Written answers

Wednesday, 22 January 2025

Department of Finance

Financial Services

Paul Murphy (Dublin South West, Solidarity)

332. To ask the Minister for Finance, in relation to financial institutions requesting customers' credit card details verbally over the phone, if he will implement legislation to ensure companies can no longer request this information verbally, but instead must provide a secure alternative for customers. [46833/24]

Jack Chambers (Dublin West, Fianna Fail)

Payment service providers authorised in Ireland, or that provide services in Ireland on a cross-border basis, are subject to the requirements of Directive 2015/2366/EU on payment services (PSD2).

PSD2 was transposed into Irish law with effect from 13 January 2018 by the European Union (Payment Services) Regulations 2018 (S.I. No. 6 of 2018) hereafter referred to as the Payment Service Regulations. The Payment Service Regulations set out the industry requirements concerning the execution of payment transactions, which includes remote electronic payments or telephone orders.

Article 98 of PSD2 required the European Banking Authority (EBA) to develop, in close cooperation with the European Central Bank (ECB), regulatory technical standards (RTS) specifying the requirements of strong customer authentication (SCA) as well as the exemptions from the application of SCA and the requirements with which security measures have to comply in order to protect the confidentiality and the integrity of the payment service users’ personalised security credentials.

Under the PSD2 RTS, payment service providers are permitted not to apply strong customer authentication where the payer initiates a remote electronic payment, including a telephone order, and the transaction is identified by the payment service provider as posing a low level of risk. In receiving credit card details verbally over the phone, and in the further processing of such details, requirements other than the SCA rules, such as the general security requirements, GDPR and any applicable industry standards, also need to be considered.

Payment service providers that intend to exempt electronic remote payment transactions from strong customer authentication on the grounds that they pose a low risk must take a number of risk-based factors into account. These include the payment transaction history and previous spending patterns of the individual payment service user, the location of the payer and of the payee at the time of the payment transaction, and the identification of abnormal payment patterns of the payment service user in relation to the user's payment transaction history.

The payment service provider must combine all those risk-based factors into a risk scoring for each individual transaction to determine whether a specific payment should be allowed without strong customer authentication.

PSD2 is a maximum harmonisation directive and, insofar as the directive contains harmonised provisions, member states shall not maintain or introduce provisions other than those laid down in the directive.
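The answer above describes, in outline, how a transaction risk analysis exemption is decided: the provider combines the payer's spending history and patterns, the payer's and payee's location at the time of payment, and any abnormal payment pattern into a per-transaction risk score, and may skip SCA only when that score indicates low risk. The following is an added illustration of that decision logic, not code from the Oireachtas answer or from any payment service provider. The weights, the 0..100 scale, the exemption threshold and the sample transaction history are all constructed assumptions for the example; the only value taken from outside the answer is the EUR 500 amount cap, which matches the highest tier in Article 18 of the SCA regulatory technical standards (Commission Delegated Regulation (EU) 2018/389).

```python
"""Hypothetical transaction-risk scorer illustrating the factors named in the
answer: spending history and patterns, payer/payee location, and abnormal
payment patterns. Weights, thresholds and the sample history are assumptions
constructed for this example; they are not taken from the RTS or from any
provider's real risk engine."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float        # EUR
    payer_country: str   # where the payer is at the time of payment
    payee_country: str   # where the payee is


# Assumed policy values (not from the page). The RTS Article 18 tiers top out
# at EUR 500, which is why the cap below is set there.
EXEMPTION_AMOUNT_CAP = 500.0
EXEMPT_BELOW_SCORE = 50        # 0..100 scale; >= this means apply SCA
WEIGHTS = {"spending": 40, "location": 35, "velocity": 25}


def spending_deviation(history, amount):
    """Factor: how far this amount lies above the payer's previous spending.
    Returns 0..1 (0 = within the usual pattern, 1 = far outside it)."""
    amounts = [t.amount for t in history]
    if len(amounts) < 3:
        return 1.0                       # too little history to vouch for the payer
    mu, sigma = mean(amounts), pstdev(amounts)
    sigma = sigma or max(0.1 * mu, 1.0)  # avoid a zero divisor on flat history
    z = (amount - mu) / sigma
    return min(max(z, 0.0) / 3.0, 1.0)   # three standard deviations saturates


def location_mismatch(history, txn):
    """Factor: payer and payee location versus the locations seen before."""
    seen_payer = {t.payer_country for t in history}
    seen_payee = {t.payee_country for t in history}
    score = 0.0
    if txn.payer_country not in seen_payer:
        score += 0.5
    if txn.payee_country not in seen_payee:
        score += 0.3
    if txn.payer_country != txn.payee_country:
        score += 0.2
    return min(score, 1.0)


def abnormal_velocity(history, txn, window=timedelta(hours=1)):
    """Factor: abnormal pattern relative to the user's own history, measured as
    a burst of payments in `window` compared with the busiest window seen before."""
    def count_before(when):
        return sum(1 for t in history if when - window <= t.when < when)
    usual = max((count_before(t.when) for t in history), default=0)
    excess = count_before(txn.when) - usual
    return min(max(excess, 0) / 2.0, 1.0)


def risk_score(history, txn):
    """Combine the factors into one 0..100 score for this transaction."""
    factors = {
        "spending": spending_deviation(history, txn.amount),
        "location": location_mismatch(history, txn),
        "velocity": abnormal_velocity(history, txn),
    }
    score = round(sum(WEIGHTS[k] * v for k, v in factors.items()))
    return score, factors


def may_exempt_from_sca(history, txn):
    """Decide whether this remote payment may skip SCA under a low-risk policy."""
    if txn.amount > EXEMPTION_AMOUNT_CAP:
        return False, "amount above exemption cap; SCA required"
    score, factors = risk_score(history, txn)
    if score >= EXEMPT_BELOW_SCORE:
        return False, f"risk score {score} ({factors}); SCA required"
    return True, f"risk score {score}; low-risk exemption may apply"


# Constructed sample history: one small domestic purchase a day for six days.
_BASE = datetime(2024, 11, 4, 9, 0)
SAMPLE_HISTORY = [
    Txn(_BASE + timedelta(days=i), amt, "IE", "IE")
    for i, amt in enumerate([25, 30, 45, 20, 35, 40])
]
USUAL_TXN = Txn(_BASE + timedelta(days=6), 30, "IE", "IE")
ODD_TXN = Txn(_BASE + timedelta(days=6, minutes=30), 480, "IE", "BR")

# Constructed burst: two more domestic payments minutes before a third one.
BURST_HISTORY = SAMPLE_HISTORY + [
    Txn(_BASE + timedelta(days=6, minutes=5), 30, "IE", "IE"),
    Txn(_BASE + timedelta(days=6, minutes=12), 30, "IE", "IE"),
]
BURST_TXN = Txn(_BASE + timedelta(days=6, minutes=30), 30, "IE", "IE")

if __name__ == "__main__":
    for label, hist, t in (("usual", SAMPLE_HISTORY, USUAL_TXN),
                           ("odd", SAMPLE_HISTORY, ODD_TXN),
                           ("burst", BURST_HISTORY, BURST_TXN)):
        print(label, may_exempt_from_sca(hist, t))
```

The point of the structure is that no single factor decides the outcome: the amount cap is a hard gate, and everything else is folded into one score per transaction, which is the shape the RTS requires. A real provider would also have to monitor its fraud rate for the exempted tier and stop using the exemption if that rate is exceeded, which this illustration does not model.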
