What is PSD2?
PSD2 is the second iteration of ‘Payment Services Directive’ (PSD), a European Union (EU) directive first introduced in 2007 to regulate payment services and payment service providers (PSPs).
PSD also allowed for better pan-European competition and participation in the payments industry while threatening to break-up the banking industry’s monopoly on facilitating secure online payments.
Primary Aims of the Payment Services Directive
· Dictated the rules and guidelines for modern payment services in the EU
· Simplified payment processing within the EU
· Aimed to promote competition by opening payments up to new entrants
· Improved payment efficiency, encourages innovation and reduces costs
· Provided the legal platform for the ‘Single Euro Payments Area’ (SEPA)
Payment Services Directive
The EU’s Payment Services Directive was a way of protecting consumers, merchants, and issuers from crime while establishing an industry wide standard for the online processing of payments.
Although the concept of online payments is a global phenomenon, companies must still adhere to the national policy when it comes to regulation.
Governments the world over are of course eager to reap the benefits of participating in this global payment system, however, they still have an obligation to protect consumers, merchants, acquirers, and issuers from online fraud; hence the need for a set
of universal (for the most part) directives.
In response to changes in online payment infrastructure, along with the numerous technological advances which have taken place in the last decade or so, the EU deemed it necessary to update the legislation back in 2016.
The updated directive requires that all participating states implement the new rules as national law by 13 January 2018 which is why the industry is becoming increasingly interested and potentially concerned about complying with PSD2.
PSD2: What’s Changed?
PSD2 is a substantial overhaul of existing regulations for the payments industry.
It aims to increase competition within the payments industry, bring into scope new types of payment services, enhance customer protection and security, and extend the reach of the Payment Services Directive.
Naturally, merchants, issuers, and acquirers, along with some particularly security-conscious consumers, want to know what’s changed and what’s been added to the original Payment Directive Services legislation.
Let’s start with a list of the key changes as these will be the most pressing for those wishing to ensure they are in full compliance with the new PSD2 regulations.
PSD2: Key Changes
-
Creates an equal playing field for payment service providers, enabling new third-party companies to get into the payments space; these Third-Party Players (TPPs) are divided into two classifications:
-
Extends scope of regulation beyond Europe partly by including what are referred to as ‘one leg out’ transactions
-
Promotes SCA (Strong Customer Authentication) by providing clarity on the use of emerging payment methods such as mobile payments, biometrics payments, 2FA (Two Factor Authentication), and OTPs (One Time Passwords)
-
Harmonises pricing and improves security of payment processing across the EU and beyond
-
Broadens the definition of the term ‘Payment Institution’
-
Prohibits card surcharges
-
Secures online payments and account access
Aside from these, PSD2 promises to standardise, integrate, and improve payment efficiency within the EU and beyond, thanks partially to ‘one leg out’ transactions which insist on PSD2 regulation being adhered to even when only one of the parties are in the
EU.
In a more general sense, PSD2 offers far superior consumer protection by insisting upon a higher level of authentication; for example, PSD2 mandates 2FA which has and will continue to make it incredibly difficult for criminals to impersonate consumers online.
Two Factor Authentication requires customers to provide a unique One Time Password – usually a code or string of numbers and letters sent to their registered email address or mobile device – as well as their password.
Other methods of additional authentication include biometric authentication – usually a fingerprint authenticated by their mobile device – or an onscreen QR code which must be scanned, again by a mobile device via apps such as Google Authenticator.
Finally, PDS2 promises to promote innovation in the payments space which will undoubtedly reduce costs for consumers and merchants alike.
PDS2 is fantastic news for the industry and, in my honest opinion, should be embraced with open arms.
3DS 2.0 & PSD2
Many are wondering how the introduction of PSD2 has and will continue to affect 3DS 2.0 (3D-Secure 2.0), the updated protocol which ensures safe and secure online transactions. First, let’s quickly recap 3DS 2.0.
3DS 2.0: Recap
3D-Secure 2.0 is the vastly improved and updated second iteration of 3D-Secure.
