European Union nations are working towards fully implementing the second Payment Services Directive (PSD2). It aims to make customer protection and security more robust with regards to online transactions and it requires changes to the way organisations process transactions. This means that banks and fintech firms should  finetune their internal policies and design PSD2 compliance frameworks. 

PSD2 came into effect in September 2019, replacing the original Payment Services Directive (PSD1). PSD1 was introduced to increase competition in the payments space, opening it up to organisations other than banks. The first directive created an EU-wide level playing field for the rights of consumers. It also obliged payment providers to create faster payments and offer more clarity on fees, exchange rates and rights to refunds, amongst other elements. Finally, PSD1 provided a legal framework for the Single Euro Payments Area (SEPA), which aimed to harmonise payments across the bloc.

The differences between PSD1 and PSD2 include: 

  • Additional security measures for payments
  • Rules for transactions with non-EEA countries
  • Regulations for recent innovations in online payments that did not exist at the time of PSD1

Updated definitions to counter the problem of member states interpreting them in different ways, as occurred after PSD1

What is the Payment Services Directive 2 (PSD2)?

The Payment Services Directive 2 regulates the online payment sector in the EU and the EEA. Even though the UK left the European Union, it is also implementing the directive into national law. The main elements of PSD2 involve: 

1. Strong Customer Authentication

The European Banking Authority (EBA) has created regulatory technical standards (RTS) for strong customer authentication (SCA) for electronic payment transactions. This involves multi-factor verification that the payer is the person they say they are when they make a payment. 

2. Access to accounts

Third parties can access payment accounts if the customer has given express permission for them to do so. This means the directive can regulate the growing community of account aggregators that allow users to see all information from disparate accounts on one dashboard. This includes the open banking initiative

3. Transparency of payments and charges

Payment service providers (PSP) must let users know what charges, if any, will be applied to a transaction.

This means the directive could cause issues for US-based merchants. Uptake of 3D Secure (or 3DS), the security protocol on which strong customer authentication is based, has been slow in the US. Just 17% of US-based transactions in 2017 involved 3DS. Now, if a merchant from the United States processes transactions through an acquirer based in the EEA or the UK, it will need to be able to handle transactions using the latest version of the protocol, 3DS2. 

This could pave the way for greater adoption of two-factor authentication in US transactions in the near future. 

How does PSD2 change the payments market?

PSD2 levels the playing field for the European payments market. The same rules and regulations apply to fintech companies, payment institutions and other third-party payment service providers (TPPs) as they do to banks when processing transactions. The market becomes more integrated, by allowing third parties access to user accounts, amongst other measures. PSD2 also helps the efforts being made towards a single digital market across all member states. 

The idea is that payments in the EU will be deemed more secure and trustworthy, thanks to the added security involved in online transactions. Merchants can be certain that they will get paid, whilst consumers will be sure that their money is moving to the correct place. 

There is also a provision in place to prevent surcharging for the use of consumer credit and debit cards. This applies to both in-store and online purchases. 

Who will be affected?

Organisation

Impact of PSD2

Online businesses

  • Ecommerce businesses will have to ensure their payment provider supports 3DS2 in order to meet the requirements for strong customer authentication. 
  • There are fears that the requirement for two-factor authentication means there will be more friction in the checkout process, potentially increasing abandoned carts. 
  • Online businesses can no longer add surcharges onto purchases for using particular payment solutions. 

Banks

  • Banks and financial institutions must share data through API with third parties, with the express permission of the account holder. Banks must work with TPPs such as:
    • Account Information Service Providers (AISP), which use customer account information to provide various online financial services, such as open banking.
    • Payment Initiation Service Providers (PISP), which authorise payments on behalf of account holders.
  • Payment service providers must demand multi-factor authentication before allowing transactions.
  • They must extend the scope of compliance even if the customer is outside of the EEA. This is called the ‘one leg out’ approach. 

When does PSD2 come into force?

PSD2 came into force on 14th September 2019, but EU member states were allowed until 31st December 2020 to implement SCA frameworks fully. However, many countries are yet to comply with this and are working to their own timelines

In the UK, the rules to meet SCA requirements in online and mobile banking came into force in March 2020, with e-commerce firms allowed until March 2022 to prepare for the regulations. 

PSD2 compliance checklist

Here are the steps that you must take to prepare your business for PSD2 compliance:

✓ Strong Customer Authentication

In order to accept a customer’s request to access their account or to make a purchase, they must provide at least two forms of identification from at least two of the three different elements of SCA. These are: 

Element

Examples

POSSESSION – Something only you have

  • A device, evidenced by a one-time passcode (OTP) sent via SMS, for example
  • A device, evidenced by an e-signature generated by hardware or software token

INHERENCE – Something only you are

  • Fingerprint scan
  • Facial recognition
  • Voice recognition

KNOWLEDGE – Something only you know

  • Password
  • PIN
  • Knowledge-based challenge questions

You should have the processes in place to verify this information and ensure the transaction takes place as intended by a legitimate customer. 

