What is PSD2 and what does it mean?

PSD2 is an EU directive which enables bank customers to use third-party providers to manage their finances. This is done through APIs (application programming interfaces), which allow third parties to build financial services on top of existing banks' data and infrastructure. This means that banks will no longer be competing only with other banks, but with everyone who offers a financial service. The directive aims to encourage innovation, reinforce customer protection and improve the security of internet payments and account access within the EU and EEA (European Economic Area).


Implications:

  • Larger geographical reach, covering all official currencies (cryptocurrencies excluded)
  • Under the EPC SEPA Direct Debit (SDD) core scheme there is an unconditional right to a refund up to 8 weeks after purchase
  • A ban on surcharging for most card payments (except those subject to the interchange fee)
  • In case of unauthorised payments, the consumer will not pay more than €50 (vs €150 before), except in certain situations such as fraud or gross negligence

What kinds of websites need to take action?

Ecommerce websites need to ensure that they have 3DS 2.0 implemented for their online transactions. This ensures that transactions run smoothly and that many will not have to be authenticated via SCA, so customers have an uninterrupted user journey. Also, ensure that two-factor authentication is set up and available, and inform your customers: put a banner on the website explaining the changes and send out emails before the changes take effect.

Retailers also have to accommodate the ban on surcharges. This means that all transactions must be free of surcharges, regardless of how the customer is paying. The charges currently passed on to customers will need to be absorbed, so it is worth considering how to cover those costs.

Companies which offer a subscription service need to ensure that their subscribers go through the SCA process (see below). It is advisable to email the customer a couple of days before the payment and ask them to confirm the payment with their bank, so that the payment goes through quickly and smoothly.

What to look out for when registering with a third party:

  • They must be registered with the EU
  • They are regulated at EU level
  • Be aware that they can access your bank account and all the information associated with it
  • They need prior consent from the customer

What is SCA?

For electronic transactions to comply with SCA (Strong Customer Authentication), two or more of the following authentication procedures must happen:

  • Knowledge - something only the user knows (PIN, security question etc.)
  • Possession - something the user has (card)
  • Inherence - something the user is (fingerprint, voice recognition)
  • Extra element - a unique authentication code

When would SCA be used?

SCA is used:
  • The first time a website, beneficiary, third party etc. is used
  • Every 90 days

SCA is not used:
  • Below a certain amount of money
  • For a trusted beneficiary
  • For a recurring transaction
  • For a low-risk transaction
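The two lists above (which factor categories count towards SCA, and when SCA is or is not applied) can be expressed as a small decision routine. The following is an added example written for this article, not code from any bank, scheme or vendor. It assumes a low-value limit of 30.0 (the article only says "below a certain amount") and assumes that the "used" rules take precedence over the exemptions, so a first payment to a new beneficiary is always challenged even if it is low-value or recurring; the merchant, beneficiary and date values are constructed for the walkthrough.

```python
"""Toy SCA decision helper (constructed example, not from any standard or vendor)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# The three SCA categories named in the article. Distinct categories count,
# not the number of challenges: a PIN plus a security question is still one
# knowledge factor, not two factors.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Assumed values for this example only. The article says "below a certain
# amount" without a figure; the 90-day re-authentication period is from the article.
LOW_VALUE_LIMIT = 30.0
SCA_VALIDITY = timedelta(days=90)


def meets_sca(evidence):
    """evidence: iterable of (category, description) pairs the customer presented.
    True only when at least two *distinct* categories are present."""
    categories = {cat for cat, _ in evidence if cat in (KNOWLEDGE, POSSESSION, INHERENCE)}
    return len(categories) >= 2


@dataclass
class Transaction:
    amount: float
    website: str        # merchant / third party the customer is paying through
    beneficiary: str    # who receives the money
    recurring: bool = False
    low_risk: bool = False


@dataclass
class CustomerHistory:
    last_sca: dict = field(default_factory=dict)            # website -> date of last SCA
    known_beneficiaries: set = field(default_factory=set)
    trusted_beneficiaries: set = field(default_factory=set)


def sca_required(tx, history, today):
    """Return (required, reason) following the article's used / not-used lists.
    Precedence is an assumption of this example: the 'used' rules win over exemptions."""
    if tx.website not in history.last_sca:
        return True, "first use of this website/third party"
    if tx.beneficiary not in history.known_beneficiaries:
        return True, "first payment to this beneficiary"
    if today - history.last_sca[tx.website] >= SCA_VALIDITY:
        return True, "90 days or more since last SCA"
    if tx.amount < LOW_VALUE_LIMIT:
        return False, "below low-value limit"
    if tx.beneficiary in history.trusted_beneficiaries:
        return False, "trusted beneficiary"
    if tx.recurring:
        return False, "recurring transaction"
    if tx.low_risk:
        return False, "low-risk transaction"
    return True, "no exemption applies"


def record_sca(history, tx, today):
    """Call after a successful SCA so the 90-day clock and the beneficiary list are updated."""
    history.last_sca[tx.website] = today
    history.known_beneficiaries.add(tx.beneficiary)


def run_scenario():
    """Walk one customer through the rules; returns the list of (required, reason) decisions."""
    history = CustomerHistory()
    day0 = date(2019, 9, 14)                       # constructed date
    first = Transaction(amount=120.0, website="shop.example", beneficiary="Shop Ltd")
    decisions = [sca_required(first, history, day0)]
    record_sca(history, first, day0)               # customer completed SCA on day 0
    day10 = day0 + timedelta(days=10)
    decisions.append(sca_required(Transaction(20.0, "shop.example", "Shop Ltd"), history, day10))
    decisions.append(sca_required(Transaction(120.0, "shop.example", "Shop Ltd", recurring=True), history, day10))
    decisions.append(sca_required(Transaction(120.0, "shop.example", "Shop Ltd"), history, day10))
    decisions.append(sca_required(Transaction(120.0, "shop.example", "Other Ltd"), history, day10))
    decisions.append(sca_required(first, history, day0 + timedelta(days=90)))
    return decisions


if __name__ == "__main__":
    for required, reason in run_scenario():
        print("SCA required" if required else "SCA exempt", "-", reason)
```

The order of the checks is the point worth noticing: counting categories rather than challenges in meets_sca is what stops two knowledge prompts being passed off as strong authentication, and keeping the "first use" and 90-day checks ahead of the exemptions is what prevents a low-value or recurring flag from being used to skip the initial challenge.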

When does this come into force?

14th September

What is XS2A?

XS2A means Access to All Areas and brings two types of payment service under regulation for the first time: Account Information Services and Payment Initiation Services. This helps to make the process instant and free.

What is 3DS 2.0?

3DS 2.0 is an authentication protocol which allows issuing banks to verify card owners during the transaction process. 3DS prevents fraud and can limit the number of times SCA is needed by approving payments in real time whilst still ensuring the payment is secure. This also creates a frictionless user journey through the payment process, because having to verify your identity twice may cause a loss of customers.

3DS 2.0 can be integrated with mobile payment processing and supports a seamless authentication process by sending push notifications, unique SMS codes and so on, so customers don't have to remember passwords.
