Getting to Know PSD2: What Compliance Means for Your Business

Igor Izraylevych

6 min read


Introduction: What is PSD2?

In summary: PSD2 is a set of regulations established in the EU to protect consumers and improve the online payment process. 

Implemented between January of 2018 and September of 2019, PSD2 regulations have far-reaching implications for companies that do business in the European Union. 

With its high-level goal of improving consumer safety and streamlining the online payment process, PSD2 is changing the way many do business and process payments both in the EU and beyond. 

What exactly is PSD2 and what implications might it have for your business? Let’s discuss this in detail.  

The Payment Service Providers Directive, 2007

To truly understand PSD2, one should begin with a clear understanding of the original Payment Service Providers Directive (PSD) established in 2007. 

This directive, established by the European Commission, was created to help build a single payment market in the EU by regulating payment services and payment service providers throughout the EU and EEA. 

Through these efforts, the European Commission hoped to increase competition in the payments industry across Europe while providing an even playing field for non-banks and enhancing consumer protections. 

The PSD addresses two main sections of the payments industry:

  1. It defined which organizations could provide payment services. In addition to banks, central banks, and governmental authorities, electronic money institutions (EMIs) and payment institutions (PIs) could both provide payment services. If an organization was neither an EMI nor a PI, it could apply for the right to pass payments from its home country to other EU countries, provided it met certain requirements.  
  2. It also defined the level of transparency payment service entities would need to maintain with regards to charges, exchange rates, and more. These conduct rules also provided oversight to how users and providers could perform transactions. 

Additionally, all countries within the EU had to establish an in-country authority that would provide supervision of all PIs in that country, ensuring that these organizations stayed in compliance with the conduct rules and organization rules defined within the PSD.

Updates were made to the PSD in 2009 and 2012 respectively before the European Commission proposed an amendment in 2013. 

The goal of this amendment, which would create what became known as PSD2, was to further enhance consumer protections and drive even more innovation in the payments sector. 

Key Points in the PSD2

The implementation of the PSD2 in 2019 has resulted in some seismic shifts in the payments industry, because of the following two key points:

SCA

The PSD2 states that online businesses must implement what is known as “Strong Customer Authentication”, or SCA, for any purchase in which the banks at either end of the transaction are within the EEA. 

This additional step in the payments process requires that the credit card owner initiating a payment must confirm additional details beyond standard credit card specifics (i.e. card number, CVV code, etc.) via 3D Secure. 

There is some flexibility in how SCA is implemented. 

Each institution can choose, for example, how to structure the authentication of these additional details based on their existing tech infrastructure and resources. Options include having the customer log into an existing account or having the customer enter a code sent via SMS to a mobile phone, to name just two. 

Third-Party Payment Service Providers

Another way in which the PSD2 has created big change in the payments space comes from the fact that it now allows banks to open their payment services to third-party entities, or TPPs. 

This was due, in large part, to the increasing popularity of both Payment Initiation Services, third-party entities that facilitate using bank accounts to make online payments, and Account Information Services, which aggregate customer data in one place to give the consumer a holistic view of their finances. 

The PSD2 removes significant barriers that have, until now, prevented TPPs from offering solutions in these popular spaces across the EU. 

With the advent of PSD2, it is now expected that TPPs will step in to innovate and develop large-scale financial solutions across the EEA. 

By enabling TPP access to account information, the PSD2 has smashed the monopoly by banks and central banks, allowing online entities to expand their payment services. 


Where does PSD2 apply?

As stated above, the PSD2 applies to any transaction in which the transmitting and receiving bank are within the EU or EEA. 

It will, however, have some impact on businesses in other regions, including the US. Any merchant doing business in the EEA will need to ensure that their transactions are SCA-compliant, for one. 

Businesses outside of the EU that have plans to expand eventually into the EU should get ahead of the curve and begin early adoption of PSD2 compliance. 

Finally, international businesses with headquarters outside the EU but with entities within Europe should implement PSD2 compliance in-house to reduce the occurrence of declined authorizations and payments. 

Regulations similar to PSD2 are also in play in New Zealand and Australia, so Asian businesses doing business in Oceania would do well to make the adjustment sooner rather than later. 

PSD2 compliance

In short, PSD2 compliance means meeting SCA requirements. 

A business must present customers with a 3DS authentication flow during the online purchasing process in order to confirm the customer’s identity and confirm that they are the valid account holder of the credit card. 

If these authentications are not implemented into an online merchant’s checkout flow, card issuers will decline the payments on any transactions that fall under PSD2 requirements. 

Transactions that are exempt from PSD2 requirements include cash payments and Merchant-Initiated Transactions, or MITs. An example of an MIT might be a recurring subscription charge on a customer membership. 


How expensive is it to comply with PSD2?

The cost of PSD2 compliance has prevented some EU merchants from making the necessary changes in time for PSD2 implementation. A single large EU bank could see costs of over 30 million Euros to get in compliance. 

As an alternative, some of these merchants have turned to third-party payment processors to handle transactions. 

PSD2 Impact

What will the impact of PSD2 be on business and financial institutions? 

The directive’s impact will vary, largely depending on whether an entity is an issuer or an acquirer in a transaction. 

Banks

Acquiring banks will need to implement 3DS 2.0 stepped-up authentication for all transactions over 30 Euros.

This will require more fraud detection and customer protection during a transaction, including real-time transaction monitoring and risk analysis.

Issuing banks face more pressure from SCA as they will have to navigate complex specifics when it comes to authenticating a user.

Issuing banks will need to select their authentication protocols carefully so that they do not create customer friction during the purchasing process. 

A customer trying to make a purchase, for example, who is online via Wi-Fi but not in range of a cellphone tower might not be able to complete a purchase if authentication is done via SMS. 

Merchants

Large-scale online merchants, such as Amazon, will now be able to leverage their own payment options when processing online sales, making the new directive something of a coup for them. 

Smaller merchants, however, will need to take a different, risk-based approach to make the transition to PSD2 compliance easier by taking advantage of the exceptions to the two-factor verification process. 

These might include single online transactions of less than 30 Euros, one-off contactless payments made face-to-face and under 50 Euros, or corporate payments initiated by a business and made via B2B cards. 
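As an added illustration (not code from the original article), the following Python encodes the scope and exemption rules this article describes as a merchant-side pre-check that decides whether a 3DS challenge must be requested. The country list, the field names and the treatment of the exact 30/50 Euro boundary are assumptions, and the real exemption catalogue is larger than the cases the article lists.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed subset of EEA country codes for the example; assumption, not the full list.
EEA_SAMPLE = {"DE", "FR", "NL", "IE", "ES", "IT", "NO", "IS", "LI"}

class Channel(Enum):
    ONLINE = "online"                  # e-commerce checkout
    CONTACTLESS_POS = "contactless_pos"  # face-to-face contactless tap


@dataclass
class Transaction:
    amount_eur: float
    issuer_country: Optional[str]     # country of the cardholder's (issuing) bank
    acquirer_country: Optional[str]   # country of the merchant's (acquiring) bank
    channel: Channel
    merchant_initiated: bool = False  # MIT, e.g. a recurring subscription charge
    corporate_b2b_card: bool = False  # corporate payment made with a B2B card


def in_psd2_scope(tx: Transaction) -> bool:
    """SCA applies only when both banks are inside the EEA (article's scope rule)."""
    return tx.issuer_country in EEA_SAMPLE and tx.acquirer_country in EEA_SAMPLE


def sca_decision(tx: Transaction) -> str:
    """Return 'out_of_scope', 'exempt:<reason>' or 'challenge'.

    Fail closed: if a bank country is unknown we cannot prove the transaction is
    out of scope, so we request the 3DS challenge rather than skip it.
    """
    if tx.issuer_country is None or tx.acquirer_country is None:
        return "challenge"
    if not in_psd2_scope(tx):
        return "out_of_scope"
    if tx.merchant_initiated:
        return "exempt:merchant_initiated"
    if tx.corporate_b2b_card:
        return "exempt:corporate_b2b"
    # Exactly 30 / 50 EUR is treated as requiring the challenge (assumption).
    if tx.channel is Channel.ONLINE and tx.amount_eur < 30:
        return "exempt:low_value_online"
    if tx.channel is Channel.CONTACTLESS_POS and tx.amount_eur < 50:
        return "exempt:low_value_contactless"
    return "challenge"
```

The issuer still makes the final call: an exemption the merchant requests can be refused, in which case the payment is soft-declined and the checkout must be able to fall back to a full 3DS challenge.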

How to be PSD2 compliant?

As a business owner, there are a number of ways in which you can become PSD2 compliant. The two main approaches that will streamline your transition to compliance are:  

Selecting a PSD2-compliant Payment Service Provider

Working with a PSD2-compliant PSP is a cost-effective and fast fix to PSD2 compliance. The PSP takes care of all compliance issues and can provide you with a hosted checkout so that your online payment processing ticks all the boxes with compliance.

Build authentication into your online payment process

In some cases, a business may want to retain control of the checkout flow or may not work with a PSP that offers a hosted checkout option. In those scenarios, a business will need to implement 3DS into the payment process independently. While complex, it will ensure compliance.

Latest PSD2 Updates and What to Expect in 2024

The PSD2, although groundbreaking in some sense, had issues and discrepancies that stood in the way of its uniform implementation across the EU. It posed technical challenges, raised security concerns and unevenly affected customer experience. Given these issues, a new PSD3 is being developed by the European Commission and is expected to come into effect in a few years. This Directive will amend and modernize the current PSD2, which will become PSD3, and will be accompanied by a new Payment Services Regulation (PSR).

A new PSD3 regulation is designed to harmonize the payment services rules across the EU, improve customer protection, amend the conditions for payment providers, and increase overall payments and data processing security. Although this Directive is yet to be adopted, there are already some PSD3 requirements that payment service providers need to be aware of and start preparing for their implementation.

  1. According to the PSD3 and Payment Services Regulation proposals, all new rules will be directly applicable throughout the Member States of the EU. Moreover, whereas PSD2 left some freedom in interpreting the rules, they will now be applied uniformly across the Union. 
  2. The single legal framework will be applied both to payment institutions and e-money institutions. The E-Money Directive known as the EMD2 that was dealing with electronic money will be repealed.
  3. New rules for SCA (Strong Customer Authentication) will be introduced, and its application will be clarified in some instances. The main goal of the new SCA rules will be balancing fraud reduction against user-friendly and innovative services. SCA exemptions will also be revised.
  4. Higher fraud liability will be established for payment service providers (known as PSPs). They will be obliged to take stronger actions in order to combat Internet fraud and scamming (like educating customers about possible fraud scenarios). The new Directive will also make PSPs accountable for refunding their users for fraudulent transactions.
  5. A new set of measures will be implemented in order to strengthen open banking payments. To improve the work and wide adoption of open banking, the connection between the third-party providers and customer bank accounts will be facilitated using improved APIs and other tools at banks’ disposal.
  6. The rules regarding the commercial agent exemption will also be revised and tightened, since before, under PSD2, a lot of payment providers used the status of exempted agents in order to continue their services without obtaining a license. With the new regulations, it will be more difficult for platforms and marketplaces to file for exemption for payments.

Overall, in order to ensure PSD3 compliance, all payment institutions should already start preparing their infrastructure and legal status aspects as it is expected that the European Union bodies will finalize the new regulations throughout 2024-2025. After this, the new Directive will be implemented into the national laws of Member States.

The Bottom Line

PSD2 compliance is essential for any business with an online presence or holdings in the EU. Fortunately, getting in compliance is easily done when done in partnership with the right PSP or consultant. 

