On November 16, 2015, the Council of the European Union passed PSD2. Member states had several years to incorporate the directive into their national laws and regulations. The implementation period of the "Payment Service Directive 2" ends on September 14, 2019. The purpose of the directive is to regulate and secure payment transactions across the EU, in particular through the use of strong customer authentication. There is currently some uncertainty regarding the terms PSD2, 2FA, and SCA in the field of online trading. Reason enough to shed light on some of those pesky acronyms.
Some background info
In recent years numerous new payment methods and providers of payment services have established themselves on the market. Generally speaking, modern state-of-the-art payment services are not being offered by traditional banks, which are already subject to extensive state regulation, but rather by so-called FinTechs (finance startups). To regulate providers of new and innovative payment services, a corresponding directive has been created at the EU level. The "First Payment Services Directive" entered into effect in 2007 and was subsequently replaced. PSD2 now strives for even more rigorous consumer protection, in particular concerning the security of payments. Electronic payments are to become safer and more transparent. At least on paper, the legislation's goal is to encourage healthy competition and to lower entry barriers for up-and-coming payment service providers. PSD2 has been in force since January 2018. From that point forward, online merchants in the EU were no longer allowed to impose surcharges for payments by bank transfer, direct debit, or credit card. But there's more.
Strong customer authentication at the heart of PSD2
PSD2 sets new technical standards for mandatory strong customer authentication. For this purpose, the Delegated Regulation (EU) 2018/389 on Strong Customer Authentication and Secure Open Standards for Communication was published in the Official Journal of the European Union early last year. This regulation will become applicable shortly, and SCA must, therefore, be implemented by mid-September of this year.
Mandatory strong customer authentication aims to cut down and contain most fraud cases in electronic transactions by allowing payments to be authorized only in a secure way. Before the payment can be triggered, a multi-level verification process must first be performed to ensure the eligibility of the payment initiation. SCA ensures that the person claiming to be the authorized party at the start of the payment transaction is indeed entitled to initiate it. Two-step verification is becoming standard practice.
Two-factor authentication (2FA)
What's new is that a mandatory second level is added to customer authentication when it comes to triggering payments by the customer. The legislator provides for three categories from which the verification may originate:
According to Article 4 of PSD2, Strong Customer Authentication is achieved as soon as the verification process requires at least two different elements. 2FA significantly reduces the risk of abuse by third parties who have illegally acquired credit card info or the actual physical card. Likewise, it becomes exceedingly difficult to exploit a stranger's PayPal account once the login info has been stolen.
It's the payment provider's responsibility
Good news for online retailers: PSD2's requirements are addressed to providers of payment services such as credit card companies, banks, PayPal, etc. However, online retailers should make sure that they use only "PSD2-compatible" payment providers by the end of 2019. Any recurring payments that are considered 'merchant-initiated' (i.e., direct debit payments) or payments carried out in person with a card will not require SCA compliance. According to SiliconCanals, 'European internet commerce is expected to grow $1 trillion by 2022, and online fraud with it.' The European Central Bank now estimates around €1.3 billion in online fraud on European cards each year. This new European regulation will hopefully minimize scamming opportunities and create a more secure environment for online payments.
Small amounts of less than €30 are exempt from SCA requirements.
It is also possible for the customer to whitelist a payee (e.g., their preferred online store) so that no SCA is required when authorizing payments to that recipient. It should also be noted that PSD2 only regulates payments within the EU. If, for example, an American pays at a German online shop, that payment is not covered by the requirements of PSD2. In the case of payments from Great Britain, another legal framework could apply in the future.
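To make the rules above concrete, here is an added example (it is not code from the original post or from any payment provider): a small policy engine that applies the two-element test from the "Two-factor authentication" section together with the exemptions listed here (merchant-initiated and in-person card payments, amounts under €30, whitelisted payees, and payments outside the EU). The three element categories, knowledge, possession and inherence, come from Article 4(30) of PSD2; the page itself does not list them. The `Category`, `Element`, `Payment`, `is_strong`, `sca_exemption` and `authorize` names are the example's own. The real regulation also attaches cumulative limits to the low-value exemption, which this toy does not model.

```python
# Added example (not from the original post): a toy policy engine that
# applies the PSD2/SCA rules as this page states them. The three factor
# categories come from PSD2 Article 4(30); the exemptions and the EUR 30
# threshold are taken from the text above. All names are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Tuple


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (password, PIN)
    POSSESSION = "possession"  # something only the user has (card, phone, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


@dataclass(frozen=True)
class Element:
    """One authentication element presented during the payment."""
    name: str
    category: Category


@dataclass(frozen=True)
class Payment:
    amount_eur: float
    payee: str
    merchant_initiated: bool = False   # e.g. recurring direct debit
    in_person_card: bool = False       # card presented at a terminal
    payer_in_eu: bool = True
    payee_in_eu: bool = True


SCA_THRESHOLD_EUR = 30.0  # page: amounts below EUR 30 are exempt


def is_strong(elements: Iterable[Element]) -> bool:
    """Article 4 test: at least two elements from *different* categories.

    A password plus a security question is two elements but one category
    (knowledge), so it does not count as strong customer authentication.
    """
    elems = list(elements)
    categories = {e.category for e in elems}
    return len(elems) >= 2 and len(categories) >= 2


def sca_exemption(payment: Payment,
                  trusted_payees: Iterable[str] = ()) -> Optional[str]:
    """Return the reason SCA is not required, or None if it is required."""
    if not (payment.payer_in_eu and payment.payee_in_eu):
        return "outside PSD2 scope (payer or payee not in the EU)"
    if payment.merchant_initiated:
        return "merchant-initiated transaction"
    if payment.in_person_card:
        return "card payment made in person"
    if payment.amount_eur < SCA_THRESHOLD_EUR:
        return "low-value payment"
    if payment.payee in set(trusted_payees):
        return "payee whitelisted by the customer"
    return None


def authorize(payment: Payment, elements: Iterable[Element],
              trusted_payees: Iterable[str] = ()) -> Tuple[bool, str]:
    """Decide whether the payment may proceed and say why."""
    reason = sca_exemption(payment, trusted_payees)
    if reason is not None:
        return True, f"exempt from SCA: {reason}"
    if is_strong(elements):
        return True, "SCA satisfied"
    return False, "SCA required: need two elements from different categories"


if __name__ == "__main__":
    # Constructed sample elements and payments.
    password = Element("password", Category.KNOWLEDGE)
    security_question = Element("security question", Category.KNOWLEDGE)
    phone_otp = Element("one-time code on registered phone", Category.POSSESSION)

    checkout = Payment(amount_eur=45.0, payee="shop.example")
    print(authorize(checkout, [password, security_question]))   # rejected
    print(authorize(checkout, [password, phone_otp]))           # allowed
    print(authorize(Payment(9.99, "shop.example"), [password]))  # exempt
    print(authorize(checkout, [password], trusted_payees=["shop.example"]))  # exempt
```

The point worth noticing is in `is_strong`: counting elements is not enough, because two elements from the same category (a password and a security question) give an attacker who has phished one of them a good chance at the other. The exemption checks run first, in the order the page lists them, and each returns its reason so that a log line can record why a payment skipped SCA.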
Common and Secure Communication
Another essential element of the directive is the demand for Common and Secure Communication (CSC). The CSC requirements are designed to regulate the interaction between different payment service providers. The goal is to facilitate the introduction of two new types of payment services (Payment Initiation Services and Account Information Services). These new service providers can, with the consent of a payment service user, share access to the customer's payment account, which is provided and maintained by the customer's Account Servicing Payment Service Provider (ASPSP). And with this monstrous word-salad out of the way, let's pause here. Financial services are sometimes, and understandably, accused of being a dark art, with complicated terms and an impenetrable language all of its own. How about we tie this up in a neat little bow?
Pros and Cons for Consumers
+ Opportunity to consolidate all accounts in one place with continued protection under their product terms and conditions
+ Wide selection of convenient browser or app interfaces to monitor (bank) account details
+ Direct integration of bank accounts with merchant acquiring sites is comfortable and efficient
– Confusing responsibilities between PISPs (Payment Initiation Service Provider) and the ASPSPs in the event of loss
Advantages for Merchants
+ Diminished costs compared to card interchange
+ Immediate settlement into merchants' account
+ More direct relationship with the customer
Pros and Cons for Banks
+ Opportunity to create competitive solutions by implementing new technologies and utilizing APIs
+ Brand advantage, customer trust
– Increased competition (not only with other banks)
– IT costs are expected to increase due to new security requirements and opening of APIs
– By the year 2020 9% of retail payment revenues are predicted to be lost to PISP services
– Reduced customer/consumer interaction (screen time)
PSD2 requires that banks allow customer-requested third-parties the connectivity needed to access customer account data and initiate payments. This will level the playing field in the financial services industry on a distribution level within the EU. Open Banking is, however, a global phenomenon, and similar regulatory movements can be observed all around the world. While the FinTech disruptors have proven they can lower costs and improve user experience, they may lack in customer trust as well as certain platform capabilities which established banks already possess.