articles

All about PSD2: what merchants should know

Business is not all about developing products and growing your brand. Some things don’t come to mind at first but are crucial. We’re talking rules and legislation the company must abide by to see their business live long and prosper, so to say. 

Merchants from the EU know what it’s about, as they have to deal with both GDPR and PSD2. And speaking of the latter, the PSD2 compliance is on the front burner. You see, in less than two months, the EU companies are expected to fully implement the strong customer authentication, which is a part of this EU directive. 

So, it seems that now is a good time to look back at what the PSD2 is all about, and what strong customer authentication entails.

EU’s Revised Payment Services Directive (PSD2) – what’s that

It all started with the first Payment Services Directive implemented by the European commission in 2007 to better regulate the single EU payments market. It was aimed at enabling more secure and efficient cross-border payments with more transparent fees. But as the industry has been growing and evolving, it was time to update the regulation to go hand in hand with rapid digitalization.  

Enter the Revised Payment Services Directive, replacing the original directive in January of 2018. The EU directive covers two main things: the encouragement of technological upgrades through Open Banking, and the security improvement of online payments.

Open Banking allows Third-Party-Providers (TPPs) like Fintech companies to access the banking data of cardholders to provide more advanced and user-friendly financial services. 
This enables great possibilities for traditional banks and Fintechs collaboration. As the former bring their regulatory status and reliably to the table, while the latter offer better technical solutions, which are more customer-oriented. In other words, the banks, Fintechs, and cardholders all gain something from this alliance. 

Meanwhile, to complete the payment security upgrade, businesses should start using strong customer authentication (SCA). The process requires customers to pass an extra level of verification when buying things online. More on that in the next section.  

SCA – strong customer authentication 

The SCA is the part of the Revised Payment Services Directive the merchants should regard the most. The regulation is aimed at making online purchases as safe as possible by reducing the possibility of fraudulent transactions.

Keeping up and updating security tools is the companies’ top priority when dealing with customers’ money and financial data. Not only to keep your reputation trustworthy but no to cross the chargeback threshold. 

The SCA entails a double authentication of a customer. To do that, the buyer needs to verify two out of three things. These things are:

  • Something a person knows – refers to a password or other type of code;
  • Something a person has – a phone or an app, to get an OTP/ approve the authentication request;
  • Something a person is – a biometric data like a fingerprint or an face recognition;

Most of the transactions are expected to meet the SCA requirements, but there might be exceptions. Keep in mind, that even if the payment falls under one of the categories listed below, the card-issuing bank still can request strong customer authentication:

  • The subscription-based payments. You only need to pass the SCA when you first enter your payment details, monthly payments happen automatically;
  • Buying things under 30 euros. If the purchase is cheaper than 30 euros, the customer is likely to miss out on the SCA, but only if it wasn’t 5 transactions since the last SCA or the sum of previous exemptions isn’t over 100 euros;
  • Merchants you trust. If there is a company person deems reliable, they can whitelist it to make purchases without strong customer authentication;
  • Merchant Initiated Transactions (MITs). These happen when initiated by a merchant, and a cardholder is not present. MITs are only possible if the customer has allowed the merchant to initiate the payments on their behalf. In this case, the customer’s financial data is saved during the first transaction, and then used for the MITs;
  • Transaction risk analysis. Some payment service providers can analyze transactions and decide upon whether or not to use SCA based on PSD2’s requirements;

PSD2 compliance date

The Revised Payment Services Directive went into full effect on September 14th, 2019. But since then, the final deadline for SCA implementation had been postponed several times. 

As of November 2020, the SCA compliance deadline for merchants from the European Union is December 31, 2020. And Great Britain has time till 14 September 2021. 

Still, considering all the events happening in 2020, we won’t exclude the possibility, that the final date of compliance will be pushed back to a later date. Besides, not all merchants are ready to change. According to the latest research by Amadeus published in October, only around 33% of surveyed travel firms confirmed they will be SCA compliant until December 31st. The research also revealed that the pandemic has set SCA programs back by around six months.

So how can merchants get ready for the new era in EU payments? Find out in the following section. 

PSD2 compliance: what merchants need

What companies need is to update the technical tools which allow them to accept payments on their websites. The most common solution for that is a 3D Secure protocol version 2.0, aka 3DS2. 

Established almost 20 years ago, the 3D Secure protocol allows for a double authentication of a customer. In 2016, the protocol was updated to its 2.0 version to eliminate existing issues, as well as cover all the necessary bases for the SCA. 

For instance, 3DS2 is integrated with mobile devices, which is crucial for online purchases nowadays. The latest version of a protocol uses one-time-passwords and biometric data for authentication, making the payment process faster and more seamless. Unlike its predecessor, 3DS2 gathers 10 times more (150) data points during the transaction evaluation, making it easier to detect fraud. 

Overall, 3D Secure 2.0 is a good basic instrument that reduces fraud and chargebacks, as scammers will require the cardholder’s phone or biometric data in addition to stolen card to complete the purchase. There is also a liability shift – if the fraud-related chargeback occurred, but a person used 3DS2 for verification, the liability shifts from the merchant to the issuing bank.

GDPR and PSD2: the difference between them

PSD2 and GDPR often come up together in conversations. No wonder, as GDPR is yet another regulation from the European Union. But what’s the difference between them?

General Data Protection Regulation (GDPR) is digital privacy legislation that sets guidelines when it comes to the collection and processing of personal data of people from the European Union. The goal is to protect people’s data from frequent breaches and fraud, as more and more of our personal information ends up online and may be used with malicious intent. 

Even if your company operates outside the EU, you still should abide by GDPR, if you sell any products/services to EU citizens. 

Thus, GDPR and PSD2 seem to have some contradictions, as the former restricts the personal data from being shared by other parties, while the latter encourages data sharing through the Open Banking. The European Data Protection Board provided their guidelines on the interplay of the Second Payment Services Directive and the GDPR, which you can find here

As mentioned before, the Revised Payment Services Directive is something each party, which is a part of payment processing, can benefit from, including banks, Fintechs, customers, and merchants. 

Speaking of the latter, it’s not enough for a company to have its security in check – finding a reliable financial institution is crucial as well. Genome is a PSD2 compliant Electronic Money Institution, which provides banking services completely online. With us, you can start a personal, business, or merchant account with fast onboarding and minimal documentation. All our clients’ funds are secure with Covery anti-fraud platform services. 

And right now, Genome has our virtual and physical debit cards are ready for pre-order. Available for both personal and corporate needs, you can use virtual cards for online shopping, and physical ones for paying on the go – within the EU or abroad, wherever you like. Check out Genome’s website for more information.