PSD2 is data-driven legislation aimed at increasing competition, innovation, and transparency in the European payments market, as well as increasing the security of digital payments and transactions.
The Payment Services Directive (PSD), first adopted in 2007, serves as the legislative framework for the Single Euro Payments Area (SEPA). The Revised Payment Services Directive, Directive (EU) 2015/2366, is known as PSD2; the '2' marks the updated directive, which superseded the original PSD and has applied in EU member states since January 2018.
While the legislation presents direct challenges to banks by opening up their data, it is also a directive that can work in banks' favor by forcing system modernization, increasing collaboration, and improving fraud prevention and security platforms. In addition to data sharing, PSD2 allows authorized third parties to initiate online payments directly from the payer's bank account via an online portal. This opens up new opportunities for online businesses in how conveniently and cheaply they accept payments.
Why Is It Necessary?
In Europe, There Is an Increase in Online Payment Fraud
Between 2011 and 2016, the European Central Bank (ECB) recorded a 66% increase in card-not-present (CNP) fraud, i.e. online payment fraud, which was the main driver of the 35% rise in card fraud overall. Online fraud now accounts for 73% of all card fraud in Europe, and it is still increasing.
API Economy Growth
APIs (Application Programming Interfaces) enable different systems to communicate with one another. APIs are critical to the success of companies such as Amazon, Google, Uber, Stripe, Braintree, and others, and they have aided in the development of entirely new business models, including fintechs. APIs will enable banks and payment systems to become more open.
New Unregulated Business Models
Since PSD1, the digital payments market has grown and innovated, with a slew of new fintech players. Until now, these new business types have not been fully regulated, and their access to customer accounts has rested on ad hoc arrangements (often screen scraping with the customer's own banking credentials). PSD2 establishes standards and structure, giving these businesses regulated access to customer payment accounts.
The Importance of PSD2
PSD2 contributes to a number of changes in the payments industry, such as open banking, the creation of an integrated payments ecosystem, increased competition due to the emergence of fintechs and new entrants, and improved security and fraud prevention.
With payment integration and open access, fraud prevention is critical to protecting financial institutions and merchants. To stay one step ahead, businesses should set operational limits (transaction thresholds, velocity rules) and keep control over their own fraud and payment strategies rather than relying solely on the bank's checks.
Improvements in fraud prevention and data access are also good news for consumers: with the customer's consent, merchants and other authorized parties can initiate payments directly from the customer's bank account instead of routing them through a separate payment intermediary.
Banks, on the other hand, must ensure that their legacy systems meet the new regulatory standards and that they expose open APIs that can reliably authenticate and authorize third-party access requests.
The Goals of PSD2
PSD2's primary goals are as follows:
- Improve security.
- Encourage competition.
- Maintain technological and business-model neutrality.
- Contribute to payment integration in the EU.
- Protect consumers.
- Encourage innovation while improving customer convenience.
PSD2 is expected to significantly change how customer data is made accessible to authorized third parties once the customer has given explicit consent.
PSD2 starts from the premise that there is too much online fraud; one of the directive's goals is therefore to improve consumer protection against fraud and to strengthen security requirements through strong customer authentication (SCA).
For the payments industry, this represents both a challenge and an opportunity. Getting it right is a win-win situation in terms of customer security, trust, and convenience. Security mistakes might have the opposite effect.
Differences Between PSD1 and PSD2
The PSD2 revisions are primarily intended to reduce large financial institutions' control over user data while strengthening consumer rights. Here is who the changes affect:
- Customers: PSD2 enables businesses such as Amazon to retrieve bank account information with the customer's explicit consent. This is intended to streamline consumers' online payment experience while encouraging innovation.
- Brokerage firms: PSD2 requires banks and brokerages to be more transparent about the currency exchange rates they apply when processing online payments. They are also prohibited from charging certain processing fees, such as surcharges on most consumer card payments.
- Banks: Banks must implement advanced security controls because they are responsible for mitigating fraud risk. This includes verifying the origin of inbound API calls (which third-party provider is calling and whether it is authorized to access the account) as well as tooling for detecting fraud and cyber-attacks.
PSD2 requires banks, payment processors, and brokerages to reconsider how they approach customers and manage cybersecurity. While some of the same controls and principles apply from PSD to PSD2, there are a few significant differences.
- PSD2 broadens the scope of PSD1 by covering new services and players, notably account information service providers (AISPs) and payment initiation service providers (PISPs), and by extending existing services (payment instruments issued by payment service providers that do not manage the payment service user's account), giving these providers regulated access to payment accounts.
- PSD2 also modernizes the telecom exemption by limiting it primarily to micropayments for digital services, and it includes transactions with third countries when only one of the payment service providers is located in the EU ("one-leg transactions"). It also improves cooperation and information exchange between authorities in the context of payment institution authorization and supervision. The European Banking Authority (EBA) will create a central register of payment institutions that are authorized and registered.
- PSD2 introduces enhanced security measures that all payment service providers, including banks, must implement to make electronic payments safer. Specifically, PSD2 requires strong customer authentication (SCA) as the general rule for electronic payment transactions: the payer is authenticated with at least two independent factors drawn from the categories knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is), and for remote payments the authentication code must be dynamically linked to the transaction amount and payee. To that end, the Commission adopted the Regulatory Technical Standards on SCA and common and secure communication (Delegated Regulation (EU) 2018/389), which spell out how SCA and the exemptions from it are implemented.
Complying With PSD2
Preparing for PSD2 requires a few actions and procedures, depending on what kind of organization you are.
Begin Implementing MFA
Because multi-factor authentication (MFA) is the mechanism behind PSD2's strong customer authentication requirement, ensure that it is integrated into all of your customer-facing apps, services, and platforms that initiate or authorize payments. This applies to any merchant, processor, or digital financial service.
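What SCA-grade MFA looks like in code, as an added example that is not code from the original article or from any PSD2 implementation: the Python module below combines a knowledge factor (a password) with a possession factor (a one-time code derived from a device seed), enforces the two-different-categories rule described in the "Differences" section above, and applies PSD2's dynamic-linking rule by binding the possession code to the amount and payee, so a tampered transaction fails even with a valid password. The device seed is the RFC 4226 test value, the password, salt and IBAN are constructed demo data, and the HMAC-SHA256 message layout used for the linked code is this example's own choice, not a format PSD2 mandates.

```python
"""Minimal PSD2-style strong customer authentication (SCA) for a remote payment.

Added example, not code from the original article. Knowledge factor: a
password. Possession factor: a one-time code from a device seed, bound to the
transaction amount and payee (PSD2's "dynamic linking"), so a tampered
transaction fails even with a valid password. All seeds, hashes and IBANs
below are constructed demo values.
"""
import hashlib
import hmac
import struct

# Constructed demo values: the RFC 4226/6238 test seed and a throwaway password.
DEMO_DEVICE_SEED = b"12345678901234567890"
DEMO_PASSWORD_SALT = b"demo-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_PASSWORD_SALT, 100_000)
TIME_STEP = 30  # seconds per one-time-code slot

SCA_FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


def sca_satisfied(factors: set) -> bool:
    """PSD2 SCA: at least two factors from two *different* categories."""
    return len(factors & SCA_FACTOR_CATEGORIES) >= 2


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of a MAC to a zero-padded decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP; counter 0 on the demo seed gives the RFC test vector 755224."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time slot (a plain possession factor)."""
    return hotp(secret, int(at_time) // TIME_STEP, digits)


def linked_code(secret: bytes, at_time: int, amount_cents: int, payee: str, digits: int = 6) -> str:
    """Possession-factor code dynamically linked to amount and payee.

    The transaction details are mixed into the MAC input, so the same device and
    time slot yield a different code if either changes. The HMAC-SHA256 message
    layout is this example's own choice, not a format PSD2 mandates.
    """
    msg = struct.pack(">Q", int(at_time) // TIME_STEP) + f"{amount_cents}|{payee}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


def verify_linked_code(secret: bytes, code: str, at_time: int, amount_cents: int,
                       payee: str, skew_steps: int = 1) -> bool:
    """Constant-time compare against the current slot and +/- skew_steps slots (clock drift)."""
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = linked_code(secret, at_time + delta * TIME_STEP, amount_cents, payee)
        ok |= hmac.compare_digest(expected, code)
    return ok


def check_password(password: str) -> bool:
    """Knowledge factor: PBKDF2 hash compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_PASSWORD_SALT, 100_000)
    return hmac.compare_digest(candidate, DEMO_PASSWORD_HASH)


def authorize_payment(password: str, device_code: str, amount_cents: int,
                      payee: str, at_time: int) -> dict:
    """Collect the factor categories that verified and apply the two-category rule."""
    factors = set()
    if check_password(password):
        factors.add("knowledge")
    if verify_linked_code(DEMO_DEVICE_SEED, device_code, at_time, amount_cents, payee):
        factors.add("possession")
    return {"authorized": sca_satisfied(factors), "factors": sorted(factors)}


if __name__ == "__main__":
    now, payee = 1_700_000_000, "DE89370400440532013000"   # constructed demo IBAN
    code = linked_code(DEMO_DEVICE_SEED, now, 1250, payee)  # what the user's device would show
    print(authorize_payment("correct horse", code, 1250, payee, now))
    # A man-in-the-browser that raises the amount invalidates the same code.
    print(authorize_payment("correct horse", code, 99999, payee, now))
```

Two details matter in practice: the comparison must be constant-time (hmac.compare_digest) so the code cannot be guessed one digit at a time, and two factors of the same category (two passwords, or a password plus a memorised PIN) never satisfy the rule, which is why the check counts categories rather than credentials.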
Examine Your EU Operations
Assess your operations for PSD2 compliance if you have business units in the EU or receive substantial traffic from Europe. This includes adopting MFA as described above, as well as complaint-handling procedures that meet PSD2's requirements (PSD2 requires payment service providers to respond to customer complaints within 15 business days).
Increase Your Anti-Fraud Efforts
Although PSD2's security measures are likely to make card-not-present fraud harder in Europe, fraud tends to shift to markets without equivalent controls, so brace yourself for an increase if your company is based in the US. Make sure you have effective network and application firewalls in place and perform regular penetration testing. Achieving PCI DSS compliance will also help you prepare.
PSD2 compliance is mandatory for payment providers and banks. Customers' banks will reject payments that lack the required authentication, which raises decline rates and lowers conversion rates for online businesses that do not meet the SCA requirements.
Non-compliance therefore risks reducing transaction volume for both sellers and payment providers, but the consequences are more severe for payment providers: national regulators can levy fines and even revoke a payment provider's license. Unlike GDPR, PSD2 specifies no fine amounts, and because EEA members are at different stages of implementation, fines vary by country.