In force since January 2018, the Payment Services Directive 2 (PSD2) has by now been transposed into national legislation across the entire European Union.
Although not all of its requirements apply yet, PSD2's biggest changes relevant to European online sellers relate to:
In 2007, against the backdrop of a continuously growing eCommerce market, the European Commission (EC) concluded that it was time consumers were offered a wider choice of secure payment services. The Commission therefore encouraged the rise of non-bank payment institutions that could provide the digital market with faster payment options while still ensuring consumer protection and transaction transparency.
This is how the first Payment Services Directive (PSD) came into being. In 2015, in an eCommerce market dominated by increasing mobile usage and many new online payment methods, the EC decided to review and adjust the PSD to the current digital context, adding necessary improvements to ensure customer security. As a result, PSD2 came into effect on January 13, 2018, bringing clear changes and significant enhancements to payments industry regulations.
However, a new deadline is now looming for payment facilitators and online merchants – September 14, 2019, is the date on which they will have to be compliant with the Strong Customer Authentication (SCA) rules for fraud prevention and payments security. As we’ll see, this presents a significant challenge for all online businesses and could severely impact commerce in European Union countries.
The PSD2 requirements are based on three pillars:
Pillar 1 addresses transparency in terms of pricing, extended customer rights, and stricter reporting standards for financial institutions. Pricing for financial services must be non-discriminatory, meaning that charges for account access and payment initiation must be the same for end customers and for third parties. Pillar 1 applies to transactions where at least one party (“one leg out”) is in the European Economic Area (EEA).
Pillar 2 concerns security and fraud prevention, including requirements for strong customer authentication (SCA). This impacts all parties involved in the eCommerce payments flow.
Pillar 3 sets out the technology requirements under which banks must allow licensed payment institutions to use their infrastructure (Open Banking) to access account data and initiate payments on behalf of customers. Banks are required to provide a secure testing environment (sandbox) to PSPs to support the ongoing development of services that rely on the banks' systems.
Compliance with PSD2 is being implemented in two stages: Pillar 1 (transparency) became effective on January 13, 2018, while Pillars 2 and 3 apply from September 14, 2019.
With digital commerce sales in Europe said to grow at a 17% CAGR until 2022, and digital fraud constantly evolving, the SCA requirements in PSD2 are meant to bring new security and risk management to online payments through a two-factor authentication (2FA) mechanism.
Strong Customer Authentication will apply to anyone “completing a payment in the EU.” It will be required for all customer-initiated online transactions (CIT) within Europe, which means most payment methods (contactless payments included) and bank transfers will be done with SCA. In the case of online payments, SCA will apply to transactions where both the business’ and the cardholder’s banks are located within the European Economic Area (EEA).
SCA is based on three categories of authentication factor, of which at least two must be used for each authenticated transaction: something only the customer knows (for example a password or PIN), something only the customer possesses (for example a phone or a card), and something the customer is (for example a fingerprint or face scan). The two factors must come from different categories, and compromising one must not reveal the other.
For card-based payments, these requirements have led to the implementation of 3-D Secure version 2 – 3DS2 or EMV 3DS. The 3-D Secure method has been widely used by card issuers to secure online card transactions since 2001, but the new version has been developed to meet the PSD2 SCA requirements as well as minimize the negative impact of 2FA on the customer experience.
EMV 3DS is an evolutionary step from its predecessor and lets the card issuer (bank) use a much wider range of data points from the transaction (device, browser, delivery and account details passed by the merchant) to run a risk-based analysis. For low-risk transactions, and for low-value ones (below 30 EUR under the low-value exemption), the issuer can approve the payment without challenging the cardholder at all, the so-called frictionless flow. For all other customer-initiated transactions, the cardholder will be challenged with a second factor, whether via a text message (SMS) code, an app push notification, or biometrics (fingerprint, etc.). Note that each of these channels supplies only one factor, possession of the phone or inherence; the other factor, typically a password or PIN, must still come from a different category for the result to count as SCA.
3DS2 is mobile-friendly, unlike its predecessor, and is designed to present a responsive authentication window that adjusts to any mobile device. However, implementing the user experience (UX) improvements in that window is up to the card-issuing banks, so the front end presented to cardholders will vary from bank to bank.
Strong Customer Authentication requirements will also apply to alternative payment methods, but it’s important to note that many e-wallets or other mobile pay services already use multiple-step authentication.
From September, any acquiring bank or card issuer in the European Economic Area (EEA) that processes payments on the world's largest card networks (Visa, Mastercard, AmEx etc.) will need to have implemented 3-D Secure version 2, and online stores will need to be able to route card payments through it. Payment Service Providers (PSPs) and merchants may also be impacted, depending on how they have set up their payment flows. EU-based merchants and their customers will be the first in the spotlight, since under the current provisions SCA applies only to “two-leg” transactions, i.e. where both parties to the transaction are in the EEA.
Unfortunately, one study has shown that up to 75% of European merchants are not aware of the PSD2 SCA deadline or of what they need to do to be compliant, and that 86% of them did not support multi-step authentication at the time of the survey. That is cause for concern: a lack of compliance exposes companies to penalties and will severely impact their authorization rates, because issuers can decline transactions that require SCA but were submitted without it.
Here’s the impact we expect if the Strong Customer Authentication requirements are in fact implemented properly across all online payments:
This technological upgrade in the financial ecosystem will most likely stimulate growth in omnichannel commerce with a focus on mobile, and also in subscriptions, given the transparency of the renewal process under the new rules: subscribers will be informed and asked to re-authenticate for payment at any change in the recurring billing amount or period.
If you sell online in Europe, this is what you should keep in mind to make sure you can offer the best experience to your customers and keep your business afloat after the September PSD2 deadline:
All of the above regulations are part of the PSD2 update that will change the way the whole online payments ecosystem functions, from card associations through issuing and acquiring banks to payment facilitators, merchants and finally shoppers. They target increased security for online transactions and will primarily affect the way acquirers and issuing banks manage user authentication under 3-D Secure version 2. Alternative payment methods will also be affected, but since many of them already use multi-step authentication, the implementation should be easier in those cases.
Merchants should prepare for the September 14, 2019 changes by planning for the least disruptive payment and authentication methods, so as to continue to provide a good customer experience and minimize abandoned orders and failed authorization requests.
If you want to learn more about PSD2 and what it means for merchants and payment facilitators, including a deep-dive into details like SCA exemptions, Transaction Risk Analysis (TRA), recurring billing requirements, and more, sign up for our upcoming webinar on August 28 – All you need to know about PSD2 and Strong Customer Authentication if you sell online.