The rapid growth in the volume and types of electronic payments has led to significant changes in legal regulations in different parts of the world.
The European Union has brought a set of rules under PSD2, regulating electronic payments to ensure fair competition and adapt to ongoing market changes.
Today, every business that receives online payments from EU cardholders needs to know what PSD2 is and how it applies to their operations.
This article outlines how these new regulations affect merchants and which payment processing mechanisms they need to comply their operations in the EU with PSD2.
What is PSD2?
The PSD2 – the Revised Payment Services Directive – is a set of rules specifying access rights to consumers’ bank accounts by third-party payment service providers (TPPs).
It is the updated version of the EU Payment Services Directive (PSD), adopted in 2007, aligning EU electronic payment regulations with current technological advancements and ongoing market changes.
This directive has two main goals:
- To enable consumers to use their banking information more easily.
- To specify the rules under which banks can allow TPPs to access consumers’ account and payment data to carry out transactions.
This directive defines the security requirements for electronic payment processing and ensures the protection of consumers’ payment data.
The purpose of PSD2 is to ensure a high-level of payment transparency in the European Economic Area (EEA) and to protect consumers from fraud.
How Does PSD2 Work?
The main change that PSD2 has brought is that consumers have more control over their bank accounts. This means that banks don’t have exclusive rights to access this information anymore.
Under the new directive, consumers can grant access to their banking data to third-party apps (e.g., accounting apps) or any other digital tool that helps with payment automation, financial planning, invoicing, or any other financial service.
Note: PSD2 specifies that all third-party payment services providers must undergo the process of registration, authorization, and supervision by relevant institutions in each member state to carry out these services. This directive also defines the relevant bodies responsible for the supervision of their operations.
The new online payment system introduced by PSD2, also known as open banking, is intended to liberalize the online payments market in the European Economic Area by giving opportunities to new payment service providers and reducing the monopoly of traditional banks.
An Overview of PSD2 Consumer Protection and Security
PSD2 has introduced various advanced mechanisms and regulations for consumer protection and security that also benefit merchants. These changes are outlined below.
Regulation of Third-Party Payment Service Providers
Under PSD2, third-party payment service providers are eligible to access information from the consumers’ accounts in order to enable three new kinds of services:
- Account Information Services (AIS). Third-party entities may be allowed to access consumers’ bank accounts and collect relevant data to provide account information services. This means that if a consumer has several accounts in different banks, under PSD2, they can authorize a TPP – for example, a payment app – to access their bank accounts and aggregate the necessary data under the consumer’s app profile.
- Payment Initiation Services (PIS). Another benefit of PSD2 is that consumers can authorize third-party entities to initiate payments on their behalf from their bank accounts and provide consumers with different payment services, such as paying for goods and services online.
- Issuing card-based payment instruments. The new regulation allows TPPs to issue card-based payment instruments to customers. This means that banks must grant the issuing entity access to customers' account details and information on the availability of funds.
Note: PSD2 brings additional benefits to merchants. For instance, you can contact an AIS provider to gather relevant data about potential high-value consumers, such as learning more about their previous transactions and account balance information to assess their risk level. However, bear in mind that these requests and procedures must comply with the GDPR.
As a result of these changes, the EU member states had to pass legislation that prevents banks from blocking authorized third-party payment providers from accessing consumers’ bank accounts. If a consumer allows an authorized TPP to transfer money from their account, the bank must comply.
This regulation was put into force on September 14, 2019.
Clarification of Liability Issues
PSD2 defines potential liability issues between the account-servicing bank and the third-party payment service provider.
If an unauthorized transaction has not been initiated through a TPP, it is the bank or other account-maintaining party that must refund the consumer.
However, if the TPP is liable for an unauthorized transaction, it must refund the bank or the account-maintaining party at once.
PSD2 also brings a set of consumer protection measures.