3D-Secure 2.0 aims to facilitate ‘frictionless shopping’ which incorporates the ease and speed of ‘old school’ transactions with the security of 3D-Secure by offering multi-factor authentication which, once set up, means transactions (even card-not-present
transactions) are simple and straightforward for consumers.
Additionally, merchants have the peace of mind of knowing they are not at risk.
So, the consumer is happy because the authentication process is straightforward and the merchant is happy because, if there are any issues with security/payment, it’s the acquiring bank, not them, that’s liable.
3DS 2.0: Key Benefits
-
Consumers want a convenient and secure service when carrying out e-commerce payments; 3D-Secure 2.0, along with the corresponding MPI and ACS technology, will provide these benefits, adding efficiency with little to no impact on applications and payment
gateways that customers are already familiar with.
3DS 2.0: How Does it Work?
3D Secure 2.0 is the future of online payment authentication; but how does it work? Let’s have a brief look at the technology behind the widely adopted protocol.
Please note: the basic three-pronged infrastructure remains largely unchanged since the original 3D Secure.
The protocol links the financial authorization process with the online authentication, usually via a popup window which prompts the user for a prearranged password tied to the card being used.
Other methods of authentication include the use of OTPs, i.e., verification codes which are sent, via text or email, to the user to provide an extra layer of security before a payment is processed.
This additional authentication is based on a three-domain model (hence the name).
The three domains are:
-
Acquirer Domain: the bank and the merchant to which the money is being paid
-
Issuer Domain: the bank which issued the card being used
-
Interoperability Domain: the infrastructure provided by the card scheme to support the 3D Secure protocol); this includes the Internet, MPI (Merchant Plug-in), ACS (Access Control Server) and other software providers
3DS 2.0: PSD2 Implications
So, we know that millions in Europe and around the globe are going to adopt the 3DS 2.0 protocol for its SCA (Strong Customer Authentication), its use of device information for risk based authentication, and its facilitation of ‘frictionless shopping’ for
consumers, greatly reducing cart abandonment rates (a problem with the old protocol).
3DS 2.0 has put a lot of pressure on Issuers.
The rise of fintech is fuelled by the fact that the technological world moves incredibly rapidly with exciting innovations waiting around every corner; this culture isn’t compatible with old institutions like banks.
Thanks to this innovative forward-thinking culture, fintech companies have successfully transformed themselves directly into ‘Acquirers’.
Now, unsurprisingly, we see the same thing happening on the ‘Issuing’ side, powered by increasingly sophisticated technology and the ability of global brands to reach out directly to consumers in ways which even banks operating locally struggle to do.
As governments have gradually caught up with the technological world of secure online payments, legislatures have and will continue to play a central role in moulding the future of the payments industry.
The new PSD2 regulations are an example of this shift in direction.
The good news is PSD2 does not require 3DS 2.0; 3DS 1.0.2 satisfies the requirements of PSD2 so, if you’re yet to take the plunge and update to 3DS 2.0 (which we highly recommend), you can still comply.
In addition, 3DS 2.0 promises to make the experience a lot easier, eliminating friction and allowing the provisions of PSD2, and the prevention of fraud to be achieved effortlessly by consumers, merchants and banks.
One of the most interesting implications of PSD2 for merchants (as touched upon earlier) is how it enables them to challenge banks and in effect bypass that step of the authentication process completely. Because of PSD2’s insistence on things like OTPs (One
Time Passwords) and 2FA (Two Factor Authentication), consumers will be able to grant merchants permission to approve online payments securely on their behalf by communicating with the ‘Issuer’ (bank) via a 3DS Server (a requirement when using 3DS 2.0).
Technically, it seems that PSD2 and 3D Secure 2.0 protocols can be combined. Banks can utilise the same ACS infrastructure to process SCA and eCommerce 3D Secure transactions at the same time. This can also be a driver for banks to upgrade to a 3D Secure
2.0 ACS.
If you've read this far, please also share your comments with me. I'd love to know your thoughts.