to this issue. Under PSD1, payers had the right to a refund from their payment service provider in case of a direct debit from their account, but only under certain conditions. In order to enhance consumer protection and promote legal certainty further, PSD2 provides a legislative basis for an unconditional refund right in case of a SEPA direct debit during an 8 week period from the date the funds are debited form the account. The right to a refund after the payee has initiated the payment still allows the payer to remain in control of his payment. In such cases, payers can request a refund even in the case of a disputed payment transaction. As far as the direct debit schemes for non-euro payments are concerned, where they offer the protection as set out under PSD1, they can continue to function as they do today. However, member states may require that for such direct debit schemes refund rights are offered that are more advantageous to payers. Consumers will also be better protected when the transaction amount is not known in advance. This situation can occur in the case of car rentals, hotel bookings, or at petrol stations. The payee will only be allowed to block funds on the account of the payer if the payer has approved the exact amount that can be blocked. The payer's bank shall immediately release the blocked funds after having received the information about the exact amount and at the latest after having received the payment order. Furthermore, the new Directive will increase consumer rights when sending transfers and money remittances outside the EU or paying in non-EU currencies. PSD1 only addresses transfers inside the EU and is limited to the currencies of the member states. PSD2 will extend the application of PSD1 rules on transparency to "one-leg transactions", hence covering payment transactions to persons outside the EU as regards the “EU part” of the transaction. This should contribute to better information of money remitters, and lower the cost of money remittances as a result of higher transparency on the market. Finally, the new Directive will oblige member states to designate competent authorities to handle complaints of payment service users and other interested parties, such as consumer associations, concerning an alleged infringement of the directive. Payment service providers that are covered by the Directive on their side should put in place a complaints procedure for consumers that they can use before seeking out-of-court redress or before launching court proceedings. The new rules will oblige payment service providers to answer in written form to any complaint within 15 business days. C. Payment security The new rules also provide for a high level of payment security. This is a key issue for many payment users and notably consumers when paying via the internet. All payment service providers, including banks, payment institutions or third party providers (TPPs), will need to prove that they have certain security measures in place ensuring safe and secure payments. The payment service provider will have to carry out an assessment of the operational and security risks at stake and the measures taken on a yearly basis.
6. How will PSD2 benefit potential market entrants and contribute to the Single Market? - Market entrants Since the adoption of PSD1, new services emerged in the area of internet payments, where so called third party providers (TPPs) offer specific payment solutions or services to customers. For example, there are services which collect and consolidate information on the different bank accounts of a consumer in a single place ("account information services - AIS"). These services will typically allow consumers to have a global view on their financial situation and to analyse their spending patterns, expenses, financial needs in a user-friendly manner. Other third party providers facilitate the use of online banking to make internet payments (so-called "payment initiation services - PIS"). They help to initiate a payment from the user account to the merchant account by creating a software “bridge” between these accounts, fill-in the information necessary for a transfer (amount of the transaction, account number, message) and inform the merchant once the transaction has been initiated. Until now, entering the market of payments was complicated for TPPs, as many barriers were preventing them from offering their solutions on a large scale and in different member states. With these barriers removed, more competition is expected with new players entering new markets and offering cheaper solutions for payments to more and more consumers throughout Europe. The TPPs will have to follow the same rules as the traditional payment service providers: registration, licensing and supervision by the competent authorities. In addition, new security requirements included in the text of the PSD2 will oblige all payment service providers to step up the security around online payments. - Single Market PSD2 will allow consumers and merchants to benefit fully from the internal market, particularly in terms of e-commerce. The Directive aims to help develop the EU market for electronic payments, which will enable consumers, retailers and other market players to enjoy the full benefits of the EU internal market, in line with the digital single market. Such further integration is becoming increasingly important as the world moves beyond bricks-and-mortar trade towards a digital economy.
7.What is the scope of the Directive? The Directive applies to payment services in the European Union. The Directive focuses on electronic payments, which are more cost-efficient than cash and which also stimulate consumption and economic growth. There are a number of payment means (including cash and cheques) not falling within the scope of this Directive.
8. Will the new rules also apply to international payments? While PSD1 only applies to intra-EU payments, PSD2 extends a number of obligations, notably information obligations, to payments to and from third countries, where one of the payment service providers is located in the European Union. The extension of the scope has implications primarily for the banks and other payment service providers that are located in the EU. In practice, this means that these financial services providers shall provide information and transparency on the costs and conditions of these international payments, at least in respect of their part of the transaction. They can also be held liable for their part of the payment transaction if something goes wrong that is attributable to them. Moreover, the extension in scope will also have as an effect that the same rules will apply to payments that are made in a currency that is not denominated in Euro or another member state's currency. This will be an important improvement for consumer protection in particular in the area of global money remittances.
