
What is PSD2 and how does it impact your daily card payments?

If you take card payments every day, you should know about the new legislation called PSD2. Standing for Payment Services Directive 2 and in force since 14 September 2019, this new document brings a number of changes to the world of payments. Don’t worry if you don’t know what they are – you will now find out!

Let’s start!

What is PSD2 and why do we need it?

Succeeding the Payment Services Directive of 2007, PSD2, the revised Payment Services Directive, brings a number of alterations that aim to better protect consumers during online payments.

The proposal to review PSD1 was part of a legislative measures package related to payment services, such as tighter regulations on interchange fees for card-based payments (the Interchange Fee Regulation).

The changes also aim to promote the development and use of innovative online and mobile payments, such as through open banking, and make cross-border European payment services safer. 

The original Payment Services Directive was implemented by the European Union Member States in 2009. Its aim was to create a legal framework for all payments in the European Economic Area (EEA). It was also designed to guarantee speed, consumer protection, and efficiency. 

The second payment services directive, PSD2, is an updated version of the original. Officially approved and announced by the European Parliament in 2015, it reflects emerging technologies in the payment industry. The new directive came into effect around the same time as the General Data Protection Regulation.

The main goal behind the new directive is to create a modern and integrated European payments market. 

What are PSD2 card payments?

PSD2 card payments are card transactions that take place under the rules and regulations of the new directive.

This means covering the following essential components:

  • Strong Customer Authentication (SCA);
  • Open banking and APIs;
  • Full transparency.

These payments are mostly concentrated on Payment Initiation Services (PIS) and Account Information Services (AIS) providers.

Account Information Services (AIS) are at the heart of PSD2. They enable merchants and shoppers to exchange information with third-party providers. Mostly used for analysis, dissection, and understanding data sets, AIS offers access to key financial insights through direct debits, balances, and more.

They offer a summarised view of a customer’s payment accounts and make sure that all of this information is recorded in a single place. 

On the other hand, Payment Initiation Services providers deal with the online transactions themselves. They allow payment service users to input banking credentials to initiate payments.

These modern players play the role of intermediaries between financial institutions and businesses. This enables direct transfers as long as verification has been given. 

It’s important to note that to cover possible liabilities, PSD2 requires that both AISPs and PISPs hold Professional Indemnity Insurance. This insurance aims to cover any liabilities resulting from unverified access or the use of payment account information. 

But the most visible and important difference is the new requirement for Strong Customer Authentication (SCA) when making card transactions either face to face or in an in-store environment.

What are the Strong Customer Authentication (SCA) requirements?

Strong Customer Authentication (SCA) is a pillar of the second Payment Services Directive, designed to make electronic payment services safer than ever.

The SCA requirements that you must know about as a merchant or business owner are as follows.

Under the SCA requirements, you’re obliged to utilise a minimum of two of three authentication factors, like:

  • Something the customer knows – PINs, passwords, or security question answers;
  • Something the customer has – smart cards, hardware tokens, or mobile phones; 
  • Something the customer is – biometric customer data, like fingerprint or voice recognition, or facial verification.

You should also consider dynamic linking, especially if you rely on card-based payment instruments. With dynamic linking, the verification process must be linked to the specific payment transaction, its payee and its amount. 
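The two-of-three factor rule and dynamic linking described above can be sketched as follows. This is an added example, not code from myPOS or from the directive: the factor names, the function names and the choice of HMAC-SHA256 as the authentication code are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Categories from the list above; the individual factor names are illustrative.
CATEGORY = {
    "pin": "knowledge", "password": "knowledge",
    "hardware_token": "possession", "phone": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def satisfies_sca(verified_factors):
    """True only if the verified factors span at least two distinct categories."""
    categories = {CATEGORY[f] for f in verified_factors if f in CATEGORY}
    return len(categories) >= 2

def _message(amount, currency, payee, nonce):
    # Canonical encoding of the details the customer is approving.
    fields = [str(Decimal(amount).quantize(Decimal("0.01"))), currency, payee, nonce]
    return "\x1f".join(fields).encode("utf-8")

def issue_auth_code(key, amount, currency, payee):
    """Return (nonce, code); the code is bound to this amount and this payee."""
    nonce = secrets.token_hex(16)
    msg = _message(amount, currency, payee, nonce)
    return nonce, hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify_auth_code(key, code, nonce, amount, currency, payee):
    """Recompute the code over the details actually being executed."""
    msg = _message(amount, currency, payee, nonce)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, code)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed demo key
    nonce, code = issue_auth_code(key, "49.90", "EUR", "Coffee Shop Ltd")
    print(satisfies_sca(["pin", "password"]))  # two factors, one category
    print(satisfies_sca(["pin", "phone"]))     # two categories
    print(verify_auth_code(key, code, nonce, "49.90", "EUR", "Coffee Shop Ltd"))
    print(verify_auth_code(key, code, nonce, "499.00", "EUR", "Coffee Shop Ltd"))
```

Two factors from the same category do not count as two factors, and a code issued for one amount and payee fails verification if either is changed afterwards.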

Overall, SCA requirements are put in place to enhance payment security. However, exemptions are allowed for low-value transactions, recurring payments, trusted beneficiaries, low-risk payments according to transaction risk analysis, and corporate payments. 

The implementation of SCA depends on the type of payment method. For example, with bank transfers, a one-time password can be sent to the customer’s mobile phone. When using a payment card, authentication can take place via 3D Secure with token-based verification.

When it comes to reporting fraud to competent authorities, PSD2 guidelines take into account two main categories: unauthorised transactions and those resulting from the fraudster’s manipulation of the consumer.

These two categories can be split down further based on the types of payment services (money remittance services, payment initiation services, and more), the payment instrument and the reporting payment providers (both the card issuer and the merchant are allowed to report fraud).

The changes related to SCA

If you make transactions with a Chip and PIN machine or MO/TO payments, PSD2 will not affect you in any way. But this is where new developments step in.

In a few simple words, you will be asked to enter your PIN when making contactless payments with your Visa or Mastercard card in the following cases:

  • You make a single transaction above EUR 50;
  • You make consecutive contactless payments exceeding EUR 150 in total;
  • You make five consecutive contactless payments and each one of them is below EUR 50 – during your 6th transaction your PIN will be required and upon entering it correctly the counter will be reset.

In all other cases, you will not have to enter your PIN until you bump into one of these requirements again.
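The three PIN triggers listed above behave like a small counter kept for each card. The sketch below is an added example, not myPOS or card-scheme code; the class and method names are hypothetical, and it assumes that any correctly entered PIN resets both counters, that a payment of exactly EUR 50 does not trigger the single-payment rule, and that the EUR 150 total includes the payment being attempted.

```python
from decimal import Decimal

SINGLE_LIMIT = Decimal("50")       # EUR, single-payment threshold from the list
CUMULATIVE_LIMIT = Decimal("150")  # EUR, total of consecutive PIN-free payments
MAX_CONSECUTIVE = 5                # PIN-free payments allowed in a row

class ContactlessCounter:
    """Tracks PIN-free contactless payments for one card (illustrative)."""

    def __init__(self):
        self.count = 0
        self.total = Decimal("0")

    def pin_reason(self, amount):
        """Return why a PIN is needed for this payment, or None if it is not."""
        amount = Decimal(amount)
        if amount > SINGLE_LIMIT:
            return "single payment above EUR 50"
        if self.total + amount > CUMULATIVE_LIMIT:
            return "consecutive payments exceed EUR 150"
        if self.count >= MAX_CONSECUTIVE:
            return "five consecutive PIN-free payments"
        return None

    def pay(self, amount, pin_ok=True):
        reason = self.pin_reason(amount)
        if reason is None:
            self.count += 1
            self.total += Decimal(amount)
            return "approved without PIN"
        if not pin_ok:
            # Assumption: a failed PIN leaves the counters untouched.
            return "declined: " + reason
        # Assumption: any correct PIN entry resets both counters.
        self.count, self.total = 0, Decimal("0")
        return "approved with PIN: " + reason

if __name__ == "__main__":
    card = ContactlessCounter()
    for amount in ["10", "10", "10", "10", "10", "10", "10"]:  # constructed input
        print(amount, "->", card.pay(amount))
```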

Does PSD2 apply to debit cards?

Yes, if you collect payments via debit cards, PSD2 applies to your business. 

The new directive applies both to debit cards and other types of electronic payments. Just like with credit card payments, debit card transactions must comply with SCA requirements. In other words, shoppers must go through several authentication phases.

How does PSD2 aim to enhance online payments?

PSD2 is designed to transform payments online and make online transactions easier than ever. It allows new services and enables shoppers to stay in control of their bank accounts via online banking. 

The directive outlines the foundations for “open banking.” Rather than relying on the same rules as the original directive regarding electronic payments, it proposes new regulations for the exchange of financial information between banks and third-party providers (TPPs). These include fintechs, technology companies, major online retailers, and even social media platforms. 

Overall, PSD2 enhances the way we pay online by providing the following benefits:

  • Less fraud – SCA naturally minimises chances of fraudulent payment in card-not-present transactions; 
  • Trust – shoppers tend to have more confidence in using online payment services that are PSD2 compliant;
  • Innovation – Open Banking and API integration allow for the creation of innovative payment services and products and more competition among third-party providers. This ultimately results in better pricing and higher quality for shoppers.
  • Control and transparency – consumers can better control their financial data and can improve their financial management. In addition, PSD2 leads to a boost in transparency, enabling users to make better-informed decisions. 

All of these factors contribute to the creation of a stronger and more reliable payments market.

PSD2’s new rules will allow third parties to access banks’ data via open APIs. This data sharing will enable the birth of unique payment applications and services with added value for customers. 

In addition, PSD2 enables participation for new market players, such as Payment Initiation Service Providers and Account Information Service Providers. 

Thanks to PSD2, third party providers will be obliged to adhere to the same rules as traditional payment service providers. 

The way forward

Card transactions are the new norm for paying and getting paid, and we will continue to witness more innovations in favour of customer convenience and protection, so there’s nothing you should be worried about.

Again, PSD2 aims to improve security for end users like you, so now your card transactions will be better protected against fraud, card thefts, etc. All you need to do is enter your PIN more often, which should not be a problem at all.

The European Banking Authority provided a final draft of the Regulatory Technical Standards on Strong Customer Authentication in 2017. Much has changed after the introduction of PSD2, with proposals to turn PSD2 into PSD3 and to introduce a Payment Services Regulation.

So next time you are getting your favourite coffee don’t get startled if you are asked to put in your card PIN – it’s all to your benefit and part of the game.

Disclaimer: Please be aware that the contents of this article and the myPOS Blog, in general, should not be interpreted as legal, monetary, tax, or any other kind of professional advice. You should always seek to consult with a professional before taking action, since the particulars of your situation may materially differ from other cases.
