In recent months, there has been significant buzz around PSD2, the Revised Payment Services Directive designed by the European Union.
PSD2 was first introduced in 2015 (and has applied since January 2016), but members of the EU have had until January 2018 to implement it. By September 2019, merchants must ensure they’re compliant with the broader scope of the PSD2 rollout which includes Strong Customer Authentication (SCA).
So, What’s It All About?
PSD2 is a set of regulations slated to replace the original Payment Services Directive first issued in 2008. The directive intends to create a level playing field by standardizing, integrating, and improving payment efficiency in the EU.
The driving force behind both PSD2 and its predecessor PSD1, was to equalize the landscape between countries and between payment providers, with the end goal of increasing competitiveness and strengthening security for online customers. The intention here is ultimately to give consumers better value and usher in a new era of “open banking” wherein customers will have unprecedented freedom in how they access financial services. PSD2 essentially breaks the banks’ monopoly on their users’ data, giving online retailers the ability to retrieve customer account data directly from a customer’s bank - with the customer’s permission. The idea is to cut out the middleman completely, allowing the retailer to make payments on behalf of their customers, without ever having to redirect the user to another service provider.
With that idea in mind, PSD2 introduces two new types of authorized payment institutions, or what are deemed third party payment services providers (TPPs), in order to give customers more freedom and choices in how they manage their finances:
Account Information Service Provider (AISP)
AISPs provide aggregated account or available balance information on one or more payment accounts held by the payment service user.
2. Payment Initiation Service Provider (PISP)
PISPs initiate payment orders at the request of the payment service user with respect to a payment account held at another payment service provider.
Under the PSD2 regulations, fintech companies, merchants, banks and insurance companies can all become TPPs. In order to become TPPs and gain access to customer transaction and account information, companies need to obtain either AISP or PISP licenses.
By virtue of the fact that access to all of this private data will now be available to more players, the institution of PSD2 regulations means stricter rules to which all of these players will need to abide. The directive sets out rules concerning:
Strict security requirements for electronic payments and the protection of consumers' financial data, guaranteeing safe authentication and reducing the risk of fraud
The transparency of conditions and information requirements for payment services
The rights and obligations of users and providers of payment services
Improving Cyber Security in the Payments Space
These requirements for authenticating online payments are known as Strong Customer Authentication (SCA), an item housed within the broader scope of the PSD2 rollout, and perhaps the most impactful of the conditions contained within the regulations themselves. The intention of SCA is to better protect online customer data and to reduce online transaction fraud.
SCAs will apply to online payments specifically within the EU, in the event that both the customer’s card issuer and the payment provider for the business are located in the EU. The additional SCA security requirements will mean that customers must authenticate their identities using two of the following three options:
Knowledge - Something only the unique user would know (e.g. password)
Possession - Something to which only the user has access (e.g. mobile phone)
Inherence - Something the user “is” (e.g. fingerprint)
The SCA tenet of the new regulations intends to minimize online fraud. However, these increased authentication requirements injected into the payment process are likely to increase friction in consumers’ shopping experiences, and businesses will have to find a way to simultaneously add security measures while ensuring a streamlined customer journey.
Although the full impact of the PSD2 regulations are still relatively unknown, it is important to be aware of and prepared for their potential impacts.