Internet use has grown exponentially in the past decades and has impacted our lives, especially how we make payments.
While these changes are welcome, they carry potential security problems that can wreak havoc on payments. To keep pace with the rapid evolution in the payment industry, the European Union revised the Payment Services Directive (PSD) to PSD2.
This guide explains what PSD2 is and what it means for consumers and merchants.
PSD2 is a European rule for electronic payment services. The original version was approved in 2007 to build a single market for payments in the European Union and European Economic Area. The directive made payment processing easier, allowing the entrance of new payment service providers.
In 2013, a proposal for PSD2 was published with the intention of:
These goals affect third-party access to customer account information and customer authentication. To improve customer protection, PSD2 has stronger requirements for online payments, including multi-factor authentication (MFA).
On the innovation and competition front, third-party players can now access consumer data from their financial institutions using APIs, provided they have customer consent. As a result, two new types of service providers were defined:
Payment Initiation Services (PIS) are simply online payments that include entering banking details to make online purchases. The PSD2 Directive forces banks to share customer data with authorized third-party payment solutions, provided the customer consents. Consequently, new players, Payment Initiation Service Providers (PISPs), can enter the market.
PISPs function like intermediaries between merchants and financial institutions. They allow direct transfers (with consent) from a customer’s bank account to a merchant through APIs.
Account Information Services (AIS) are a key part of PSD2, enabling businesses and consumers to share account information with third-party players.
With customer consent, Account Information Service Providers (AISPs) have access to their bank account data, including account balances, transactions, standing orders, and direct debits. With all this data, AISPs offer consolidated views of consumer payment accounts.
Although PSD2 gets rid of banks’ monopoly over customer account information, it doesn’t mean they are out of the game. PISPs and AISPs cannot operate as banks as there are services they cannot legally offer.
All companies dealing with electronic financial services need to be PSD2 compliant. They have to meet several requirements that vary depending on the business type to achieve this.
The entrance of third-party payment service providers adds entry points to transaction chains. While these entry points provide convenience, they are also potential weak points in transaction chains that fraudsters might exploit. To improve consumer protection and lessen fraud, PSD2 enforces Strong Customer Authentication (SCA).
The key component of SCA is multi-factor authentication, where consumers must provide independent identity confirmation methods from different categories: something a consumer is, something they know, and something they own, for example a fingerprint, a PIN code, or a tablet.
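The point of "independent" factors is that two methods from the same category (two PIN codes, say) do not satisfy the requirement. The following check is an added illustration, not code from the page or from any PSD2 implementation; the method names and their mapping to factor categories are constructed assumptions.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the text."""
    KNOWLEDGE = "something the customer knows"
    POSSESSION = "something the customer owns"
    INHERENCE = "something the customer is"


# Constructed (hypothetical) mapping from authentication methods a checkout
# might present to the SCA category each one belongs to.
METHOD_CATEGORY = {
    "pin": Factor.KNOWLEDGE,
    "password": Factor.KNOWLEDGE,
    "registered_device": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
}


def sca_satisfied(methods):
    """Return (ok, reason) for a list of completed authentication methods.

    SCA is met only when at least two methods come from distinct categories;
    any method we cannot classify fails closed rather than counting as a factor.
    """
    categories = set()
    for method in methods:
        category = METHOD_CATEGORY.get(method)
        if category is None:
            return False, f"unknown authentication method: {method}"
        categories.add(category)
    if len(categories) < 2:
        return False, "fewer than two independent factor categories"
    return True, "independent factors: " + ", ".join(sorted(c.name for c in categories))


if __name__ == "__main__":
    for attempt in (["pin", "fingerprint"], ["pin", "password"], ["fingerprint"]):
        print(attempt, "->", sca_satisfied(attempt))
```

The second attempt in the usage block fails even though two methods were completed, which is the case a naive "count the methods" check would wrongly accept.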
However, some transactions in the EU or UK are exempt from SCA. These include:
PSD2 implementation was smooth for most parties, probably because sufficient compliance time was allowed. But even then, PSD2 adoption has impacted merchant operations in several ways:
It is challenging to ensure a great customer experience, and PSD2 implementation made it harder. Consumers value security, but they also value smooth delivery of service. Merchants are constantly struggling to develop ways to deliver frictionless experiences, especially since the new security requirements are prone to create friction.
SCA protocols are a good step in ensuring the protection of all parties involved. However, merchants have difficulty implementing these security requirements without negatively impacting the customer experience due to added friction.
According to the Fair Credit Billing Act in the US and Section 75 of the Consumer Credit Act in the UK, consumers have the right to charge back debit or credit card transactions. However, with PISPs, transaction disputes are different. Since they aren’t debit or credit card transactions, there’s no assurance the service provider will reverse the transaction amount in case of a dispute. As such, customers are wary of third-party payment solutions, which is bad for business.
Merchants transacting with consumers in the European Union are affected by PSD2 regardless of where they are located. For instance, merchants operating from North America must abide by some PSD2 regulations to acquire customers in the EU.
With the SCA implementation requirement for PSD2 compliance, many merchants turned to 3D-Secure 2.0 solutions. Although this worked, implementing too many safeguards simultaneously has side effects, including authentication failures.
Enhanced security is great, but it can lead to unnecessarily lost revenue. The original 3DS’s addition of friction to the checkout process led to many more abandoned shopping carts. The development of a “frictionless flow” for low-risk customers in 3DS 2.0 reduced revenue loss to abandoned shopping carts, but the problem still exists.
Regardless of how PSD2 upsets merchant operations, the directive is here to stay. To get ahead of the game, merchants have to change and adapt.
Transaction friction caused by PSD2 can be grouped into negative and positive friction. Positive friction creates reasonable fraud barriers with minimal impact on customer experience, while negative friction slows down transactions and leads to cart abandonment without necessarily reducing fraud.
Understanding the difference between the two and which to focus on implementing can help merchants remain PSD2 compliant without grossly affecting their bottom line.
Yes, SCA requirements under PSD2 add transaction friction, but with positive friction practices, merchants can be compliant while keeping lost customers to a minimum.
PSD2 regulations unwound the banks’ monopoly on customer data, opening the door for third-party payment service providers in the EEA payments market. The increased competition will foster the creation of new financial solutions beyond the payment industry.
For more information on PSD2 and other related topics, contact us or visit the Justt blog. As a leading chargeback mitigation solution, Justt can help you manage the volume of chargebacks that come through as you work to remain PSD2 compliant, while reaping a profit.