The Revised Payment Service Directive (PSD2) is a legislative framework designed to protect the payments industry, both consumers and providers. Established in 2018, PSD2 brought about a set of regulatory changes that would address the rise of open banking and create healthy competition from new industry entrants (e.g. fintech companies) who could instigate rapid innovation.
For merchants, such significant reform to the original PSD by the European Union offers both benefits and challenges. There are plenty of new opportunities, but the compliance and regulatory changes will impact merchants and business markets, even those outside the EU.
Let’s explore PSD2 requirements and how you can best prepare for the changes affecting the payment industry.
Who Must Comply With PSD2?
PSD2 applies to all businesses that deal with financial services. The directive covers jurisdictions in the European Union and extends to consumers in EU member nations. So if you are an American enterprise with European business, you must by extension achieve compliance.
The language of PSD2 relates to specific financial entities: Credit institutions, payment institutions, and third-party service providers. Each entity can also take on several roles within the payments system, adjustments designed to help new forms of service providers gain industry access. Previously, most payment transactions (and the associated data) relied upon financial institutions. But under the new directive, new account holding institutions can also offer payment services to consumers. Such changes increase competition and can regulate the new players with strict data security requirements.
PSD2 does have a knock-on compliance impact for businesses. Even though merchants do not manage the payments industry, the banks and financial institutions you utilize do, and they will now disregard any payment transactions that do not meet PSD2. By regulating the key financial players, consumers remain protected, all while opening the industry to far more payment account holders that can bring about rapid change.
What Regulation Changes Do the New PSD2 Requirements Make?
PSD2 states six regulatory changes within EU internal payment markets:
- Positive Scope: The directive expands regulations regarding who falls under its regulatory scope. Regardless of the currency used, businesses and consumers located or dealing with EU member nations fall under PSD2 and must abide by its outlined transparency rules.
- Third-Party Providers: PSD2 introduced (and now regulates) new market players, most notably Payment Initiation Services (PISP) and Account Information Services (AISP), both of which aggregate financial data and facilitate online banking.
- Responsibility: PSD2 strengthens the first PSD’s language regarding which financial service players are responsible for the protection and monetary damages in the event of fraud, helping further protect the payments environment.
- Security: PSD2 announces new directives regarding the protection of data. In particular, the Central Electronic Register is established to house and protect customer data related to financial transactions.
- Fees: PSD2 also declares restrictions on tariffs and potential surcharges applied to customers (and who shares in those earnings). Exemptions to regulations under specific conditions are outlined, such as the value of a single contactless transaction that does not require two-factor authentication.
- Negative Scope: Certain entities are exempt from PSD, and PSD2 restructured those restrictions. Entities with exemptions include commercial agents, charities, and digital telecommunications (there are additional detailed changes for automated teller machines).
What Additional Requirements Does PSD2 Put On Merchants?
For merchants, such regulation changes force you to take a number of actions to remain compliant with any EU member nation business branch or consumer base. Most PSD2 details refer to how you and your customers securely share and interact with payment accounts and financial data.
- Open APIs: Application Programming Interfaces (APIs) help differing technology solutions to communicate with each other. Within the payment industry, this means that AISPs can access collected customer information for improved service, assuming the customer gives permission.
- Multi-Factor Secure Customer Authentication: A core aspect of PSD2 is the inclusion of Secure Customer Authentication (SCA). All payment processors (and by extension, businesses who collect customer transactions), must obtain at least two authentication factors for user logins, helping protect all payments infrastructure.
- Increased Transparency: For merchants and enterprises, you must now create store policies, sales terms and conditions, and details about currency exchange rates according to specific regulatory requirements.
- Complaint Resolution: Customer complaints and disputes remain a point of contention between consumers and businesses, and PSD2 addresses the timely resolution and proper reporting to law enforcement and other EU regulatory institutions.
- Surcharge Restrictions: Under specific conditions, enterprises can no longer apply surcharge fees. For example, delivery websites cannot charge extra when a customer uses a debit or credit card for payment.
