PSD2: An Overview of the Second Payment Services Directive

Although there is a lot of talk about PSD2, we understand that the information contained in the directive can be, and indeed is, overwhelming. To understand the primary motivation behind the PSD2 regulation, we covered key points relevant to you and your business on a single page. 

What is PSD2?

As stated by the official summary of the PDS2 directive, the main goal of the regulation is to provide a legal foundation for the further development of electronic payments within the EU. It is a comprehensive set of rules aiming to make payments within the EU simple, efficient, and secure. Motivated by offering a broader set of choices and better prices for consumers, PSD2 advocates opening up payment markets to new participants, to create more competition, leading to greater efficiency and strengthening consumer's trust.

The directive strives to enhance the existing set of EU rules regarding electronic payments. It emphasizes innovative and emerging payment services, such as internet and mobile payments. Rules stated in the directive concern security requirements, i.e., safeguarding consumer's financial data, promising secure authentication, and reduction of online payment fraud rates. Transparency is another key point that PSD2 advocates in order to provide accurate and timely information about requirements regarding the payments services. PSD2 establishes the rights and obligations of participants involved in the online payment environment. The users, as well as providers of payment services.

Several notable suggestions regarding leveling the payments playing field are pointed out, and those are the following:

1. Expanding the EU payments market – PSD2 advocates opening the payment market to new participants in an effort to decrease the monopoly banks have over the customer's accounts and payments services, promising increased efficiency without compromising the security of online payments,
2. Empowering consumers – consumers have reduced liability for non-authorized payments, unconditional refund rights for a predefined period of time (8 weeks), eliminated surcharges for the use of a consumer credit/debit card,
3. Restricted interchange fees – PSD2 limits interchange fees between banks for card-based transactions in an effort to reduce merchant costs for accepting credit/debit cards as a means of payment.

What happened to PSD?

The first payment services directive dates from 2007. While it set out good practices and regulated guidance on rules regarding payment services, as of today, it is obsolete. With the rapid evolution of ''all things digital'', new e-commerce trends, authentication methods, and the overall innovative approach to payment markets, PSD was outdated and needed an upgrade. Now that we had a brief history lesson let's get back to our main topic.

PSD2 participants

With new regulation came new terminology, and below are the ones concerning PSD2:

AISPs (Account Information Service Providers) – Providers that can ask for permission to connect to a bank account using an API. They use that bank account information in order to provide a service. Having access to such data implies a ''read-only'' approach, i.e., they can't move the fund from the account.

ASPSPs (Account Servicing Payment Service Providers) – A customer's issuing bank that provides and maintains payment accounts. They publish APIs so that the customers are able to share their account data with TPPs in case they want them to initiate payments on their behalf.

PISPs (Payment Initiation Service Providers) – Authorised PISPs are able to move funds on the customer's behalf upon connecting to the bank account. An example of a practical use case is the automatic transfer of funds to a customer's savings account.

TPPs (Third-Party Providers) – Third-Party Providers are either/both Payment Initiation Service Providers (PISPs) and/or Account Information Service Providers (AISPs).

PSUs (Payment Service Users) – Users of any of the above mentioned service providers.

What changes PSD2 brings?

PSD couldn't foresee trends in the payment industry ten years in advance, and that is why PSD2 steps in. It brings a fresh set of rules in an effort to enable modern, innovative payment services to users. PSD2 provides them with the highest level of security in terms of online payment fraud, which is constantly present. A comprehensive list of the most important payment threats published by the Europen Payments Council makes you think twice before entering your card data to process an online payment, and it should. Take a look.

The 2019 Payment Threats and Fraud Trends Report provides an overview of the most important threats in the payments landscape, including:

1. social engineering,
2. malware,
3. advanced persistent threats (i.e. sophisticated targeted malicious attacks aimed at a specific individual, company, system, or software),
4. mobile device-related attacks,
5. denial of service attacks,
6. botnets (i.e. a network of private computers infected with malicious software and controlled as a group),
7. threats related to cloud services and big data, IoT, virtual currencies

Strong Customer Authentication

In order to combat fraud, PSD2 introduced Strong Customer Authentication (SCA). PSD2's weapon of choice protects customers by demanding them to authenticate with two out of three authentication elements, namely:

1. Knowledge - something the user knows (PINs and passwords, for instance)
2. Possession- something the user owns (a token or a mobile phone)
3. Inherence - something the user is (biometric authentication including fingerprint, face recognition, voice scan)

Initially, this put pressure on issuers and merchants. They were wary of the effects it will have on the overall traffic. The added authentication steps could potentially drive away the customer from their purchase. But there is a cure for this disease, and it comes in the form of SCA exemptions within the scope of the SCA mandate.

