PSD2 – The EU’s Response to Online Payment Requests
The Payment Services Directive 2 is a set of rules defined by the European Commission that specifies access rights to customers’ bank accounts. Learn how customers can now allow third parties to use their bank account data.
There’s a presumption – a justified one – that online data are just as prone to theft and abuse as their hard-copy counterparts. Hence, different markets introduce different legislation to regulate the field of digital payments.
The European Union and its governing bodies also step in to regulate the economic conditions within the common market.
In this blog post, we’ll explain PSD2 – the sequel of the Payment Services Directive – and how it changes the payment procedures for merchants and buyers on the territory of the EU.
PSD2 Defined
The PSD2 refers to a rulebook on access rights regarding customers’ bank accounts, conceived and issued by the European Union. Fully named the Revised Payment Services Directive, it’s a sequel to the original PSD, dating back to 2007.
The main novelties that this version brings are:
- Allowing payers to access and utilize their banking data with a greater sense of autonomy.
- Letting bank account holders share their banking information with third-party payment providers (TPPs). In this sense, the PSD2 defines the rules under which banks must provide TPPs with access to customers’ bank accounts and payment information. Together, these changes democratize how consumers use their bank accounts and carry out online payments.
In addition to determining the rules on TPPs handling digital transactions, the PSD2 also prescribes various prerequisites and requirements to ensure the highest level of customers’ personal and payment data security.
The main purpose of this directive is to make electronic payments on the territory of the European Union fraud-proof and transparent.
CheckoutGate Intel: CheckoutGate is keen on complying with all the relevant regulations, including PSD2. Our legal and finance experts are here to keep an eye on updated initiatives and rulebooks on our clients’ behalf, ensuring cost-effective and frictionless payment operations.
How Does PSD2 Function?
We’ve mentioned above that the PSD2 is primarily aimed at putting more power into the consumers’ hands and letting them control their bank accounts more effectively. It demands that banks enable TPPs to access customer payment information at the customer’s request to carry out the pre-defined services. The goal is to establish a modern, tech-supported banking system across the EU called open banking.
How does this look in practice? Let’s say you want to allow an accounting or budgeting app to access your bank account. Under this updated directive, the bank is obliged to let such a software solution access the consumer’s bank account once the consumer has authorized it. So, this regulation works in favor of any software tool that handles invoicing, budgeting, payment automation, and other relevant fintech services.
That being said, those third-party payment providers can’t just come in from the cold. Just as important as the liberalization of the banking and payment market throughout the European Economic Area (EEA) is the PSD2 requirement that each TPP be registered, verified, and monitored by the local financial authorities in its respective member state. The directive specifies which institutions are in charge of supervising those third parties.
PSD2 – Technical Aspects
Unlike the PCI compliance requirements – issued and monitored by the PCI Security Standards Council – which are strictly technical requirements for secure payment handling, the PSD2 is a body of legal regulations. In line with that, payment processing entities and banks can build their own solutions, but those solutions must comply with the PSD2 directive.
Translated to real-life examples: payment processors and banks had to adapt their payment procedures to become PSD2-compliant. This included upgrading their payment authentication methods with SMS authentication and credit-card tokenization software. All of this ensures that strong customer authentication becomes a standard security procedure for electronic payments in the EU, in line with the 3D Secure 2 protection features.
Upon the adoption of the PSD2, merchants became aware that they had to establish partnerships with PSD2-compliant payment processors and banks.
How Does PSD2 Handle Security and Consumer Protection?
The PSD2 initiative has shaken the European payment market, having made it more flexible, secure, and competitive.
We’ve already discussed the open-banking concept and the fact that TPPs can now access a consumer’s banking data, at the consumer’s request and with their consent.
In terms of personal data protection and keeping account information out of the wrong hands, the PSD2 obligates banks and payment intermediaries to implement strong customer authentication (SCA). In other words, a customer must confirm their identity with at least two factors when they access their online accounts to manage their financial and personal data.
The authentication is carried out through the following three elements:
- Something the consumer owns (possession). The example mentioned above – an SMS code sent to a smartphone, or a software token generated on the consumer’s phone or computer – relies on something the consumer owns.
- Something the consumer knows (knowledge). A payer, i.e., a cardholder, knows their card PIN, the answer to a secret question, or a password.
- Something inherent to the consumer (inherence). Biometric data is inherent to a particular person. Fingerprint scans, iris scans, and face recognition are only some examples of features unique to each person.
Combining the factors above within a payment provider’s multi-factor authentication system dramatically increases consumers’ security when making online payments within the EU.
SCA Exclusions under PSD2
Even though payment security is a must-follow element of digital transactions, it can add friction. Therefore, the PSD2 allows certain exclusions (exemptions), where payment service providers and consumers don’t have to apply SCA, including:
- Subscriptions. For subscriptions agreed between the subscription provider and the consumer, usually only the first payment request asks the payer to go through multi-factor authentication.
- Certain contactless payments. The PSD2 doesn’t prescribe SCA for contactless payments up to 30 EUR. This exclusion ends once a consumer has made five or more consecutive 30-EUR transactions and exceeded the 150-EUR threshold; they must undergo SCA for the next payment.
- Card-not-present payments up to 30 EUR. Online payments lower than 30 EUR don’t require strong customer authentication. However, once the payer reaches the 100-EUR limit or makes four or more consecutive 30-EUR transactions, they’ll have to provide the necessary authentication factors for the following payment.
- Transferring to your own accounts. When the payer is the owner of both accounts involved in the money transfer, there’s no SCA.
- Whitelisted entities. If a consumer makes recurring payments to a certain entity – say, paying electricity bills to a certain provider – they can ask their card issuer to whitelist the payee in question. Hence, they won’t have to undergo the SCA procedure when making their monthly payments.
As a rule of thumb, SCA is there to protect you as the payer, consumer, and bank client. Hence, it’s recommended not to request exclusions from multi-factor authentication unless this additional step significantly affects your operations and efficiency.
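The counter logic behind the low-value exclusions above, as an added example (not code from this post or from CheckoutGate): it tracks one card’s spend since its last SCA, using the post’s contactless figures (30 EUR per payment, 150 EUR cumulative, five payments) as assumed, configurable parameters, and reports when the issuer must step up to SCA. The sample sequence of payments at the bottom is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class LowValueExemption:
    """Counters for one payment instrument (e.g. one card) since its last
    successful SCA. Default thresholds are the post's contactless figures
    (assumed parameters): 30 EUR per payment, 150 EUR cumulative, five
    payments. Amounts are integer cents to avoid float rounding."""
    per_txn_limit: int = 30_00
    cumulative_cap: int = 150_00
    max_txns: int = 5
    cumulative: int = 0
    txns_since_sca: int = 0

    def sca_required(self, amount: int) -> Tuple[bool, str]:
        """Decide before authorising: True means the issuer must challenge."""
        if amount > self.per_txn_limit:
            return True, "amount above per-transaction limit"
        if self.txns_since_sca >= self.max_txns:
            return True, "transaction count since last SCA reached"
        if self.cumulative + amount > self.cumulative_cap:
            return True, "cumulative amount since last SCA would exceed cap"
        return False, "low-value exemption applies"

    def record(self, amount: int, sca_performed: bool) -> None:
        """Update counters once the payment completes: a successful SCA
        resets both counters, an exempted payment adds to them."""
        if sca_performed:
            self.cumulative, self.txns_since_sca = 0, 0
        else:
            self.cumulative += amount
            self.txns_since_sca += 1

def run_sequence(amounts: List[int], tracker: LowValueExemption | None = None):
    """Process a constructed list of payments in order, assuming the SCA
    challenge succeeds whenever it is demanded; returns one decision each."""
    tracker = tracker or LowValueExemption()
    decisions = []
    for amt in amounts:
        required, reason = tracker.sca_required(amt)
        decisions.append((amt, required, reason))
        tracker.record(amt, sca_performed=required)
    return decisions

if __name__ == "__main__":
    for amt, req, why in run_sequence([30_00] * 6 + [45_00, 10_00]):
        print(f"{amt / 100:6.2f} EUR -> {'SCA' if req else 'exempt':6} ({why})")
```

The sixth 30-EUR tap is the one that trips the counter, matching the post’s description; the reset after a successful SCA is what lets the following 10-EUR payment go through without a challenge.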
Conclusion
PSD2 is one of numerous frameworks, initiatives, and regulations that the European Commission and the European Central Bank have adopted, and will keep adopting, to keep all parties safe.
As merchants, you must comply with such regulations to keep both your customers’ and your own business data spick and span. CheckoutGate is your ally in the quest to establish and handle an online payment system. Contact us and have your merchant account opened in the shortest time possible: https://acceptpaymentsnow.typeform.com/to/NbSkFD7R.