What is PSD2
Getting your head around it...
eCAI advise on what you can do to ensure you are PSD2 Ready
What is PSD2?
PSD2 is the second of two Payment Services Directives from the European Commission; it regulates the provision of ‘payment services’ in Europe. PSD2 updates the EU rules set out in the Payment Services Directive adopted in 2007 (PSD), which provided the legal foundation for an EU single market for payments. PSD2 aims to give consumers greater choice and better protection when making online payments; it also seeks to open up payment markets to new entrants and specifies how financial institutions should monitor and prevent fraud for remote commerce. Further information on the directive and associated FAQs can be found on the Central Bank of Ireland website – https://www.centralbank.ie/regulation/psd2-overview/faq .
When does PSD2 start?
The regulations which transposed PSD2 into Irish law came into effect from 13 January 2018. The Final Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) were published in March 2018 and it’s those standards that come into effect on 14th September 2019.
What is SCA?
The RTS defines SCA as authentication through at least two out of the following three factors:
- Knowledge – Something only the user knows (e.g., passcode or PIN);
- Possession – Something only the user possesses (e.g., mobile phone or token);
- Inherence – Something the user is (e.g., fingerprint, facial, iris or eye vein).
The RTS requires that the selected factors be mutually independent, meaning that the breach of one does not compromise the reliability of the others (Article 9 RTS).
SCA is required when the payer initiates an electronic payment transaction (Article 97 PSD2). Exemptions may apply (Article 98 PSD2).
What are Exemptions?
Article 98 of PSD2 covers an important aspect of the RTS: the set of exemptions that apply in various circumstances. Using the range of exemptions will reduce perceived friction in your payment process.
Payments below €30
An exemption can be made where transactions are below €30, but SCA will be required when more than 5 transactions in a row have been made for values below €30 since the last SCA was given.
Transaction Risk Analysis
A Payment Service Provider (PSP) can run a risk analysis at the time of purchase to determine if the transaction is low risk. PSPs with low rates of fraud can then propose to bypass the SCA using this exemption. However, the card issuing bank will ultimately make the final decision, in the interests of protecting your business, as to whether SCA is required or not.
Recurring Transactions / Subscriptions
SCA will be required for first payments of a subscription/recurring payment, but subsequent payments can be exempt from SCA.
The customer can whitelist companies they trust, thus negating the need for SCA.
Mail Order Telephone Order (MOTO)
Card details taken over the phone or by mail do not require SCA.
Merchant Initiated Transactions
Merchant-Initiated Transactions (MITs) are payments initiated by the Merchant without the interaction of the payer. For example, bills initiated by your phone company for recurring payments, not necessarily of the same value, but following a pattern. The initial set-up of an MIT will be subject to SCA.
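The SCA factor rule and the exemptions described above can be expressed as a small decision routine. The example below is added here and is not code from eCAI or from any PSP; it models the two-of-three factor check and the exemptions exactly as this page states them (€30 low-value limit, more than 5 consecutive low-value payments since the last SCA, MOTO, subsequent recurring payments, MIT after an SCA-authenticated set-up, whitelisted payees, transaction risk analysis). The class names, field names and the channel labels are constructed assumptions, and the RTS text's additional cumulative-amount cap on the low-value exemption is not on this page and is not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Factor(Enum):
    """The three RTS authentication categories."""
    KNOWLEDGE = "knowledge"    # something only the user knows (passcode, PIN)
    POSSESSION = "possession"  # something only the user possesses (phone, token)
    INHERENCE = "inherence"    # something the user is (fingerprint, face, iris)


def sca_satisfied(presented: List[Factor]) -> bool:
    """True when the presented factors span at least two distinct categories.
    Independence (Article 9 RTS) is modelled only as 'distinct categories':
    two factors of the same kind, e.g. two PINs, do not make SCA."""
    return len(set(presented)) >= 2


# Thresholds taken from the page's description of the low-value exemption.
LOW_VALUE_LIMIT_EUR = 30.0
MAX_CONSECUTIVE_LOW_VALUE = 5


@dataclass
class Transaction:
    """Constructed transaction model; field names are assumptions."""
    amount_eur: float
    channel: str                      # "ecommerce" or "moto" (constructed labels)
    setup_of_recurring_or_mit: bool = False  # first payment / MIT set-up: always SCA
    recurring_followup: bool = False  # later payment of an SCA-authenticated subscription
    merchant_initiated: bool = False  # MIT after the SCA-authenticated set-up
    payee_whitelisted: bool = False   # payer has whitelisted this merchant
    tra_low_risk: bool = False        # PSP's transaction risk analysis says low risk


@dataclass
class PayerState:
    """Per-payer counter the issuer keeps for the low-value exemption."""
    low_value_since_sca: int = 0      # consecutive sub-€30 payments since last SCA


def sca_decision(tx: Transaction, state: PayerState) -> Tuple[str, str]:
    """Return ("EXEMPT", reason) or ("SCA_REQUIRED", reason).
    When SCA is required and performed, the caller must call record_sca()."""
    if tx.channel == "moto":
        # Card details taken over the phone or by mail do not require SCA.
        return ("EXEMPT", "moto")
    if tx.setup_of_recurring_or_mit:
        # First payment of a subscription and initial MIT set-up are always SCA'd.
        return ("SCA_REQUIRED", "recurring_or_mit_setup")
    if tx.merchant_initiated:
        return ("EXEMPT", "merchant_initiated")
    if tx.recurring_followup:
        return ("EXEMPT", "recurring")
    if tx.payee_whitelisted:
        return ("EXEMPT", "trusted_beneficiary")
    if tx.amount_eur < LOW_VALUE_LIMIT_EUR:
        # Five low-value payments in a row may be exempt; the sixth needs SCA.
        if state.low_value_since_sca < MAX_CONSECUTIVE_LOW_VALUE:
            state.low_value_since_sca += 1
            return ("EXEMPT", "low_value")
        return ("SCA_REQUIRED", "low_value_counter_exhausted")
    if tx.tra_low_risk:
        # The PSP proposes the exemption; the issuing bank may still insist on SCA.
        return ("EXEMPT", "transaction_risk_analysis")
    return ("SCA_REQUIRED", "electronic_payment")


def record_sca(state: PayerState) -> None:
    """A successful SCA resets the low-value counter."""
    state.low_value_since_sca = 0


def demo_sequence() -> List[str]:
    """Constructed scenario: six €12 e-commerce purchases, then SCA, then one more."""
    state = PayerState()
    reasons = []
    for _ in range(6):
        reasons.append(sca_decision(Transaction(12.0, "ecommerce"), state)[1])
    record_sca(state)
    reasons.append(sca_decision(Transaction(12.0, "ecommerce"), state)[1])
    return reasons


if __name__ == "__main__":
    print(demo_sequence())
```

The ordering of the checks is a design choice: the MOTO and set-up cases are decided first because the page treats them as unconditional, and the low-value counter is only consumed when that exemption is actually applied. Note that the transaction risk analysis branch only records the PSP's proposal; the issuing bank's final decision described above would be a separate step in a real flow.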
Does it affect me?
If you buy and sell goods in the European Economic Area then PSD2 affects you. If you are selling online, you must make sure your payment procedures are PSD2 compliant. You should also keep abreast of new technologies that may enhance your payment choice and user experience.
What are the requirements online merchants should know about?
If you sell goods or services online, you will have a paywall of some type. In order to be ready for the September 14th, 2019 deadline, you will need to confirm whether you currently use 3DS; your Payment Service Provider (PSP)/Gateway will be able to confirm this for you. If 3DS is not enabled for your ecommerce purchases, then you will need to engage your PSP/Gateway provider and your Website/App Developer to understand how they can assist you in getting your business ready for this new regulatory requirement.
What is 3DSecure?
EMV® 3-D Secure (3DS) is a messaging protocol that promotes frictionless consumer authentication and enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases (www.emvco.com/emv-technologies/3d-secure).
3D Secure 1.0 was the original protocol; the next generation of 3DS is now here: version 2. This specification takes into account new payment channels and supports the delivery of industry leading security, performance and user experience.
Is SCA good for my business?
Absolutely. SCA aims to reduce fraud and increase consumer confidence in electronic payments. Your PSP/Gateway and Website/App Developer will be able to assist you with a solution that protects you and your customers from fraud while offering the best possible payment experience for your customers now and in the future. This enhanced security will drive consumer confidence and reduce the risk of cart abandonment.
When do I have to have the changes implemented?
The deadline for compliance with the RTS on SCA under the PSD2 directive is 14 September 2019. The Central Bank of Ireland has indicated that a limited migration period will be put in place from this date for ecommerce transactions only. They are currently engaged with the industry to develop a migration plan to implement SCA for ecommerce transactions. The exact timeline is yet to be announced, please refer to the Central Bank of Ireland website for the latest position – https://www.centralbank.ie/regulation/psd2-overview.
What if I don’t have the changes made?
If you don’t make the necessary changes and a transaction is processed without SCA or a relevant exemption flag, there is a risk that transactions will be declined by the issuing bank. The adoption of 3DS is therefore essential and will minimise the impact on your business by delivering industry leading security, performance and user experience.
Any updates on this position will be posted here on PSD2ready.ie or Twitter @PSD2ready