SCA exemptions

SCA exemptions include various scenarios where SCA is not necessary. The customer is not asked for an additional authentication step during the processing of a payment. SCA exemptions are the following:

1. Low-risk transactions – within other innovative approaches in the payments industry, shared information about customer's account data-enabled risk scoring or the so-called Risk-Based Authentication. It enables risk assessment of an individual transaction, deeming a transaction either high, medium, or low risk. In case a transaction is classified as low risk based on predefined parameters, additional authentication is not needed.
2. LVP (Low-Value Payment) – transactions less than or equal to 30EUR are considered low-value transactions and do not require additional authentication. This rule is applicable for up to five consecutive payments equal to or less than 30EUR and in cases when the cumulative value since the previous SCA is equal to or less than 100EUR.
3. Trusted Merchant Listing – The cardholder is able to trust list a merchant (if they are eligible for whitelisting, this is managed by the issuing bank) and avoid additional authentication because they believe that the merchant is known and can be trusted.
4. Corporate payments – processing payments with a card that belongs to an entity rather than an individual.
5. Recurring payments – Subscriptions, loans, and similar payments with a fixed amount require SCA only for the first payment. In cases where the amount changes, SCA is mandatory for each individual change.

Out of scope - SCA

There are other scenarios that are out of the scope of the SCA requirement but are not classified as SCA exemptions.

1. Merchant-initiated transactions – payments initiated by the merchant on the customer's behalf based on an agreement.
2. Mail order/Telephone order – commonly known as MOTO transactions, they are out of the scope of the SCA requirement.
3. One leg out transactions – Cases where either the card issuer or acquirer (or both) are outside the EEA.
4. Anonymous transaction – Cases where a gift card is issued to a customer without identifiable cardholder credentials.

3D Secure 2.0

3D Secure is a protocol that enables Strong Customer Authentication and protects online payments by adding an additional layer of security. It is the main determinant for PSD2 compliance and enables both payment service providers and merchants to achieve alignment. You can get more insight on the latest version of the 3D Secure protocol in our blog post. 

How to achieve PSD2 compliance?

If you're a merchant or a PSP, main question of the day is: Am I PSD2 compliant? If not, how do i become PSD2 compliant?

Merchants need to decide between two options. One option suggests that they pick a PSD2 compliant PSP. This relieves them from all the administrative aspects of compliance and enables them to focus on their primary business. The second option advises merchants to integrate authentication into their checkout process. This requires more effort financially but enables them to be PSD2 compliant and in charge of the customer's checkout experience.

If you're an issuing or an account-holding institution, you want to follow the following steps: create APIs in order to enable transactional payment data access, provide access to accounts to TPPs, make sure you have a Consumer Identity and Access Management solution set up in place, and finally implement the network and API security infrastructure.

Lastly, Third-Party Providers must take care of their PISP or AISP license. They need to establish a trust framework with banks and financial institutions. Next, they need to develop secure apps including user consent and fraud monitoring. Lastly, TPPs need to implement a consumer IAM solution.

Key takeaways

Although PSD2 is causing a stir in the online payments industry by demanding fast onboarding and regulatory compliance, it brings an array of new opportunities for new players in the payments environment. Increased competition most definitely increases efficiency and boosts customer trust. By introducing innovative approaches in regards to online payment security, it reduces payment card fraud, as well as opens doors for further improvement in the risk assessment department enabled by extensive data sharing. Even though PSD2 enforces strict rules and binds the participants to comply, it is done in an effort to assure more quality services that do not compromise on security.

eBook: How to choose the right 3D Secure software

This eBook contains all the critical elements you need to consider while making intelligent, well-informed decisions regarding implementing 3D Secure technology.

eBook: How to choose the right 3D Secure software

To find out more about Trides2 portfolio, contact us or visit our blog section.