9. To what extent will payments through telecom operators be covered by this Directive? Under PSD1, payments made through a telecom operator were not covered, where the telecom operator acts as an intermediary between the consumer and the payment service provider (by operator billing or direct to phone-bill purchases). Under PSD2, the purchase of physical goods and services through a telecom operator now falls within the scope of the Directive. Under the new rules, the exclusion for payments through telecom operators has also been further specified and narrowed down. The exclusion now covers only payments made through telecom operators for the purchase of digital services such as music and digital newspapers that are downloaded on a digital device or of electronic tickets or donations to charities. In order to avoid the risk of exposure to substantial financial risks to payers, only payments under a certain threshold are excluded (€50 per transaction; €300 per billing month). Telecom operators that engage in such an activity shall notify to the competent authorities, on an annual basis, that they comply with these limits. The activity will also be listed in the public registers.
10. Will there be changes in the authorization requirements for payment institutions? Under PSD2, payment institutions are required to fulfil a variety of requirements in order to obtain an authorization to provide payment services. These requirements are largely the same as under PSD1. The main changes relate to the enhanced levels of payment security under PSD2. Entities that wish to be authorized as a payment institution shall provide with their application a security policy document, as well as a description of security incident management procedure, contingency procedures etc. Capital requirements which aim to ensure financial stability have largely remained the same under PSD2 as they were set out in PSD1. Specific capital requirements have been defined for third party service providers in relation to their respective activities and the risks these represent. Third party service providers are not subject to own fund requirements. However, they need to hold a professional indemnity insurance covering the territories in which they offer services.
11. Will the rules change for waived payment institutions? Under PSD1, entities with an average volume of monthly payment transactions below €3 million can benefit from a lighter authorization regime, if their member state of establishment makes use of that option. This so-called "waiver" regime will be maintained under PSD2 as an option for member states, albeit with this difference, that member states making use of the option can decide to define a lower threshold under which such "waivers" can be granted. Payment institutions that have obtained a waiver under PSD1 may need to re-assess their status under PSD2, depending on whether the member state that has made use of the option under PSD1 decides to continue to make use of the option and/or to lower the threshold under which the waiver is granted.
12. What are the changes for limited networks under this Directive? As under PSD1, payment transactions based on a specific payment instrument within a limited network - for instance a chain of department stores or a network of petrol stations under the same brand offering a dedicated payment instrument to their customers - are outside the scope of the Directive. In order to ensure a more coherent supervision of such networks across the Union, the Directive provides that networks, when their activities reach a certain value, shall notify these activities to competent authorities, so that these can assess whether or not the network shall apply for a licence as a payment institution. This is to ensure that the financial risks for consumers are minimized.
13. Will this Directive strengthen the supervision of payment institutions that provide services cross-border? As a main principle, payment institutions are supervised by the member state where they are authorized to provide the defined payment services (the so-called 'home member state'). When a payment institution intends to provide payment services in another member state, the supervision of these activities in principle remains with the home member state. However, if the payment institution provides these services through established agents or branches in the other member state (the host member state), that member state can act in case of an infringement or a suspected infringement of EU rules under the Directive. In this respect, the supervision under PSD2 has not changed. However, to reinforce the investigative and supervisory powers of the host member state, PSD2 has introduced a more detailed passporting procedure. This procedure will ensure better cooperation and information exchange between the national competent authorities. Furthermore, the host member state can ask payment institutions operating with agents and branches in its territory to regularly report on their activities. To that end, the payment institution can be requested to set up a central contact point in the host territory (see question 15 below). In emergency situations, requiring immediate action, the host member state is allowed to take precautionary measures with regard to the payment institution concerned, in parallel to the host's duties of cooperation with the home member state to find a remedy. The European Banking Authority has been mandated to draft regulatory technical standards on the co-operation and information exchange between authorities.
14. Is there a need to set up a central contact point in a member state if they are providing payments services cross border? PSD2 contains an option for member states to require a payment institution that provides cross-border payment services to set up a central contact point if it operates with agents or branches that are established in their territory. The central contact point shall ensure adequate communication and information with regard to the activities of the payment institution in the host territory. The European Banking Authority is mandated to draft regulatory technical standards on the criteria under which a central contact point can be requested, and the functions of such contact point. The fourth Anti-Money Laundering Directive (Directive EU/2015/849) also contains an option for Member States to request a central contact point in its territory. The set-up of such a contact point, however, can only be requested for the purpose of ensuring compliance with the money laundering and anti-terrorist financing rules. This provision should be distinguished from the member states option under PSD2, which can only be invoked for the purpose of adequate communication and information by the payment institution on compliance with the rules under PSD2.
