What is PSD2 and how will it impact the way merchants take payments?
This article gives an overview of the EU Payments Services Directive (PSD2), which brings in new laws aimed at improving consumer rights and enhancing online security. To find out how we can support your business, call our payment experts on 0800 096 8237*
PSD2 follows on from the original Payment Services Directive (PSD), which was adopted by the EU in 2007. This legislation established an EU single market for payments to encourage the creation of safer, more innovative payment services. PSD’s authors also aimed to make cross-border payments in the EU as easy, efficient and secure as payments within a member state.
PSD2 builds on the previous legislation in the following three areas, which we'll look at in more detail:
Enhancing customer rights
PSD2 seeks to improve customer rights in a number of ways.
Terms and conditions are clear and transparent, enabling customers to make an informed choice.
The regulation also mandates greater transparency around currency and exchange rates at the point of sale. Products like dynamic currency conversion are within the scope of this requirement.
PSD2 requires payment providers to resolve complaints in a timely and appropriate manner. For example, it states that payment providers must respond to certain complaints (e.g. those where a customer is out of funds) within 15 days.
As part of the new regulations around complaints, PSD2 stipulates how incidents must be reported, whether that be customer complaints, incidents of fraud, system down time, or something else. There are now clear timeframes that dictate how providers have to report incidents to the relevant authority.
4. Earmarking of funds
Another important point relates to the earmarking of funds. PSD2 requires card issuers to make funds available to customers as soon as the final amount is known.
To give an example, in some sectors (e.g. car rental or hotels) a pre-authorisation amount might be taken to confirm a booking. In this instance, an estimated amount will be earmarked or ring-fenced in the customer’s account before the final amount is confirmed at a later date.
When the final amount is confirmed, there is an obligation for the merchant to inform their acquirer who must then instruct the issuer to release those funds. This ensures that the open-to-buy balance is released to customers at the earliest possible opportunity.
The final part of PSD2 that aims to improve consumer rights is the prohibition of surcharges on certain consumer card transactions, adding to the existing IFR (Interchange Fee Regulation) that came into force in June 2015.
The products affected include consumer credit cards, debit cards, and pre-paid cards, with surcharging banned on those products across the EU.
Commercial cards aren’t necessarily subject to the same rules on surcharging. EU member states are able to legislate against surcharging on commercial cards if they choose – France, Italy and Sweden are among the countries who have gone down this route. The UK has decided to allow surcharging on commercial cards, alongside Germany and the Netherlands.
Prior to PSD2 97% of online transactions were frictionless.
Reducing fraud and enhancing security
PSD2’s new SCA (Secure Customer Authentication) requirement will have a big impact on the way merchants take payments from customers. It introduces a two-factor ID requirement for certain transactions, potentially creating additional friction at the checkout.
In order to make a payment, customers will be required to provide two forms of ID from the following three options:
- Knowledge: something only the customer knows, such as a PIN or password.
Possession: something only the customer has, such as a mobile phone or payment card.
Inherence: something unique to the customer, such as their fingerprint.
In the first draft of PSD2 this two-factor process was applied to all transactions, however the payments industry has successfully lobbied for certain exemptions.
The full list of exemptions is set out in the Regulatory Technical Standards, including:
Face-to-face contactless payments: this includes single transactions under €50, with a maximum cumulative value of €150 or five transactions.
Online payments: single transactions must be less than €30, up to a maximum of €100 or five transactions.
Transaction risk analysis: a transaction can be exempted from SCA if it is “low risk”. This exemption is subject to certain requirements and conditions being met.
Corporate payments: this includes ‘secure virtual payments’, such as virtual cards or B2B cards. The transaction must be initiated by a legal person (e.g. a business) rather than a consumer.
Whitelisting: consumers can whitelist merchants so that all future transactions with that merchant do not require additional security checks.
Recurring payments: this refers to recurring payments made to the same merchant for the same amount.
During a recent PSD2 webinar, Barclaycard’s director of international payments, Paul Adams, discussed the level to which online transactions would be affected by the SCA requirements.
Prior to PSD2 97% of online transactions were frictionless due to risk analysis done behind the scenes by dynamic engines linked to services like Verified by Visa and Secure Code. Based on the new criteria introduced by PSD2, Paul suggested that around one in ten online transactions will need to go through two-factor authentication.
One of the aspects of PSD2 that has gained most attention is third-party access and Open Banking.
These created a requirement for the biggest nine UK banks to release APIs that will enable third-party providers – known as AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers) – to access bank accounts and create entirely new, independent services.
As with other elements of PSD2, the aim here is to give consumers greater visibility and control over their finances.
Open Banking is already in place, but the wider roll out to other accounts and services will take longer and the majority of the requirements don’t take effect until September 2019. While we don’t yet know exactly what these products will look like, we can offer broad definitions of the services they will offer.
PISPs are digital services that enable a push payment directly from a customer’s bank account to a merchant. Put simply, it’s like a simple pay button for an ecommerce transaction with the PISP providing the link between the customer’s bank account and the retailer.
The idea is to remove the need for a card, creating a new payment experience for consumers. Currently it only really relates to ecommerce transactions, it doesn’t yet translate to face-to-face purchases.
AISPs are consumer services that aggregate a person’s financial data in one place. For example, you could consent to allow a comparison site to aggregate all your bank account information, loans and other financial products, giving you a better view on your spending and the option to switch if better rates are available.
...the aim is to give consumers greater control and visibility over their finances.
A majority of PSD2’s requirements became law on January 13th 2018, including those relating to enhancing consumer rights and surcharging.
However, the SCA requirements and third-party access framework don’t come in to force until September 2019.
What’s your Strong Customer Authentication strategy?
Like all regulation, Strong Customer Authentication (SCA) brings new challenges. But with the right strategies in place, merchants can be compliant, help reduce fraud and offer secure payments. For more information, see our whitepaper: Demystifying the payment landscape: PSD2, SCA and the security challenge.
Speak to our payment experts today
0800 096 8237