What Is Strong Customer Authentication?
Most businesses and enterprises are affected by the necessity for strong customer authentication compliance outlined by PSD2. To accept payments, you now need to obtain at least two authentication aspects for any customer-initiated transaction.
|Something The Customer Knows||
|Something The Customer Has||
|Something The Customer Is||
For example, if a client wants to make a card-not-present purchase, they must provide two data points to reach authentication. The two data points must come from different authentication categories—collecting a password and a PIN does not meet compliance. But if the customer submits both a password and a fingerprint scan, they are authenticated and can proceed with payment.
Since nearly every business-to-consumer payment transaction falls under the scope of SCA, it must become an integrated system within your checkout flow. Most merchants can utilize 3-D secure, a compliant verification protocol for online debit and credit card use.
While SCA might feel like an extended hassle, it is a crucial solution that can limit and deter fraud within the payments industry. A safe transaction environment will lead to improved sales via user confidence.
There are specific conditions that allow a business to remain exempt from employing strong customer authentication.
- Recurring Transactions: Since recurring payments (i.e. memberships, subscriptions, monthly services) are merchant-initiated, they are considered SCA exempt. To stay compliant, the enterprise must utilize SCA for the initial payment, and the sum transacted for each billing period must remain the same. Any change will once again require proper authentication.
- Contactless Payment Transactions: If a customer makes a contactless payment (e.g. smartphone digital wallet) at a verified point-of-sale (POS) terminal, then strong customer authentication is not required. Restrictions do apply in this scenario, as the value of the exchange cannot exceed 50 Euros and the total value of sequential transactions cannot surpass 150 euros. After five transactions, authentication is once again required.
- Low-Value Remote Payment Transactions: Transactions initiated from remote or long-distance communication devices (i.e. online) are exempt from SCA as long as the value of the transactions does not exceed 30 Euros. The total amount of transactions cannot exceed 100 euros or five consecutive exchanges for partial payments.
- Customer Account Access: Merchant and customer accounts facilitate online payment systems. If a user wants to access an account linked to a merchant shop, they only need to input SCA for the initial login. If the user does not access the account for ninety days, they are once again required to log in with strong customer authentication.
- White-Listed Merchants: Customers and businesses, under specified conditions, can white-list known merchants that they engage with often. All merchant transactions are explicitly allowed in advance and do not require repeat SCA.
- Corporate Transactions: Designated corporation-to-corporation transactions do not require strong customer authentication
- Designated Authority: Issuers can provide third-party institutions to perform SCA on their behalf, a way to outsource any SCA requirements.
PSD2 Breach Penalties
Article 103 of the payment services directive states that each EU member state will determine and enforce the applicable penalties for non-compliance. Any infringement will be publicly disclosed and must be dissuasive. There are reports that penalties and fees can reach up to 4% of global turnover, so it is best to follow the technical API and data reporting compliance protocols.
In particular, payment service providers are required to report a data breach within four hours of becoming aware of a major incident. Intermediate reports are also expected within three-day intervals. Failure to comply with data breach reporting can result in further penalties.
If needed, you can request an exemption from PSD2, but you must showcase several data security measures with any application:
- Transaction Monitoring
- Proof of low-risk transactions
- Fraudulent transaction submission to the European Banking Authority
- Systems audits and proof of security implementation
- The inclusion of one-time passwords for each transaction to help deter repeat hacking by bad actors
In most cases, achieving standard API and SCA compliance is far more efficient for your business and customers.
While PSD2 does require merchants and financial institutions to incorporate more IT infrastructure, security, and data protection, it serves as an excellent way to protect the payments environment. In addition, it allows new players to enter the industry, helping drive innovation within open banking. Even if you do not have European customers or business units, PSD2 informs necessary and useful security practices for all businesses that utilize online payments. Reaching compliance is an efficient and safe way to build an exceptional business-to-customer experience.