What is PSD2 and how will it impact the way merchants take payments?


Thurs April 12 2018

The new EU Payments Services Directive (PSD2) took effect on 13th January 2018, bringing in new laws aimed at improving consumer rights.

However, some of its more disruptive regulations are still working their way through the EU Parliament and won’t come into force until September 2019 at the earliest.

It can all be a bit confusing, so let us give you a brief overview of what PSD2 entails and when its various elements take effect.

What is PSD2?

PSD2 follows on from the original Payment Services Directive (PSD), which was adopted by the EU in 2007.

This legislation established an EU single market for payments to encourage the creation of safer, more innovative payment services. PSD’s authors also aimed to make cross-border payments in the EU as easy, efficient and secure as payments within a member state.

PSD2 builds on the previous legislation in three areas:

  • Increased consumer rights in areas including complaints handling, new rules on surcharging and currency conversion.
  • Enhanced security through SCA (Strong Customer Authentication) criteria.
  • Enablement of third-party access to account information, providing a framework for new payment and account services.

Let’s look at those three elements in more detail.

Enhancing customer rights

PSD2 seeks to improve customer rights in a number of ways.

1. Transparency

Terms and conditions must be clear and transparent, enabling customers to make an informed choice.

The regulation also mandates greater transparency around currency and exchange rates at the point of sale. Products like dynamic currency conversion are within the scope of this requirement.

2. Complaints

PSD2 requires payment providers to resolve complaints in a timely and appropriate manner. For example, it states that payment providers must respond to certain complaints (e.g. those where a customer is out of funds) within 15 days.

3. Reporting

As part of the new regulations around complaints, PSD2 stipulates how incidents must be reported, whether that be customer complaints, incidents of fraud, system downtime, or something else. There are now clear timeframes that dictate how providers have to report incidents to the relevant authority.

4. Earmarking of funds

Another important point relates to the earmarking of funds. PSD2 requires card issuers to make funds available to customers as soon as the final amount is known.

To give an example, in some sectors (e.g. car rental or hotels) a pre-authorisation amount might be taken to confirm a booking. In this instance, an estimated amount will be earmarked or ring-fenced in the customer’s account before the final amount is confirmed at a later date.

When the final amount is confirmed, there is an obligation for the merchant to inform their acquirer who must then instruct the issuer to release those funds. This ensures that the open-to-buy balance is released to customers at the earliest possible opportunity.

5. Surcharging

The final part of PSD2 that aims to improve consumer rights is the prohibition of surcharges on certain consumer card transactions, adding to the existing IFR (Interchange Fee Regulation) that came into force in June 2015.

The products affected include consumer credit cards, debit cards, and pre-paid cards, with surcharging banned on those products across the EU.

Commercial cards aren’t necessarily subject to the same rules on surcharging. EU member states are able to legislate against surcharging on commercial cards if they choose – France, Italy and Sweden are among the countries who have gone down this route. The UK has decided to allow surcharging on commercial cards, alongside Germany and the Netherlands.

Reducing fraud and enhancing security

PSD2’s new SCA (Strong Customer Authentication) requirement will have a big impact on the way merchants take payments from customers. It introduces a two-factor ID requirement for certain transactions, potentially creating additional friction at the checkout.

In order to make a payment, customers will be required to provide two forms of ID from the following three options:

  • Knowledge: something only the customer knows, such as a PIN or password.
  • Possession: something only the customer has, such as a mobile phone or payment card.
  • Inherence: something unique to the customer, such as their fingerprint.

In the first draft of PSD2 this two-factor process was applied to all transactions; however, the payments industry has successfully lobbied for certain exemptions.

The full list of exemptions is set out in the Regulatory Technical Standards, including:

  • Face-to-face contactless payments: this includes single transactions under €50, with a maximum cumulative value of €150 or five transactions.
  • Online payments: single transactions must be less than €30, up to a maximum of €100 or five transactions.
  • Transaction risk analysis: a transaction can be exempted from SCA if it is “low risk”. This exemption is subject to certain requirements and conditions being met.
  • Corporate payments: this includes ‘secure virtual payments’, such as virtual cards or B2B cards. The transaction must be initiated by a legal person (e.g. a business) rather than a consumer.
  • Whitelisting: consumers can whitelist merchants so that all future transactions with that merchant do not require additional security checks.
  • Recurring payments: this refers to recurring payments made to the same merchant for the same amount.
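The two-factor rule and the two low-value exemptions above can be expressed as a small decision function. This is an added example, not code from the article or from any payment provider: the names `sca_satisfied`, `ExemptionCounter` and `decide` are hypothetical, and two points are assumptions, namely that the running totals reset each time the customer completes SCA and that the cumulative limits are inclusive. The other exemptions (risk analysis, corporate, whitelisting, recurring) are not modelled.

```python
from dataclasses import dataclass
from decimal import Decimal

CATEGORIES = {"knowledge", "possession", "inherence"}
# EUR thresholds as quoted in the article: (single, cumulative, max count).
LIMITS = {"contactless": (Decimal("50"), Decimal("150"), 5),
          "online": (Decimal("30"), Decimal("100"), 5)}


def sca_satisfied(factors):
    """True if factors span at least two distinct categories.

    factors: iterable of (category, label) pairs, e.g. ("knowledge", "pin").
    A password plus a PIN is one category twice and does not qualify.
    """
    return len({cat for cat, _ in factors if cat in CATEGORIES}) >= 2


@dataclass
class ExemptionCounter:
    """Running totals since the last completed SCA (assumed reset point)."""
    channel: str
    total: Decimal = Decimal("0")
    count: int = 0

    def decide(self, amount, factors=()):
        """Return 'sca_ok', 'exempt' or 'sca_required' for one payment."""
        amount = Decimal(amount)
        single, cumulative, max_count = LIMITS[self.channel]
        if sca_satisfied(factors):
            self.total, self.count = Decimal("0"), 0  # SCA resets the counters
            return "sca_ok"
        within = (amount < single                      # "under" / "less than"
                  and self.total + amount <= cumulative  # assumed inclusive
                  and self.count + 1 <= max_count)
        if within:
            self.total += amount
            self.count += 1
            return "exempt"
        return "sca_required"


def demo():
    """Constructed sequence of online payments for one card."""
    c = ExemptionCounter("online")
    results = [c.decide("10.00") for _ in range(6)]   # sixth exceeds the count
    results.append(c.decide("10.00", [("knowledge", "password"),
                                      ("possession", "phone")]))
    results.append(c.decide("30.00"))                 # not less than 30
    return results
```
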

During a recent PSD2 webinar, Barclaycard’s director of international payments, Paul Adams, discussed the level to which online transactions would be affected by the SCA requirements.

Prior to PSD2, 97% of online transactions were frictionless due to risk analysis done behind the scenes by dynamic engines linked to services like Verified by Visa and Secure Code. Based on the new criteria introduced by PSD2, Paul suggested that around one in ten online transactions will need to go through two-factor authentication.

Open Banking

One of the aspects of PSD2 that has gained most attention is third-party access and Open Banking.

These created a requirement for the biggest nine UK banks to release APIs that will enable third-party providers – known as AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers) – to access bank accounts and create entirely new, independent services.

As with other elements of PSD2, the aim here is to give consumers greater visibility and control over their finances.

Open Banking is already in place, but the wider roll out to other accounts and services will take longer and the majority of the requirements don’t take effect until September 2019. While we don’t yet know exactly what these products will look like, we can offer broad definitions of the services they will offer.

PISPs

PISPs are digital services that enable a push payment directly from a customer’s bank account to a merchant. Put simply, it’s like a simple pay button for an ecommerce transaction with the PISP providing the link between the customer’s bank account and the retailer.

The idea is to remove the need for a card, creating a new payment experience for consumers. Currently it only really relates to ecommerce transactions; it doesn’t yet translate to face-to-face purchases.

AISPs

AISPs are consumer services that aggregate a person’s financial data in one place. For example, you could consent to allow a comparison site to aggregate all your bank account information, loans and other financial products, giving you a better view on your spending and the option to switch if better rates are available.

PSD2 timetable

A majority of PSD2’s requirements became law on January 13th 2018, including those relating to enhancing consumer rights and surcharging.

However, the SCA requirements and third-party access framework don’t come into force until September 2019. The European Commission published the final Regulatory Technical Standards relating to these two elements in November 2017 and the European Parliament has until February to either approve or reject them.

If the RTS is approved it will be another 18 months until the new laws are applicable, meaning the SCA and third-party access rules will likely come into force in September 2019.

 
