August 12th, 2019
What Is PSD2?
Payment Services Directive (PSD2), is a set of changes that regulates electronic payments throughout the EU (This will still apply to the UK, post-Brexit). The change is due to revolutionise the payments industry, affecting how customers make an online transaction, decreasing fraud and restructuring how a payment is processed.
In this article, we will be going into great detail about everything you need to know about PSD2 for your E-commerce website. From the key changes of the new regulations, all the way to the exemptions of Strong Customer Authentication.
Firstly, let’s dive into how the Payment Services Directive got to where it is today…
The History Of Payment Services Directive
The Payment Services Directive was first actioned in 2007, with the aim of laying a foundation within the EU single market to create a safer and more innovative payment service. With technology moving faster than regulations, it was certainly time for a new action to reduce payment fraud, especially in the case of cross border transactions.
The main objective of PSD1 was to:
- Make payments safer and more secure
- Protect consumers
- Commit to a more unified and dynamic European payments market
- Enhance the level playing field for payment service providers
In July 2013, the Payment Services Directive was revised. This revision included a proposal for a regulation on interchange fees for card-based payment transactions. This was called the Interchange Fee Regulation 2015/751. The main purpose of this was, merchants will no longer be allowed to surcharge consumers for using their payment card.
As part of the PSD1 revision, a new proposal for PSD2 was put on the table. Over two years later towards the end of 2015, the European Parliament and EU Council approved PSD2. From there, the new regulations were published in the official journal of the EU.
After many years of communications between major banking authorities and commissions, a due date for the PSD2 requirements was set. On the 14th of September 2019, new requirements for authenticating online payments will officially be introduced in Europe.
What Are The Key Changes Brought By PSD2?
Payment Services Directive 2 will cut down the monopoly that banks hold on their user’s data. Merchants will be allowed to retrieve customers account data straight from their bank. In simpler terms, when a customer makes a purchase online, rather than being redirected to Paypal, Visa, etc; the payment can be made directly from the merchant.
On top of this, PSD2 will require stronger customer authentication checks. These checks will significantly cut payment fraud; thus, making online purchases much more secure.
What Is Strong Customer Authentication?
Strong Customer Authentication has been used frequently for several years now; however, it is now a requirement introduced to reduce fraud. There are 3 types of authentication that will be commonly used across E-commerce websites. This is known as two-step authentication.
Something The Customer Knows
- This could be a password or a memorial answer that the customer has chosen themselves. An example of this is “What was the name of your first pet”.
Something The Customer Has
- This could be a phone, digital pin or hardware token. An example of this is a numerical code sent by text to your mobile.
Something The Customer Is
- This could be your fingerprint or face recognition. An example of this is on the Apple store when purchasing an application on your phone.
When a customer makes a payment and Strong Customer Authentication is required, they will have to complete one of three authentication requests. This will be chosen completely randomly, eliminating the chance of fraud.
Starting from the 14th of September 2019, banks will decline payments that require Strong Customer Authentication but do not implement the standards above.
When Will Strong Customer Authentication Not Be Required?
There are 6 key types of sales that will typically not require Strong Customer Authentication (SCA).
Payments That Are Below £30
Any payment below £30 will be seen as low-value and will, therefore, be exempted from SCA; However, there are two variables to this. Banks will need to request authentication if the exemption has been used five times since the cardholders last successful authentication or if the sum of exempted payments exceeds £100.
Some payment providers will have the authority to do a real-time risk assessment of the purchase in order to determine whether the transaction requires a two-step authentication.
In regards to subscription transactions that are a fixed amount, authentication will only be required on the initial payment. However, any additional/unexpected charges may need customer authentication to be renewed.
If card details are passed over the phone during a sale, this falls outside the scope of Strong Customer Authentication. Therefore, the cardholder’s bank will have to make the final decision about whether to accept or reject the transaction.
During the process of authentication, a customer may be able to opt the business into their whitelist. This will allow them to make purchases in the future without authentication. This list will be maintained by the cardholders bank or payment service provider.
This exemption will be able to cover payments that are made with “lodged” cards. An example of this is corporate cards that are used for employee travel expenses. This exemption can be requested by the cardholder to their bank.
How Does PSD2 Affect Your Business?
If you have an E-commerce store or any type of payment can be made on your website, PSD2 will directly affect your business. You may be thinking, what do I need to do?
Firstly, you need to become PSD2 compliant if you are not already. This should be done with your payment partner, whether it is SagePay, Apple Pay, PayPal, etc. It is worth knowing that is not a negative change to the payment word. PSD2 is bringing exciting new technologies that certainly open doors that will make it easier for customers to make a purchase; therefore, increasing your E-commerce conversion rate.
What If You’re Not PSD2 Compliant?
The Payment Services Directive is for banks and not for merchants; therefore, if a payment provider approves a transaction that is not compliant to the new regulations, the provider in question will be in violation.
However, it is unlikely for a payment provider to do this, instead what they will do is decline the payment on the website until the merchant upgrades to Strong Customer Authentication. This means that a loss in revenue could be achieved if not acted upon before the deadline of 14th September 2019.
How Can Brave Help You Prepare For Strong Customer Authentication?
With the deadline of PSD2 compliance closing in very fast, now is the time to proactively get in contact with your payment provider and optimise your methods of payment before the 14th of September!
We have smoothly assisted many of our E-commerce clients to become compliant with the new regulations, if you would like help to be prepared for PSD2, contact our E-commerce specialists today on 0845 544 3626 or get in touch by email!