15. Will payment institutions be able to access accounts maintained by credit institutions? For payment institutions, access to a payment account maintained by a credit institution is vital for the operation of their business. PSD2 provides specifically that member states will have to ensure that credit institutions do not block or hinder access to payment accounts and that payment institutions have access to credit institutions' payment accounts services in an objective, non-discriminatory and proportionate manner. This aspect is very relevant for money remittance services as many of them have lost access to the banking system in the recent years.
16. What is strong customer authentication? The PSD2 text introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers, including newly regulated payment service providers. This stricter approach on security should contribute to reducing the risk of fraud for all new and more traditional means of payment, especially online payments, and to protecting the confidentiality of the user's financial data (including personal data). Payment service providers will be obliged to apply so-called strong customer authentication (SCA) when a payer initiates an electronic payment transaction. Strong customer authentication is an authentication process that validates the identity of the user of a payment service or of the payment transaction (more specifically, whether the use of a payment instrument is authorized). Strong customer authentication is based on the use of two or more elements categorised as knowledge (something only the user knows, e.g. a password or a PIN), possession (something only the user possesses, e.g. the card or an authentication code generating device) and inherence (something the user is, e.g. the use of a fingerprint or voice recognition) to validate the user or the transaction. These elements are independent (the breach of one element does not compromise the reliability of the others) and designed in such a way as to protect the confidentiality of the authentication data. On 27 November 2017, the Commission adopted rules that spell out how strong customer authentication (SCA) is to be applied." For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimizing the risks in case of mistakes or fraudulent attacks.
17. Will all payments have to apply strong customer authentication? Are exemptions possible? As a matter of principle, all electronic means of payment are subject to strong customer authentication. However, exemptions to the principle of strong customer authentication (SCA) are possible, as it is not always necessary and convenient to request the same level of security from all payment transactions. These exemptions have been defined by the European Banking Authority (EBA) and adopted by the European Commission, taking account of the risk involved, the value of transactions and the channels used for the payment. Such exemptions include low value payments at the point of sale (to facilitate the use of mobile and contactless payments) and also for remote (online) transactions. The exemptions from strong customer authentication seek to avoid disrupting the ways consumers, merchants and payment service providers operate today. They are also based on the fact that there are alternative authentication mechanisms that are equally safe and secure.
18. What are payment initiation services? The PSD2 opens the EU payment market for companies offering consumer or business-oriented payment services based on the access to the information from the payment account – so called "payment initiation services providers" and "account information services providers". Payment initiation services providers typically help consumers to make online credit transfers and inform the merchant immediately of the payment initiation, allowing for the immediate dispatch of goods or immediate access to services purchased online. For online payments, they constitute a true alternative to credit card payments as they offer an easily accessible payment service, as the consumer only needs to possess an online payment account.
19. What are account information services? Account information services allow consumers and businesses to have a global view on their financial situation, for instance, by enabling consumers to consolidate the different payment accounts they may have with one or more banks and to categorize their spending according to different typologies (food, energy, rent, leisure, etc.), thus helping them with budgeting and financial planning.
20. What is payment instrument issuing? The issuing of a payment instrument is one of the payment services that falls within the scope of PSD1 and of PSD2. Any authorized payment service provider, be it a bank or a payment institution, can issue payment instruments. Payment instruments do not only cover payment cards, such as debit cards and credit cards, but any personalized device or set of rules agreed between the issuer and the user used to initiate a payment. PSD2 allows payment service providers that do not manage the account of the payment service user to issue card-based payment instruments to that account and to execute card-based payments from that account. Such “third party” payment service provider – which could be a bank not servicing the account of the payer – will be able, after consent of the user, to receive from the financial institution where the account is held a confirmation (a yes/no answer) as to whether there are sufficient funds on the account for the payment to be made.
21. What opportunities will these providers offer to consumers and enterprises? The "payment initiation services providers" allow consumers that shop online to pay for their purchases through a simple credit transfer from their payment account. In some countries, these services are already in use (55% of internet payments in the Netherlands). By providing a proper legal framework in which these services can be offered, PSD2 opens possibilities for providers of these services to operate across the EU and to compete on an equal basis with other regulated players in the market, such as banks. Account information service providers already exist today and offer tools that allow companies and consumers to have a consolidated view of their financial situation. Nowadays, these services are not regulated, at least at EU level. PSD2 will provide for a common framework with clear conditions under which these providers can access the financial information on behalf of their clients. This will allow these services providers to operate without hindrance and to reach a broader audience which normally does not make use of such account managing services. Today, account holders are not obliged to use payment instruments offered by the same payment service provider with which they hold their account. For example, credit cards are not only provided by the bank where the user holds its account, but also by third party providers. This does not work, however, in the case of debit cards, where payment service providers have found it very difficult to offer such payment service in connection to accounts not held by them. The source of these difficulties is the fact that these third providers do not have access to feedback information on the availability of funds on the account held by other financial institution. PSD2 lifts this obstacle, which is likely to see consumers benefit from competitive card services offered by third party providers.
