What is PSD2?
PSD stands for Payment Services Directive. It is an EU directive, initiated by the European Commission, that regulates both payment providers and payment services throughout the European Union and the European Economic Area.
PSD2 is an upgrade of PSD, the original directive introduced in 2007 to improve the security and functionality of online payments. PSD2 builds further on security and protection, to combat the rise in sophisticated cyber-crime, and covers three main areas: consumer protection, open banking and SCA (strong customer authentication).
PSD2 doesn’t just benefit customers. The new directive levels the playing field for payment service providers and also lowers the cost of payments, making the market more competitive for merchants.
Why has PSD2 been brought in?
In a recent study, statistics showed that 59% of all card fraud in 2018 was conducted through ecommerce. 43% of business customers said they felt concerned about the threat of online fraud to their business and 47% of customers admitted to not hitting the ‘buy’ button because of security concerns.
These are staggering figures; testament to the fact that security needs to be tightened when it comes to online payments. The introduction of PSD2 tackles this need. Its main aim is to improve security for the protection of customers paying online.
PSD2 came into effect on 13th January 2018, but the initial focus was largely on the consumer rights element. The regulatory technical standards covering SCA and secure third-party (open banking) access applied from 14th September 2019, but enforcement of the SCA deadline was later delayed because merchants weren’t ready. On 21st June 2019 the EBA published an opinion acknowledging concerns about the preparedness and compliance of payment service providers.
As a result, the FCA agreed a phased roll-out plan that would give all payment service providers until 14th March 2021 to be compliant; that deadline was subsequently pushed back a further six months to 14th September 2021. In the meantime, banks are still trying to get their heads around the new open banking directive, under which customer data is shareable with third parties at the customer’s request.
So what does this mean for banking? Banks are now required to expose application programming interfaces (APIs) to authorised third-party providers. However, there is still some ambiguity about how banks can do this safely and avoid giving cyber-criminals a new way in.
The pressure is on banks to protect the cryptographic keys used in authentication and to ensure they cannot be extracted. Client-side hardening such as code obfuscation and debugger detection raises the bar for an attacker reverse-engineering a banking app, but it does not replace keeping keys in hardware-backed storage (a secure element on the device, or an HSM on the bank’s side). We may also see banks lean more on their own mobile apps, which let them communicate directly with the end user and confirm consent before any third-party application is granted access to the data.
What are the Core Components of PSD2?
There are three core components of PSD2:
Consumer protection rights
Strong customer authentication (SCA)
Open banking – third party access
Consumer Protection Rights:
Under the new payment services directive consumers benefit from even greater protection than before. Since 1999 we have had 3DS1, a system that allows the cardholder’s bank to verify that the shopper attempting a purchase is the legitimate user of the credit or debit card, but with the rise of new technology and devices it has become clunky and time consuming, often requiring the user to remember a passcode on the spot. This has led to a lot of drop-offs in the purchasing process.
3DS2 (EMV 3-D Secure) is the updated authentication protocol that merchants and issuers typically use to meet PSD2’s authentication requirements. It is designed for frictionless payments that work more seamlessly across the different devices shoppers use. 3DS2 improves the user experience by passing many more data elements (device, transaction and account information) between the merchant and the issuer, so the issuer can assess risk in the background and interrupt the consumer less often. If the consumer is challenged, the issuer can choose the authentication method best suited to that consumer. The shopper is only asked to act when the issuer decides a challenge is needed.
Strong Customer Authentication (SCA):
Where the card issuer and the acquirer are both based in the European Economic Area (EEA), merchants are required to apply Strong Customer Authentication (SCA) to their payments.
Where card payments are involved the most common way to achieve SCA is through the adoption of 3DS2. SCA requires multi-factor authentication: the user must confirm their identity with at least two independent factors drawn from two different categories of the following three:
Knowledge – something only the user knows (a password or PIN)
Possession – something only the user possesses (a phone, card or hardware token)
Inherence – something the user is (a fingerprint or face)
There are a few exemptions where SCA is not required. These include:
Low value transactions of under £30 (subject to cumulative limits: once a number of consecutive exempt payments, or their total value, exceeds a cap since the last SCA, the next payment must be authenticated)
Recurring payments of the same value to the same payee (SCA applies only to the first payment in the series)
Transactions via unattended terminals (ticket machines, parking meters etc)
Contactless payments (under £30, again subject to cumulative limits)
Merchant initiated transactions (strictly speaking out of scope rather than exempt, because the cardholder is not present when the payment is taken)
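To show how an issuer or payment platform would actually apply the factor rule and the exemptions above, here is an added worked example (my own illustration, not code from the article or from any scheme or regulator). It checks that the factors presented come from two different categories, decides whether a given transaction needs SCA, and tracks the cumulative counters that bound the low-value exemption. The per-transaction £30 figure is the article’s; the cumulative caps of 5 consecutive exempt payments or £100 in total, and the field names and class names, are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows (PIN, password)
    POSSESSION = "possession"  # something the user has (phone, card, hardware token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face)


LOW_VALUE_LIMIT = 30.00         # per-transaction ceiling, as stated in the article
CUMULATIVE_AMOUNT_CAP = 100.00  # assumed cumulative cap since the last SCA (example value)
CUMULATIVE_COUNT_CAP = 5        # assumed consecutive exempt payments since the last SCA


@dataclass
class Transaction:
    amount: float
    merchant_initiated: bool = False   # cardholder not present: outside SCA scope
    recurring: bool = False            # fixed-amount series to the same payee
    first_in_series: bool = True       # SCA applies only to the first recurring payment
    unattended_terminal: bool = False  # ticket machines, parking meters etc.
    contactless: bool = False


@dataclass
class CardState:
    """Counters an issuer keeps per card since the last successful SCA."""
    exempt_count: int = 0
    exempt_total: float = 0.0


def satisfies_sca(factors: List[Factor]) -> bool:
    """True when factors from at least two *different* categories are present.
    Two knowledge factors (password + security question) do not qualify."""
    return len(set(factors)) >= 2


def decide(txn: Transaction, state: CardState) -> Tuple[bool, str]:
    """Return (sca_required, reason) and update the card's exemption counters."""
    if txn.merchant_initiated:
        return False, "merchant-initiated transaction: outside SCA scope"
    if txn.recurring and not txn.first_in_series:
        return False, "recurring fixed-amount payment: SCA was done on the first in series"
    if txn.unattended_terminal:
        return False, "unattended terminal exemption"
    # Low-value / contactless exemption, bounded by cumulative caps so a stolen card
    # cannot be drained £29 at a time without ever triggering authentication.
    if txn.amount <= LOW_VALUE_LIMIT:
        if (state.exempt_count < CUMULATIVE_COUNT_CAP
                and state.exempt_total + txn.amount <= CUMULATIVE_AMOUNT_CAP):
            state.exempt_count += 1
            state.exempt_total += txn.amount
            kind = "contactless" if txn.contactless else "low-value"
            return False, (f"{kind} exemption ({state.exempt_count}/{CUMULATIVE_COUNT_CAP} "
                           f"payments, £{state.exempt_total:.2f} cumulative)")
        return True, "low-value cumulative cap reached: SCA required"
    return True, "no exemption applies: SCA required"


def complete_sca(state: CardState, factors: List[Factor]) -> bool:
    """Reset the exemption counters only when a genuine two-category SCA succeeded."""
    if not satisfies_sca(factors):
        return False
    state.exempt_count = 0
    state.exempt_total = 0.0
    return True


if __name__ == "__main__":
    # Constructed sample: five £25 remote payments on one card, then an MIT.
    state = CardState()
    for amount in (25.0, 25.0, 25.0, 25.0, 25.0):
        print(amount, decide(Transaction(amount=amount), state))
    print(decide(Transaction(amount=120.0, merchant_initiated=True), state))
    print(complete_sca(state, [Factor.KNOWLEDGE, Factor.KNOWLEDGE]))   # two of one kind
    print(complete_sca(state, [Factor.POSSESSION, Factor.INHERENCE]))  # genuine SCA
```

Run as a script, the fourth £25 payment brings the cumulative total to exactly £100, so the fifth is refused the exemption and routed to SCA even though it is individually under £30. Note that `complete_sca` refuses to reset the counters for two factors of the same category; that check is what stops a "password plus security question" flow from being passed off as strong authentication.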
From 14th September 2021 issuers will decline transactions that require SCA but have not been authenticated (in practice, card payments not sent through 3DS), so the pressure is on for merchants to adapt.
As consumers are given greater control over, and stronger protection for, their financial data, banks are having to work hard to establish ways to protect it. This will require them to work together, in a united approach, to establish common methods for securing API access and to protect their reputations. It’s a big change, but one that ultimately seeks to keep consumers spending with confidence online.