✓ Transaction Risk Analysis

You should have a transaction risk analysis (TRA) system in place that allows low-risk transactions to be exempt from SCA if certain requirements are met.

For effective transaction monitoring, the issuer or acquirer must:

  • Have a TRA solution that is compliant with the Regulatory Technical Standards (RTS) for PSD2
  • Hold fraud reporting capabilities that meet the requirements of local regulators
  • Maintain a fraud rate below the threshold specified by the European Bank regulations

✓ Replication Protection

Fraudsters are constantly looking for ways to replicate authentication material used to verify payments that use SCA. This is a particular issue with transactions using mobile phones and requires tools such as mobile application shielding to prevent cybercriminals from stealing sensitive information. 

✓ Dynamic Linking

Each transaction requires its own authentication code, which is dynamically linked to that particular transfer. The payer should verify the identity of the payee and the monetary amount in question before they send the payment. The authentication code should become invalid if either of the other details are changed. This prevents a criminal from being able to trick the payer into making what they think is a genuine payment, but which is actually sent to the fraudster instead.

✓ Independent Elements

As mobile devices hold many forms of authentication, it is important that the breach of one factor does not compromise the integrity of others, too. To comply with PSD2, there should be some form of application screening to stop this from happening. 

How to prepare for PSD2

There are many ways that banks and other payment providers can prepare for PSD2.

Reassess your goals

PSD2 is opening the door for innovation in the payments space, and banks should look to make the most of the opportunities that it brings. Online and digital payments are the future, so striving to provide the best service and the most useful tools for consumers and merchants should be a priority. Creating the workflow with the least friction possible whilst still complying with SCA requirements is a way to stand out from the crowd. 

Keep customers informed

Although those in the financial world need to understand the ins and outs of PSD2 compliance, it may well have passed customers by. However, customers will notice when changes are made to the way their bank accounts work. They may be concerned about the security implications of open banking, for example. 

So, you should explain the changes to them in clear and precise language. This helps you ensure that they won’t be surprised when the changes come through in their apps and online banking accounts. 

Prepare your IT infrastructure 

Banks and fintech companies will face additional IT pressures to prepare themselves for the full implications of PSD2. Auditing your IT infrastructure will help you ensure it is robust enough to cope and it is essential as you attempt to navigate the compliance process. 

Integrate digital identification

If you don’t already use digital identification when onboarding customers, now is the time to start. ID Proof from Evidos allows customers to prove their identity using electronic identification (e-ID) methods accepted in all the major markets. Customers can easily verify their identity and you are provided with an identification file featuring independent evidence that they are who they say they are. This makes for a better customer experience for them and higher retention for you.

FAQs

Does PSD2 impose reporting or legal requirements?

Payment service providers must monitor transactions to check that their security processes are working and to establish fraud risk factors. In addition, PSPs must review their performance, with the directive stating that this “shall be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the payment service provider by auditors with expertise in IT security and payments and operationally independent within or from the payment service provider.”

Does online customer identity verification matter for PSD2 compliance?

The need for online customer identity verification is already a requirement under the EU’s Anti Money Laundering Directives, ensuring that financial institutions meet their know your customer (KYC) requirements. With customers having to provide express permission for third parties to access their payment accounts, this verification process and PSD2 are intertwined. 

How do I know if I’m required to comply with PSD2 and SCA?

If you are a bank or a third-party provider that works within the EU (specifically the European Economic Area) or the UK, you will need to comply with PSD2 and SCA. Merchants also need to make sure that their processes are PSD2 compliant or risk banks refusing to accept transactions. 

Does PSD2 apply to all transactions?

There are a number of SCA exemptions within the new requirements of PSD2. These include: 

  • Low-value payments
  • Some contactless payments
  • Payments at unattended transport points
  • Recurring payments
  • Payments to trusted beneficiaries
  • Low-risk transactions
  • Transfers between accounts held by the same entity

Conclusion

PSD2 compliance is essential, especially as more member states begin to fully implement it into their national legislation. It will take some work to achieve, but the results of the new regulation will make the payments sector a more secure and trusted space. By understanding your obligations, you can ensure that the transition is smooth for your organisation and your customers. 

The ability to identify customers is at the heart of PSD2 and IDProof is a tool that integrates with your systems easily to do just that. Learn more here

References and Further Reading

Share This