22. Will these providers be subject to the same rules as other payment institutions i.e. authorisation and security? The PSD2 requires all that payment services providers be authorized and regulated. The inclusion of new payment providers within the scope of PSD2 will allow competent authorities to better monitor and supervise the activities of these new players. PSD2 also fully clarifies the liability issues between bank servicing the account of the payer and the payment initiation service. When a payment initiation service provider is used by a payer to initiate a payment, it will be liable for any payment incidents within its sphere. In particular, the bank of the payer shall not be held liable for payment incidents that can be traced back to the initiator.
23. To what extent will these providers have access to information on my payment or bank account? These new providers will only be allowed to provide the services the payer decides to make use of. In order to provide these services they will not have full access to the account of the payer. Those offering payment instruments or payment initiation services will only be able to receive information from the payer's bank on the availability of funds (a yes/no answer) on the account before initiating the payment (with the explicit consent of the payer). Account information service providers will receive the information explicitly agreed by the payer and only to the extent they are necessary for the service provided to the payer. The security credentials of the payment service user shall not be accessible to other third parties and will have to be transmitted through safe and efficient channels to the bank servicing the account. A dynamically generated code only valid for that specific transaction (linked to the amount and recipient) will have to be used in the authentication process.
24. Is there a different date of application for the security requirements? Without prejudice to the date of application of PSD2 (13 January 2018), a different date of application is foreseen for the new security measures - strong customer authentication and standards for secure communication - introduced in the PSD2. Their entry into force is subject to the adoption of the regulatory technical standards which have been developed by the European Banking Authority and adopted by the Commission. As a result, the new security measures shall apply 18 months after the publication in the Official Journal of these standards, currently under objection period of the European Parliament and Council.
25. Will authorizations under PSD1 keep their validity under this Directive? The text of PSD2 foresees transitional provisions for payment institutions that are already authorised to provide services under PSD1. These institutions are allowed to continue providing payment services for 30 months (authorised institutions) or 36 months (“ small” institutions that benefited from the waiver under Article 26 of PSD) after the entry into force of PSD2. In order to provide payment services beyond that transitional period, the existing payment institutions would need to submit all relevant information required under PSD2 to the competent authorities that have granted them their existing licenses and fully comply with the relevant PSD2 requirements. In addition, member states may provide for the existing payment institutions to be automatically granted PSD2 authorisation if the competent authority already possesses evidence that the payment institution complies with PSD2 requirements. Competent authorities shall make such an assessment on a case-by-case basis. They should inform the payment institution concerned before the authorization is granted. MEMO/15/5793
26.Can existing providers of payment initiation and account information services continue to provide their services after the date of application of PSD2? As of when will they need to apply for a licence? PSD2 provisions ensure that providers of payment initiation services (PIS) and account information services (AIS) that are already established in the market can continue to perform their activities. More specifically, PSD2 states that member states shall allow existing PIS or AIS providers in their territories to operate in accordance with the currently applicable regulatory framework. As the provision of PIS and AIS is a new payment service recognised in PSD2, existing and new providers of such services would need to apply for authorisation under the PSD2 regime from the date of application of the new Directive. Furthermore, because the new security measures of PSD2 regarding strong customer authentication and standards for secure communication will become applicable later than other provisions (see answer 24), PIS and AIS providers that seek authorization under PSD2 are not required to submit proof of compliance with these security requirements until that later date. As provision of both types of services is dependent on the authentication procedures provided by banks, upgrades to the security requirements and procedures applied by banks need to be fully implemented by banks before the application of these measures is possible for the PIS and AIS. In case banks do not comply on time with the security requirements and standards for secure communication, they cannot use this noncompliance to hinder or obstruct the use of PIS and AIS. The delayed application of the security requirements should not create any difficulties for the provision of existing payment-related services by market players that have been operating in member states before 13 January 2016. Article 115(5) of PSD2 ensures the continuity of these services. These payment services providers should still apply for the relevant authorization under PSD2 to their national authority as soon as possible.
27. What is the role of the Internet Security Guidelines, published by the European Banking Authority in 2014, during the transitional period? The EBA guidelines on the security of internet payments address the issue of security of internet payments as an interim solution, until the application of the PSD2 and its more comprehensive security requirements. When the EBA Guidelines are applied by the competent authorities of the member states, in the transitional period, they must be interpreted in so far as there is any scope to do so, in line with the PSD2's content and objectives. As a consequence, compliance with the EBA Guidelines on the security of internet payments should not be used to justify obstructing or blocking the use of PIS or AIS. Pending the full application of the PSD2 rules, including the rules on the security of payments, and in accordance with the PSD2 text: “Member states, the Commission, the European Central Bank and the European Banking Authority, should guarantee fair competition in that market avoiding unjustifiable discrimination against any existing player on the market”.