PSD2 - Are You Ready For The Change?
The upcoming PSD2 changes due to take effect in September 2019:
PSD2: What is it? Summary:
The Second Payment Services Directive (“PSD2”) is a revised EU Directive on Payment Services that is being implemented in stages. It affects our everyday lives both as consumers and as businesses engaged in payment services, since the PSD2 sets the legal framework for card-based transactions. Certainly, the PSD2 caused a lot of discussion and worry at the time, but it has already given a lot to the industry and now has much more to offer, changing banking as we know it!
As of 14th September 2019, the next stage will come into force (with the UK also being affected, regardless of the impact of Brexit!) and applies to all online transactions where both the payment service provider and the payer’s bank are located within the European Economic Area (EEA), although it is arguable whether PSD2 should still be complied with where only one of them is based in the EEA.
The main thrust of the new stage is to implement two-factor authentication for online payments above the value of €30, adding an extra step to the payment verification requirements. This extra step is intended to make online payments more secure, reduce the risk of payment fraud, and emphasise security and innovation. The two-factor authentication is also referred to as “Strong Customer Authentication” or “SCA”, for short. This is certainly going to be a term that we will all soon be very familiar with, as the PSD2 starts taking over our everyday lives!
How will the SCA work?
Businesses typically use one authentication method for card payments and bank transfers, allowing for instant payment and/or access to account details. SCA will end this one-step process.
Now, SCA will be satisfied and a payment authorised only when the payer has been verified using two of the following authentication factors:
1. knowledge (i.e. including passwords, card details, PINs, passphrases or secret answers); and/or
2. items in possession of the payer (typically mobile phone Apps, smart cards or tokens); and/or
3. inherence – perhaps better described as an “identifying characteristic”, so fingerprints, facial recognition, voice patterns, DNA, signature, etc.
Will SCA apply to every transaction?
In short, “no”. The European Banking Authority has defined the exemptions to the SCA requirement in the following circumstances:
Low risk transaction
If a transaction is deemed to be low risk following a real-time risk analysis, SCA may not be required. However, complex conditions are imposed, as merchants have to rely on a payment service provider (PSP) (e.g. an acquirer) to act upon their exemption request. The PSP must, however, satisfy the additional prescribed conditions.
Payments below €30
Card transactions below €30 are considered ‘low value’ and are generally exempt from SCA. However, if the customer initiates more than five consecutive ‘low value’ payments or if the ‘low value’ payments exceed €100, SCA will be required.
Recurring payments of a fixed amount
When a customer makes a series of payments to the same merchant for the same amount (such as subscriptions and membership fees), the initial payment will require SCA but subsequent payments will be exempt from SCA.
Nevertheless, payments made periodically to the same payee where the value changes each time (e.g. a utility bill) will not benefit from the exemption.
Corporate payments
When a transaction is initiated by a business rather than a consumer, and it is processed through a secured dedicated payment protocol, it does not require SCA provided that alternative controls are sufficiently secure. This should include ‘secure virtual payments’, such as virtual cards or B2B cards.
Trusted merchants (‘whitelisting’)
Customers will have the option to ‘whitelist’ a merchant that they trust once the first SCA authentication is completed. The customer’s bank will maintain this ‘whitelist’ and subsequent transactions to a whitelisted merchant are likely to be exempt from future SCA.
However, issuers can still reject, challenge or request SCA in response to a ‘whitelist’ request if there is a high risk of fraud.
Card details taken over the phone
Card details collected over the phone do not fall within the scope of SCA. The customer’s bank will have the ultimate decision to accept or reject the transaction.
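The exemption rules above (low value below €30 with the five-payment and €100 limits, fixed-amount recurring series, trusted merchants that an issuer may still challenge on high risk, and telephone orders out of scope) combine into one decision per transaction. The following is an added illustration of that decision logic, not code from the original post or from any issuer or PSP; the per-card state model, the order in which the exemptions are checked, and the resetting of the low-value counters once SCA has been performed are assumptions.

```python
from dataclasses import dataclass, field

LOW_VALUE = 30.0            # per-transaction threshold from the post
LOW_VALUE_TOTAL = 100.0     # cumulative low-value limit from the post
LOW_VALUE_MAX_RUN = 5       # consecutive low-value payments allowed

@dataclass
class CardState:
    """Per-card state an issuer would keep (assumed data model)."""
    low_value_run: int = 0                         # exempt low-value payments since last SCA
    low_value_total: float = 0.0                   # their cumulative amount
    recurring: set = field(default_factory=set)    # (merchant, amount) pairs already SCA'd
    whitelist: set = field(default_factory=set)    # merchants the payer has trusted

def _challenge(st, series, reason):
    # Assumption: a completed SCA resets the low-value counters.
    st.low_value_run, st.low_value_total = 0, 0.0
    if series:
        st.recurring.add(series)                   # the series is now authenticated
    return True, reason

def sca_required(st, merchant, amount, channel="online",
                 recurring=False, high_risk=False):
    """Decide one transaction: returns (sca_required, reason) and updates st."""
    series = (merchant, amount) if recurring else None
    if channel == "phone":
        return False, "out of scope: card details taken over the phone"
    if series in st.recurring:                     # same payee, same amount: first one only
        return False, "recurring series already authenticated"
    if series:                                     # a changed amount is a new series
        return _challenge(st, series, "initial payment of a recurring series")
    if merchant in st.whitelist and not high_risk:
        return False, "whitelisted merchant"       # issuer still challenges on high risk
    if amount < LOW_VALUE:
        if (st.low_value_run >= LOW_VALUE_MAX_RUN
                or st.low_value_total + amount > LOW_VALUE_TOTAL):
            return _challenge(st, None, "low-value limits exceeded")
        st.low_value_run += 1
        st.low_value_total += amount
        return False, "low value"
    return _challenge(st, None, "above low-value threshold")

def decide(st, txs):
    """Run a sequence of transactions (dicts of sca_required kwargs) on one card."""
    return [sca_required(st, **tx) for tx in txs]
```

Running six constructed €10 payments on a fresh card yields five exemptions and a challenge on the sixth; five €25 payments trip the €100 cumulative limit on the fifth.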
In a Nutshell:
It is worth noting that, like so many laws at EU and national level in recent times, this is all about enhancing consumer protection. This newest element of PSD2 is deliberately designed to increase security measures for online transactions and to aid the development of payments. However, the day-to-day impact of the SCA will have some drawbacks which are almost impossible to avoid:
• Increased IT costs for businesses as they adapt their systems to make sure all will run smoothly.
• An increased likelihood of declined payments generally, especially in the early days. Customer Services need to be ready to explain and be patient with consumers!
• Increasing difficulty for banks to differentiate themselves in the market for offering loans, as non-banks take over the customer interaction.
So, here comes the question again: Are you ready for the change? That is, are you ready for the next stage, moving from banks to banking?