Payment Services Directive 2 (PSD2) and SCA explained [2021 Update]

PSD2 is a European Union directive aiming to regulate the industry of online payments across the EU and the EEA.

With much of 2020 spent at home, the rapid reactions of businesses shaped a 'make or break' experience for new and existing customers as contactless and alternative payment methods soared in popularity during the pandemic. It is hard to believe that only a few years ago nearly all payments were managed or processed through a bank, with some transfers taking several days to settle. Since PSD2 took effect in 2018, its aim has been a more transparent online payments ecosystem for consumers in the EU, with changes to costs, protection from surcharges and a reduced risk of fraud. Perhaps the most significant customer demand PSD2 answered, by changing how third parties access banking APIs, was real-time, personalised and seamless payments. The directive also sought to improve consumer protection, create a more secure payment environment and lower the cost of payment services. As a result, PSD2 affects payment service providers (PSPs), banks and building societies, payment institutions and e-money institutions, and their business-to-business (B2B) customers. Here, we've put together everything you need to know about PSD2 and the rules aiming to enhance online security and regulate online payment services.

What is PSD2?

PSD2 is an EU directive that regulates online payments across the EU and the European Economic Area (EEA). It has applied since January 2018, and its purpose is to create a more integrated and seamless payments experience across all EU member states. PSD2 also introduced Strong Customer Authentication (SCA), a measure intended to make payments more secure and reduce fraud. With the implementation of stronger identity checks, PSD2 adds a step to the payment journey. However, the directive has several benefits that businesses can harness with the right payment service provider.

What's the difference between PSD1 and PSD2?

The payments ecosystem evolved rapidly between 2007, when the first directive was adopted, and 2018, when the second began to apply. PSD2 is an updated version of PSD1 that broadens its scope: it recognises third-party players, covers a wider range of payment transactions and addresses shortcomings of PSD1 that emerged as technology developed. The first Payment Services Directive was adopted in November 2007 and had to be transposed into national law by 1 November 2009. It set the legal grounds for an EU single market for payments, aiming to establish easier, safer and more innovative cross-border payment services. Its key functions were:
  • Before PSD1, only banks could provide payment services. PSD1 paved the way for fintech companies to enter the payments market and carry out financial transactions.
  • Banks and other PSPs were required to be transparent about their services and fees, including maximum payment execution times, fees and exchange rates.
  • It accelerated the development of the Single Euro Payments Area (SEPA) to facilitate the execution of payments.
However, PSD1 came with drawbacks. EU member states applied certain rules differently, leading to regulatory arbitrage and legal uncertainty, which impaired consumer protection in some instances. PSD2 updated the definitions and also covers transactions with third countries when one party is located within the EU, known as "one-leg transactions".

Why is PSD2 important?

PSD2 is an important step towards a single digital market in the EEA, which aims to make the EU's single market fit for the digital age. The new measures also ensure all PSPs active in the EU are subject to supervision and appropriate rules. The implications are wide-reaching for banks, other PSPs, fintech companies and customers, and harder to manage without the right payments partner helping companies navigate PSD2. In brief, here are the changes introduced by PSD2:
  • Two-factor Strong Customer Authentication (SCA) to be implemented across the majority of online transactions in the EEA.
  • Retailers may directly ask shoppers for permission to use their bank account information.
  • PSD2 outlines two types of regulated third-party providers (TPPs) that will be granted direct access to customer accounts: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).
  • No more card transaction surcharges for B2C transactions.
  • Improvements to consumer protection on payments.

What are Regulatory Technical Standards (RTS) of PSD2?

In November 2017, the European Commission adopted the Regulatory Technical Standards (RTS) for PSD2. The RTS directly affect PSPs, card issuers and acquirers in all EU member states. However, certain regulators, including the UK's FCA, have allowed transitional measures for a phased implementation of the rules for card-based eCommerce transactions. The RTS are the technical implementation standards of PSD2 and SCA; they applied from 14th September 2019, with enforcement for eCommerce card payments expected by 31st December 2020 in the EU. The RTS define SCA as an authentication that:
  • a) Is based on the use of two or more elements categorised as i. knowledge (something only the user knows), ii. possession (something only the user possesses) and iii. inherence (something the user is);
  • b) Ensures the elements are independent from one another, in that the breach of one does not compromise the reliability of the others; and
  • c) Is designed in such a way as to protect the confidentiality of the authentication data.

PSD2 and screen scraping

Screen scraping is now prohibited under PSD2, which sets the legal ground for Open Banking across Europe. Screen scraping is the programmatic use of a website by software that impersonates a web browser to extract data or perform actions a user would usually perform manually. It relies on the customer handing their online-banking credentials to the third party, which is why, despite being common practice, it has been the subject of heavy litigation in Europe: the process was considered contrary to many issuers' general terms and conditions. Under PSD2, banks are required to grant third parties access to customer data, given the customer's explicit consent, via dedicated APIs through which the third party identifies itself to the bank, and only for the particular service at hand. If you are interested in open banking, see the Open Banking section below.

PSD2 compliance

To comply with SCA and PSD2, the best option for merchants is to implement 3DS 2 (3-D Secure 2), the authentication protocol designed to meet the PSD2 and SCA requirements. It gives issuers around ten times more data points than 3DS 1 for their risk-based decision on whether to present a challenge window, which reduces the number of challenges while still reducing the risk of fraud. It is also optimised for mobile devices to improve the user experience, and all of this comes on top of the liability shift for fraud-related chargebacks. For desktop or older smartphone users without biometric capability, 3DS 2 still provides a way to complete the challenge (for example with a one-time passcode). So, while it is no silver bullet, 3DS 2 will help merchants fulfil the two-factor authentication requirements without adding another integration to an already stacked development queue.

PSD2 implementation date

Although PSD2 became part of each member state's legislation on 13th January 2018, there was a transition period until 14th September 2019 before the SCA rules came into force. The enforcement deadline was then extended, to 31st December 2020 in the EU and to 14th March 2022 in the UK. As mentioned in our SCA guide, the UK extension was given to allow companies more time to complete the transition in the face of the global pandemic.

PSD2 regulations within the UK

The new law has applied in the UK and the rest of Europe since 13th January 2018. However, additional rules currently under development are expected to apply. The last update from the FCA was on 27th November 2020, confirming that even in the event of a no-deal Brexit, SCA would still come into effect on the given deadlines. It also reflected the increase of the contactless card payment limit to £45. It is worth keeping the FCA's page on the RTS for SCA and Common and Secure Open Standards of Communication (CSC) to hand, or reading the service update information from your payment service provider, if and when the requirements change.

GDPR and PSD2 - the challenges ahead

PSD2 and the EU GDPR (General Data Protection Regulation) were both introduced in 2018 as separate sets of legislation concerning consumer data. GDPR aims to protect personal data, making it easier for consumers to know when their data is being used and to object to its use. PSD2 regulates the payments market but also creates access to personal data, allowing third parties to enter the payments market and provide new account information and payment initiation services. Any access these third parties have to personal data must comply with GDPR. As of 1st January 2021, GDPR was split into two regulations, EU GDPR and UK GDPR, to reflect the UK leaving the EU after Brexit.

What is SCA?

SCA stands for Strong Customer Authentication, an indispensable part of the PSD2 legislation. In a nutshell, SCA requires online payments where both the card issuer and the merchant's payment provider are located in the EEA to be authenticated using two independent factors. SCA introduces mandatory two-factor authentication in online payments: the consumer must present two of the three factor categories below:
  • The knowledge factor (something only the user knows, e.g. a password or a PIN)
  • The possession factor (something only the user possesses, e.g. the card or an authentication code generating device)
  • The inherence factor (something the user is, e.g. a fingerprint or voice recognition)
These factors must be independent: the breach of one element does not compromise the reliability of the others. The introduction of SCA is an opportunity for merchants, as it protects your customers against theft and your business against fraudsters and potential chargebacks.

Exemptions from SCA

All online payments are subject to SCA unless an exemption applies. The legislators have set certain exemptions; it is the card issuer that applies them, so a merchant or its PSP can request an exemption but the issuer may still require SCA. We've put together an explanation of the core exemptions below, and outlined more in our SCA guide:
  • Recurring transactions (e.g. memberships, subscriptions), however:
    • The first transaction of the series must be authenticated with two-factor (or multi-factor) authentication.
    • The amount of each subsequent recurring transaction must be the same every billing period for it to be exempted from SCA.
  • Contactless electronic payment transactions at a point of sale (POS), but:
    • A single transaction cannot exceed 50 euros
    • The total amount of transactions cannot exceed 150 euros or five consecutive transactions without authentication
  • Remote electronic payment transactions of low value (i.e. payment transactions initiated on the internet or through a device that can be used for distance communication), however:
    • A single transaction cannot exceed 30 euros
    • The total amount of transactions cannot exceed 100 euros or five consecutive transactions without authentication
  • Customers accessing the balance of their payment accounts online (for example through an account information service linked to your webshop):
    • The first time your customers access the balance of their payment accounts, two-factor authentication must be applied.
    • If 90 days have passed since your customers last authenticated to access the balance of their accounts, two-factor authentication must be applied again.
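As an added example (not emerchantpay's code and not part of the original article), the following Python models the exemption rules listed above together with the two-category test for SCA itself from the RTS definition earlier on the page. The channel names, the CardState counters and the six-payment sequence are constructed for illustration. In practice the issuer holds these counters and makes the final call, so a merchant's version of this logic only predicts which exemption to request and must tolerate the issuer answering with a challenge anyway.

```python
"""Pre-check for the PSD2 SCA exemptions listed above (added example, not
emerchantpay code). Limits are the article's figures; the issuer keeps the
authoritative counters and may still demand SCA, so this only decides which
exemption is worth requesting."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Optional

# channel -> (single-transaction max, cumulative max since last SCA, exemption name), EUR
LIMITS = {
    "remote": (Decimal("30"), Decimal("100"), "low_value_remote"),
    "contactless": (Decimal("50"), Decimal("150"), "contactless_pos"),
}
MAX_CONSECUTIVE_WITHOUT_SCA = 5
ACCOUNT_ACCESS_WINDOW = timedelta(days=90)
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def is_strong_authentication(factors):
    """True if the verified factors span two or more distinct categories.
    Two passwords are one category and do not qualify. Independence of the
    elements is a property of the authenticators, not checkable from names."""
    cats = set(factors)
    if cats - FACTOR_CATEGORIES:
        raise ValueError(f"unknown factor categories: {sorted(cats - FACTOR_CATEGORIES)}")
    return len(cats) >= 2


@dataclass
class Tally:
    total: Decimal = Decimal("0")   # cumulative amount since the last SCA
    count: int = 0                  # consecutive transactions since the last SCA


@dataclass
class CardState:
    """Per-card state; in reality the issuer holds this, not the merchant."""
    remote: Tally = field(default_factory=Tally)
    contactless: Tally = field(default_factory=Tally)
    recurring: dict = field(default_factory=dict)   # payee -> amount fixed under SCA
    last_account_access_sca: Optional[datetime] = None


def exemption_for(state, channel, amount, payee=None, now=None):
    """Return the exemption covering this transaction, or None if SCA is required.
    Stricter reading of the limits: the cumulative amount including this
    transaction and the count of consecutive ones must both stay in bounds."""
    amount = Decimal(amount)
    if channel in LIMITS:
        single_max, cumulative_max, name = LIMITS[channel]
        t = getattr(state, channel)
        ok = (amount <= single_max
              and t.total + amount <= cumulative_max
              and t.count < MAX_CONSECUTIVE_WITHOUT_SCA)
        return name if ok else None
    if channel == "recurring":
        # First payment of a series always needs SCA; later ones are exempt
        # only when the amount equals the one authenticated for this payee.
        if state.recurring.get(payee) == amount:
            return "recurring_fixed_amount"
        return None
    if channel == "account_access":
        last = state.last_account_access_sca
        now = now or datetime.utcnow()
        if last is not None and now - last < ACCOUNT_ACCESS_WINDOW:
            return "account_access_within_90_days"
        return None
    raise ValueError(f"unknown channel {channel!r}")


def record(state, channel, amount, sca_applied, payee=None, now=None):
    """Update the counters after a transaction; an SCA resets the relevant ones."""
    amount = Decimal(amount)
    if channel in LIMITS:
        t = getattr(state, channel)
        if sca_applied:
            t.total, t.count = Decimal("0"), 0
        else:
            t.total, t.count = t.total + amount, t.count + 1
    elif channel == "recurring" and sca_applied:
        state.recurring[payee] = amount
    elif channel == "account_access" and sca_applied:
        state.last_account_access_sca = now or datetime.utcnow()


def process(state, channel, amount, payee=None, now=None):
    """Decide, then record. Returns the exemption used, or "sca" if a challenge ran."""
    ex = exemption_for(state, channel, amount, payee, now)
    record(state, channel, amount, sca_applied=ex is None, payee=payee, now=now)
    return ex or "sca"


if __name__ == "__main__":
    # Constructed sequence: six remote card payments of EUR 20 on one card. The
    # sixth would take the cumulative total past EUR 100, so it gets challenged.
    card = CardState()
    print([process(card, "remote", "20") for _ in range(6)])
```

The counters are reset whenever SCA is applied, because every cumulative limit in the RTS is measured since the last authentication; forgetting that reset is the usual bug in home-grown exemption logic and produces far more challenges than necessary.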

Informing customers about SCA

Many merchants will use 3DS 2 to meet the SCA requirements. For those already using it, there will be little to no impact on their customers' experience. Those who have not implemented 3DS 2 yet need to start educating their customers as soon as possible to reduce the risk of drop-off. Here, merchants may find transactional data of great benefit: analyse your average transaction value (ATV) per payment channel in as much detail as possible, your customers' ATV, their spending habits and your transaction routing capabilities. Not every transaction will be affected, but consumers will need to verify themselves at some point, for example after a total spend of 100 euros or five transactions since their last authentication. Ways to optimise your payments include planning how you will route transactions and which customers will and will not be covered by the exemptions. It is also good to tell customers that this is a Europe-wide requirement, not just your business changing their usual experience. Letting them know that all eCommerce merchants must comply, and that you will do your best to keep their checkout as smooth as possible, demonstrates your proactive approach to payment security. This communication can also explain that they will not always see the 3DS 2 challenge window, and how to add your business to their card issuer's list of trusted beneficiaries (whitelisting) so that future payments to you can be exempted. Consumers use a wide range of sites and their spending varies with what they are purchasing, so your message needs to be carefully considered and distributed at the optimal time for your offering.

Things to consider before communicating with your customers

Did your competitors implement PSD2 from day one? Will you lose customers if you comply before them? Will you lose customers if you are not already providing the most secure payment experience? Are issuers and PSPs ready, or is the roll-out sporadic? These are just a few questions to consider, along with how acceptance rates will be affected per country. Our advice is to get on the front foot: educate your customers, ensure your PSPs are ready and trial your solutions to analyse the impact. This gives you time to fine-tune the user experience and prepare your business for the outcome of the changes before 14th March 2022. The issuers' reaction is out of your control, but at least you and your customers will be well prepared for all eventualities.

Open Banking and PSD2

PSD2 provides the legislative and regulatory foundation for Open Banking. The nine largest banks in the UK are implementing Open Banking through the Open Banking Implementation Entity (OBIE), as mandated by the Competition and Markets Authority (CMA). The mandate also requires those nine banks to publish an open API in the UK. Open Banking is the first collaborative implementation of open APIs seen across Europe. It aims to enable third-party companies to give more accurate personal financial guidance, tailored to customers' needs and delivered securely and in confidence through open APIs. Under PSD2, banks are required to grant third-party providers (TPPs) access to customer payment accounts, known as XS2A (Access to Account). Institutions wishing to act as Payment Initiation Service Providers (PISPs) or Account Information Service Providers (AISPs) must be authorised payment service providers (PSPs). In short, with the customer's explicit consent, a TPP can use Open Banking APIs either to present an overview of a customer's payment accounts held with different banks in one place (e.g. a mobile app) or to initiate payments directly from the customer's payment account (e.g. a retailer).

What is the difference between Open Banking and PSD2?

There are two main differences between Open Banking and PSD2. Firstly, PSD2 does not specify the creation of API standards. In other words, each bank may make its data available through different technical standards, which adds a layer of complexity to Open Banking adoption across European banks. Secondly, PSD2 only opens access to customer transactional data to specific institutions, which must also be regulated PSPs. The CMA, on the other hand, can grant access to a broader range of third-party companies through its 'whitelisting' process. For instance, the CMA has recognised that price-comparison websites (PCWs) do not fall within the scope of PSD2 and will therefore set up separate whitelisting arrangements under which PCWs can become authorised to access customer data.

What does surcharging mean?

Acquirers pay a fee to the cardholder's issuing bank on each card transaction. This is called an interchange fee. The interchange fee is usually passed on to merchants as part of their processing costs, and some merchants in turn pass it on to the customer or cardholder as an extra charge at checkout. This is surcharging.

What are the PSD2 new surcharging rules?

Overall, the second Payment Services Directive aims to regulate the payments industry across the entire EU. Until recently, many merchants classified surcharging as an additional card scheme fee. PSD2 bans surcharging on all B2C transactions and on certain B2B transactions.

B2C payments under PSD2

Aiming to protect consumers across the EU and the EEA, PSD2 prohibits merchants from charging consumers additional fees for paying by certain payment methods. For instance, merchants in the travel, retail or hospitality sectors are no longer allowed to charge consumers extra for paying with a debit or credit card. This applies to transactions within an EU or EEA member state or across its borders, online or in physical stores. The surcharging ban applies when:
  • The cardholder's issuing bank and the PSP of the merchant are both located in the EEA
  • The consumer pays with a consumer debit or credit card (e.g. Visa and Mastercard), or in euros by direct debit or credit transfer (SEPA payments)

B2B payments under PSD2

Although PSD2 mainly affects B2C surcharging, certain B2B payments are regulated as well. The surcharge ban applies to B2B payments in euros made by business entities using direct debit or credit transfer, where the bank of the business customer and the PSP of the merchant are both located in the EEA. However, B2B payments made with a corporate credit or debit card may still be surcharged.

How can emerchantpay help?

Working with a PSP that understands and caters for the PSD2 and SCA standards is key to navigating the evolving payment security measures. emerchantpay offers full support for merchants to provide a PSD2-compliant payment solution across all sectors. Reach out to our payment experts to learn how you can stay up to date with the latest on PSD2 and SCA.
