The introduction of the new EU PSD2 directive is going to change the processes involved in making payments online. The impact that this new directive will have on both businesses and consumers could be quite disruptive if preparations are not made. PSD2 comes into effect this month from Saturday, 14 September.
What is PSD2?
PSD2, also known as Directive 2015/2366/EU, stands for Payment Services Directive 2. It is an EU Directive that applies to payment services in the EU. On 13 January 2018 PSD2 became law in Ireland.
PSD2 builds on the scope of the first EU Payment Services Directive (PSD), which entered into force in 2009. PSD set out common rules in relation to certain types of electronic payments, such as direct debits, card payments, credit transfers, as well as mobile and online payments.
A primary goal of PSD2 is to make payments within the EU more efficient and secure. By improving security measures for electronic payments, it will provide greater protection for consumers. PSD2 will open up the market of electronic payments to new entrants, creating competition and ultimately better prices for consumers.
The new payment services providers are known as:
Payment Initiation Service Providers (PISPs)
PISPs assist consumers with online credit transfers while informing the merchant of the payment. They offer an alternative to credit card payments, with the consumer needing only an online payment account.
Account Information Service Providers (AISPs)
AISPs provide consumers and businesses with a global view of their financial situation. AISPs can consolidate a consumer’s current accounts across a number of providers and help them plan financially by categorising their spending.
Under PSD2, PISPs and AISPs can now offer new regulated payment products and services to compete with banks and other traditional payment services providers.
What will PSD2 mean for consumers?
PSD2 will make it easier and safer for consumers to use internet payment services. The new directive should create better protection for consumers against fraud, abuse, and payment problems. It will promote new and innovative mobile and internet payment services, as well as help to strengthen rights for consumers.
In cases where an unauthorised transaction has taken place on a consumer’s account, they will have a maximum liability of €50. Exceptions exist where it can be proven that the consumer acted fraudulently, or was grossly negligent.
Under the SEPA Direct Debit Scheme consumers were given an unconditional eight-week refund right. This has become protected in EU law by PSD2.
Under PSD2 the practice of surcharging is prohibited. Retailers can no longer charge fees to consumers for using debit or credit cards.
PSD2 allows consumers engaged in payment services to terminate a contract for the provision of payment services free of charge after the initial six months, as opposed to twelve months.
The law reinforces the existing requirement for all payment services providers to have a complaints resolution procedure.
How will PSD2 affect businesses?
Strong Customer Authentication (SCA)
SCA was created to improve the security of transactions. As a component of PSD2, it will have a direct effect on eCommerce businesses. Businesses must provide card issuers with two-factor authentication during a transaction. Under SCA, payments must be authenticated using a minimum of two of the three elements below:
- Something the consumer knows. This can be a password, a PIN, or a security question.
- Something the consumer has. This can be a phone, hardware token, or some other device in the consumer’s possession.
- Something the consumer is. This can be a fingerprint, facial recognition or an iris scan.
In order to meet these authentication requirements, businesses will need to adopt 3DS 2.0.
What is 3DS 2.0?
3DS 2.0 (3D Secure 2.0) is an authentication protocol created to reduce fraud and merchants’ liability to chargebacks while increasing consumers’ security. 3DS 2.0 is here to meet the needs of remote payments.
3DS Standard, which precedes 3DS 2.0, provides extra security to help reduce the possibility of unauthorised transactions. Examples of 3DS can be found in brand names such as Secure, SafeKey, and Identity Check for card providers like Visa, American Express, and MasterCard.
3DS 2.0 aims to address many of the shortcomings of the 3DS Standard. Firstly, there is a less disruptive authentication process and a better user experience.
3DS 2.0 enables businesses and payment providers to transfer more data elements on each transaction to the consumer’s bank. This can include data such as the consumer’s shipping address, the consumer’s device ID or their previous transaction history. This information can then be used by the cardholder’s bank to assess the risk level of the transaction.
If the cardholder’s bank finds the data to be sufficient to prove that the genuine cardholder is making the transaction, the payment is then put through the frictionless authentication flow and can be completed without the need for any extra input from the cardholder.
In the event that the bank needs further proof, the transaction is put through the challenge flow, in which the bank requests further input from the consumer in order to authenticate the payment. Whether a transaction goes through the frictionless flow or the challenge flow, businesses will benefit from the same liability shift.
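The two-of-three SCA rule and the frictionless/challenge split described above can be modelled together. The sketch below is an added illustration, not code from this article or from the 3DS 2.0 specification: the method names, the data fields, and the issuer's risk rule are assumptions, and real issuers use their own risk models.

```python
from dataclasses import dataclass

# The three SCA element categories; the method names are assumptions.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_question": "knowledge",
    "phone": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence", "iris": "inherence",
}

def sca_satisfied(verified_methods):
    """True only when the verified methods span two distinct categories.

    Two methods from one category (password + PIN) count once, and
    unrecognised method names are ignored rather than trusted.
    """
    categories = {CATEGORY[m] for m in verified_methods if m in CATEGORY}
    return len(categories) >= 2

@dataclass
class AuthRequest:
    """Constructed subset of the data elements sent to the consumer's bank."""
    shipping_matches_history: bool
    known_device: bool
    prior_successful_payments: int

def issuer_flow(req):
    """Hypothetical issuer rule: enough familiar signals means frictionless."""
    signals = [
        req.shipping_matches_history,
        req.known_device,
        req.prior_successful_payments >= 3,  # illustrative threshold
    ]
    return "frictionless" if sum(signals) >= 2 else "challenge"

def authenticate(req, verified_methods=()):
    """Return (flow, approved); a challenge passes only with valid SCA."""
    flow = issuer_flow(req)
    if flow == "frictionless":
        return flow, True
    return flow, sca_satisfied(verified_methods)

# Constructed sample requests.
FAMILIAR = AuthRequest(True, True, 12)
UNFAMILIAR = AuthRequest(False, False, 0)

if __name__ == "__main__":
    print(authenticate(FAMILIAR))
    print(authenticate(UNFAMILIAR, ["password", "security_question"]))
    print(authenticate(UNFAMILIAR, ["pin", "fingerprint"]))
```
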
Who needs 3DS 2.0?
Businesses with a large European payment volume will be required to implement 3DS 2.0 in order to comply with SCA and PSD2.
What businesses should do next
Businesses that process remote payments will have a payment service provider. It is recommended that businesses contact their provider and request an update on 3D Secure 2.0. Enquire whether or not you will need to install a newer version of the payment gateway extension on your website.