Explaining PSD2 and Its Effects on Merchants
Internet use has grown exponentially in the past decades and has impacted our lives, especially how we make payments.
While these changes are welcome, they carry potential security problems that can wreak havoc on payments. To keep pace with the rapid evolution in the payment industry, the European Union revised the Payment Services Directive (PSD) to PSD2.
This guide explains what PSD2 is and what it means for consumers and merchants.
What is PSD2?
PSD2 is a European rule for electronic payment services. The original version was approved in 2007 to build a single market for payments in the European Union and European Economic Area. The directive made payment processing easier, allowing the entrance of new payment service providers.
In 2013, a proposal for PSD2 was published with the intention of:
- Consumer protection and security in the payment industry
- Fostering innovation and competition to increase the creation of new payment technologies
These goals affect third-party access to customer account information and customer authentication. To improve customer protection, PSD2 has stronger requirements for online payments, including multi-factor authentication (MFA).
On the innovation and competition front, third-party players can now access consumer data from their financial institutions using APIs, provided they have customer consent. As a result, two new types of service providers were defined:
Payment Initiation Services Providers (PISPs)
Payment Initiation Services (PIS) are simply online payments that include entering banking details to make online purchases. The PSD2 Directive forces banks to share customer data with authorized third-party payment solutions with customer consent. Consequently, new players – PISPs can enter the market.
PISPs function like intermediaries between merchants and financial institutions. They allow direct transfers (with consent) from a customer’s bank account to a merchant through APIs.
Account Information Service (AIS)
AIS is a key part of PSD2, which enables businesses and consumers to share information with third-party players.
With customer consent, Account Information Service Providers (AISPs) have access to their bank account data, including account balances, transactions, standing orders, and direct debits. With all this data, AISPs offer consolidated views of consumer payment accounts.
Although PSD2 gets rid of banks’ monopoly over customer account information, it doesn’t mean they are out of the game. PISPs and AISPs cannot operate as banks as there are services they cannot legally offer.
All companies dealing with electronic financial services need to be PSD2 compliant. They have to meet several requirements that vary depending on the business type to achieve this.
PSD2 requirements for third party providers include:
- An AISP or PISP license
- Executing a customer identity and access management solution that facilitates:
- Identity proofing
- Knowing your customer
- Strong customer authentication (SCA)
- Create secure applications with well-defined access control and user consent
PSD2 requirements For banks and other account-holding institutions:
- Execute customer identity and access management solutions
- Develop APIs allowing third party institutions to access customer payment data
PSD2 Strong Customer Authentication Regulation
The entrance of third-party payment service providers adds entry points to transaction chains. While these entry points provide convenience, they are also potential weak points in transaction chains that fraudsters might exploit. To improve consumer protection and lessen fraud, PSD2 enforces SCA.
The key component of SCA is multi-factor authentication, where consumers should provide other independent identity confirmation methods. These methods include something a consumer is, knows, and owns, including fingerprints, PIN codes, and tablets.
However, some transactions in the EU or UK are exempt from SCA. These include:
- Fixed amount subscriptions. In this case, SCA applies to the initial transaction only.
- Low-risk payments, typically under €30
- Corporate payments
- Trusted beneficiaries like utility providers
- Transactions from saved cards
How PSD2 affects merchants
PSD2 implementation was smooth for most parties, probably because sufficient compliance time was allowed. But even then, PSD2 adoption has impacted merchant operations in several ways:
It is challenging to ensure a great customer experience, and PSD2 implementation made it harder. Consumers value security, but they also value smooth delivery of service. Merchants are constantly struggling to develop ways to deliver frictionless experiences, especially since the new security requirements are prone to create friction.
SCA protocols are a good step in ensuring the protection of all parties involved. However, merchants have difficulty implementing these security requirements without negatively impacting the customer experience due to added friction.
According to the Fair Credit Billing Act in the US and Section 75 of the Consumer Credit Act in the UK, consumers have the right to charge back debit or credit card transactions. However, with PISPs, transaction disputes are different. Since they aren’t debit or credit card transactions, there’s no assurance the service provider will reverse the transaction amount in case of a dispute. As such, customers are wary of third-party payment solutions, which is bad for business.
Merchants transacting with consumers in the European Union are affected by PSD2 regardless of where they are located. For instance, merchants operating from North America must abide by some PSD2 regulations to acquire customers in the EU.
3-D Secure 2.0 technology
With the SCA implementation requirement for PSD2 compliance, many merchants turned to 3D-Secure 2.0 solutions. Although this worked, implementing too many safeguards simultaneously has side effects, including authentication failures.
Enhanced security is great, but it can lead to unnecessarily lost revenue. The original 3DS’s addition of friction to the checkout process led to many more abandoned shopping carts. The development of a “frictionless flow” for low-risk customers in 3DS 2.0 reduced revenue loss to abandoned shopping carts, but the problem still exists.
Counteracting pitfalls and remaining PSD2 compliant
Regardless of how PSD2 upsets merchant operations, the directive is here to stay. To get ahead of the game, merchants have to change and adapt.
Transaction friction caused by PSD2 can be grouped into negative and positive friction. Positive friction creates reasonable fraud barriers with minimal impact on customer experience, while negative impact slows down transactions and leads to cart abandonment without necessarily reducing fraud.
Understanding the difference between the two and which to focus on implementing can help merchants remain PSD2 compliant without grossly affecting their bottom line.
Positive friction merchants can implement includes:
- Offering 3D Secure verification for cardholders
- Optional account creation
- Directing customers to verify orders before submission
- Using fraud screening tools like IP address verification and fraud detection software
- Requiring complex passwords for accounts
- Accepting payments that use biometric verification
Negative transaction friction includes:
- Limited payment methods
- Complicated, inconsistent, broken, and slow site navigation
- Not displaying shipping or cart total information when browsing
Yes, SCA requirements under PSD2 add transaction friction, but with positive friction practices, merchants can be compliant while keeping lost customers to a minimum.
PSD2 regulations unwound the banks’ monopoly on customer data, opening the door for third-party payment service providers in the EEA payments market. The increased competition will foster the creation of new financial solutions beyond the payment industry.
For more information on PSD2 and other related topics, contact us or visit the Justt blog. As a leading chargeback mitigation solution, Justt can help you manage the volume of chargebacks that come through as you work to remain PSD2 compliant, while reaping a profit. For more information, schedule a demo today.