When an unauthorized transaction occurs, the consumer must be refunded at once. If the consumer was unaware of a financial loss that occurred due to a data breach or stolen payment data, they’re not considered liable for the loss.
If a payment instrument is lost or stolen, the consumer can be considered liable for the maximum amount of €50, under the condition that they informed the payment service provider of the incident and that they did not intentionally behave in a fraudulent or negligent manner.
Consumers have the right to an unconditional refund for direct debits in Euros within eight weeks from the payment date.
The Surcharge Ban
PSD2 bans merchants from collecting additional fees for particular payment methods, whether using a debit or credit card, or direct transfer.
The surcharge ban is imposed when a consumer initiates an electronic transaction if both the consumer’s card issuer or bank and the merchant’s payment service provider are based in the EEA.
Even if the surcharge ban is not applicable and the merchant collects the surcharge, the charged amount must not surpass the cost the merchant incurs for accepting the payment method in question.
Security Requirements for Electronic Payments
The flexibility and competitiveness that PSD2 brings to the European online payments market come with additional security requirements to prevent fraud and data theft.
The major security innovation brought by PSD2 is the introduction of strong customer authentication (SCA), which uses multi-factor payment verification. Security is ensured by the use of a two-factor authentication process, as a minimum requirement. This authentication process is based on the following principles:
- Consumer’s knowledge. Consumer’s knowledge refers to a piece information only the cardholder knows, such as a secret question, card PIN, or password.
- Consumer’s biometric data. Consumers may be asked to provide biometric data. This can involve verifying the payment with face recognition, with a fingerprint or an iris scan.
- Something that the consumer owns. Entering an authentication code sent to the consumer’s mobile device or using one-time tokens are examples of using items that a consumer owns to ensure authentication.
These elements are meant to be mutually independent so that a breach of one verification method doesn’t compromise the use of other security methods.
PSD2 lists some exceptions from applying strong customer authentication. These are:
- Card-not-present transactions under €30. If a consumer makes a card-not-present payment of less than €30, strong customer authentication does not apply. Still, if the consumer reaches the €100-limit, carrying out four or more €30-transactions in a row, the authentication applies.
- Contactless payments under €50. If a consumer initiates a contactless payment of less than €50, strong customer authentication is not required by PSD2. If the consumer reaches the €150-limit, carrying out four or more €50-transactions in a row, SCA applies.
- Whitelisted parties. A consumer can contact their card issuing bank to whitelist certain recipients to whom they often send money and avoid strong customer authentication for such payments.
- Subscription payments. When paying a subscription, only the initial transaction request involves multi-factor authentication.
Identical account owners. In the case when the person initiating the bank transfer is also the account holder of the receiving account, then no SCA is required.
This use of SCA was put into force on September 14, 2019.
Technical Implementation of PSD2
PSD2 is not a set of technical standards but a set of legal regulations. As such, several initiatives have developed specifications for implementing PSD2. However, banks and payment processors are free to develop their own solutions as long as they are PSD2-compliant.
Banks and payment processors had to change their payment procedures to put PSD2 regulation into practice. Those that had not already implemented SCA, needed to adapt their existing payment authentication methods by introducing SMS-authentication codes and software tokens. Moreover, banks and payment processors have had to finetune their tech systems and procedures to enable exemptions from the imposed strong customer authentication.
Merchants, on the other hand, need to bear in mind that if they want to process payments in the EEA, they must work with a payment processor that complies with PSD2.
Note: As a global payment processor, CCBill is fully PSD2-compliant and has introduced new features that initiate strong customer authentication. Merchants processing payments with CCBill can rest assured that their European transactions are secured with SCA.
Regardless of the technical implementation of PSD2, the regulation is designed to allow consumers to authorize third parties to access their financial data and make payments on their behalf securely.
PSD2 is a framework that specifies the standards and rules for handling electronic payments in the European Union.
The definitions, features, and procedures explained in this guide will help merchants and consumers understand how PSD2 improves the electronic payments market and makes room for its further growth.