PSD2 Regulation: What Are the Changes?

Nick Kolesnik
4 min read · Nov 14, 2019


Designed by the EU and European Economic Area, the first Payment Services Directive (PSD) was adopted in 2009. The main goal was to promote EU-wide commerce by allowing non-banks to accept online payments. Years down the line, changes in the industry and in customer behavior created a need for an updated version: PSD2.

To avoid confusion and risks of being non-compliant, I found out from the Tranzzo payment provider experts what online merchants need to know about PSD2.

Why Do We Need PSD2?

The main objectives of PSD2 are:

  • Strengthen the foundation for a consistent European payments market
  • Create equal opportunities for payment service providers
  • Broaden the framework of the existing regulations
  • Enhance customer protection and the overall transaction security
  • Decrease the costs for businesses by promoting fair competition

Key Changes in PSD2

The new regulations are aimed at enhancing payment security and transaction transparency. While the PSD2 contains various measures, some of them have a more significant impact on businesses.

Stricter Authentication

For card-not-present transactions, the PSD2 enforces strong customer authentication (SCA), i.e. two-factor authentication. Thus, if businesses want their customers’ banks to accept the transaction, there needs to be an extra step, namely 3D Secure — a three-domain model for card fraud prevention.

One of the downsides is that an additional action during payments, such as SCA, may cause a drop in sales. Also, this measure is only as secure as the bank’s protection from electronic fraud and errors.

Exemptions for the SCA requirement include:

  • Trusted sellers — beneficiaries can be whitelisted by users and not subject to SCA
  • Recurring transactions — subscriptions or regular billings will only need to be authenticated once
  • Low-value transactions — this exempts payments under €30, although banks may still require SCA in some cases, such as every 6th payment
  • Low-risk transactions — this includes cases when the provider has been deemed to have low fraud rates.

Payment Initiation and Account Information Service Providers

Banks are obliged to provide access to payment accounts to third parties: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).

The key points of PISPs are:

  • Credit transfers are performed by third-party providers through their IT infrastructure/applications
  • The rules apply in relation to payment accounts which are accessible online
  • Contractual relations between PISPs and payment institutions cannot contradict the PSD2
  • A payer must give explicit consent for the payment to be executed.

Prior to PSD2, the infrastructure of account servicing payment service providers (ASPSPs) and access to a payer's account were limited to online banking websites/apps, branches and terminals. Now, PSD2 helps businesses develop, broaden or redesign their existing offerings by opening up these services to third parties.

Account information aggregation through AISPs poses certain risks:

  • Perceived IT security flaws
  • Possibilities of fraud
  • Liabilities related to unauthorized transactions

Therefore, the rules must be matched with regulatory and market solutions — such as payments account directives (PAD), interchange fee regulation (IFR), anti-money laundering directives along with real-time payment, blockchain, etc.

Additions to the Registration Requirements

Organizations that provide payment transaction services will have to obtain licenses and become an EBA-authorized (European Banking Authority) institution. The authorization is granted by competent authorities varying from country to country.

The requirement to register covers the following natural or legal persons:

  • Payment institutions
  • Agents acting on behalf of payment institutions
  • Branches of payment institutions in the Member States
  • Electronic money institutions
  • Account information services

The Aftermath of Non-Compliance

Companies that missed the 14 September 2019 deadline face penalties laid out by the EBA. Also, organizations that neglect the rules could face an audit and prosecution by national authorities.

Yan Klochko, the CEO of Tranzzo, commented on another important implication of non-compliance:

“Online businesses that fail to apply the regulations in practice could be rejected by banks. Consequently, the purchases will not be able to go through, causing direct financial losses. By attempting to perform non-authenticated payments, businesses may lose considerable transaction volume.”

Challenges of Adopting PSD2

Adopting new regulations may not be seamless and organizations are facing certain obstacles on the way to becoming PSD2-compliant:

  • PSD2 compliance requires businesses to identify trustworthy collaborative relationships
  • In order to adapt to the change, businesses will have to coordinate different departments as well as products, services, and operations within the company
  • Regulatory bodies may not have encompassing methods for verifying compliance
  • Unclear specifications for IT and design changes may slow the process down
  • Businesses may have trouble communicating the new rules to customers

Even though PSD2 requires a multi-faceted approach, businesses have the capability to ensure a smooth transition for their customers. It should also be mentioned that these points will need to be taken into consideration in Europe as well as outside the EU.

Lastly, regulations and the interpretations of the directive may vary depending on the country. Therefore, some rules may remain uncertain unless approached on a case-by-case basis.

For businesses, it will be valuable to learn all the intricacies of PSD2. It will eliminate the possibility of misinterpreting the regulation and help you make sense of the payment processing rules.


Nick Kolesnik

Payment specialist with 7+ years of experience in the field. Main areas of expertise: FinTech services, project management, e-commerce, sales, startups