The Payment Services Directive II or PSD2 is a European directive that will change the current regulation of banking and payments. The PSD2 will have to be taken into account by all those companies that offer payment services.
In this article, we cover the essential points of the PSD2 regulation: its origins, how it can affect the payments industry and the payments landscape, and some ideas on this much-commented issue.
What is PSD2?
The Payment Services Directive II or PSD2 is a European directive aimed at regulating digital payment services. It is an important evolution in the existing payment regulations focused on offering better protection and security in transactions, promoting transparency, competition and the adaptation of financial services (payment service providers, banks, mortgage credit companies and other companies in the world of payments) to new technologies.
This update of the law reflects the importance that the world of ‘APIs’ (‘Application Programming Interfaces’) is acquiring in the different financial sectors.
The Payment Services Directive 2 (PSD2) allows retailers and consumers to bypass banks by allowing third parties access to their bank accounts, and to initiate payment orders in their name, subject to the authorisation of the account holder.
This change aims at reducing costs and increasing choice by widening the range of companies that can offer financial services.
The new directive entered into force as law in the Member States on 13 January 2018.
How does PSD2 affect you as a dealer?
The Strong Customer Authentication (SCA) rules will come into force for all digital payments in Europe. In order to accept payments after September 14, 2019, you must ensure that you have these technical solutions in place in your online business.
To accept payments from the world’s largest card networks Visa or Mastercard, you must have implemented the 3D Secure security solution for your online shop. 3D Secure has been used since 2001 to improve security for online card transactions. But now a new version has been developed to meet the requirements of PSD2 Strong Customer Authentication.
What is the difference between exemption and exclusion?
Exclusions are transactions that fall OUTSIDE the scope of the PSD2 SCA rules:
- Orders placed by e-mail or telephone
- Buyer or cardholder is located outside the EEA zone.
- Anonymous prepaid cards
- MIT (merchant initiated transaction) – transactions initiated by the merchant
Exemptions are transactions that fall WITHIN the scope of the PSD2 SCA rules but for which SCA may be waived:
- Transactions of low value
- Subscriptions
- Risk analysis
- Whitelisting
Difference between PSD2 and PSD
Although the core of the regulation is very similar to the PSD, the most significant changes are the following:
The creation of two new categories of payment services:
- Account Information Services. Account Information Service Provider (AISP) status allows new players to access account information, including balances and transactions, from one or more accounts and from one or more banks.
- Payment Initiation Services. Payment Initiation Service Provider (PISP) status gives new players the ability to initiate payments on behalf of the payer. Instead of initiating the payment from their bank, the user can initiate the payment through the PISP, which in turn transmits the instruction to the bank.
More security in online payments and account access.
Allowing new players to access customers’ bank accounts is always risky. To reduce risks, new security requirements have been introduced along with a higher level of control for AISP and PISP related integrations.
Why was it created?
The goal of PSD2 is to ensure that the customer is the centre of every transaction. While customer fees and costs have historically been somewhat opaque and difficult to calibrate, PSD2 aims to change this by introducing transparency, minimum service requirements and drastic measures in complaint procedures and data collection. It should reduce the overall costs of payment services.
What can I do to comply with PSD2 and SCA?
First, you must ensure that 3DS (3D Secure) is activated in your online shop for all payment methods (Visa, MasterCard, American Express, Carte Bancaire, JCB). If this is not the case, please contact your support team to have 3DS activated for you.
The individual banks will also implement the new version of the security procedure differently. For example, it is possible that you first enter your card data and then confirm the purchase a second time with a TAN or a one-time password. It is also conceivable that you could use the banking app to prove your identity with a fingerprint.
With the new variant of the 3D Secure procedure, more information is exchanged between the merchant and the bank than before; this can be over 100 data points. The data includes, for example, information on the browser, the device used (mobile phone, tablet) and the delivery address.
This enables the bank to check, for example, whether the data transmitted by the merchant matches the data that it already has on hand from its own customers. This should make it easier to detect misuse. The data is stored by the card-issuing bank, but is usually deleted after one year.
Essentially, you have two options to comply with the new regulations:
- Apply for a PSP license and be regulated directly, which is very rare and time-consuming. It can take months to implement all policies, the cost of documentation and applications can amount to hundreds of thousands of euros, and even then there is no guarantee of obtaining the license.
- Work with a PSP-licensed payment company, such as Truust, and allow it to maintain control over the funds paid by its merchants.
PSD2 applied to the business model
Most marketplaces collect payments from their users before the delivery of the product or service has taken place. Since January 2018 this activity has been regulated in the European Union. This means that a marketplace needs a license in order to operate with a client’s funds.