The European Union (EU) implemented its second Payment Service Directive (PSD2) to mitigate the risk of fraud in online payments without negatively impacting the customer experience. The implementation of PCI DSS compliance set forth the first of a series of standardized security requirements. The directive carries a variety of new implications for merchants, including the use of two-factor authentication and an initiative to increase the number of third-party payment providers.
Any company desiring to do business with a member of the EU will be required to implement these new directives before moving forward. For many merchants in the US, these are already standard protocols, so the process will be simple. However, these have not been customary in the EU, so those banks and merchants could see significant change in their daily business.
What’s great about this directive is that it’s driving innovation in the banking industry throughout the EU. The more innovation and competition, the better the services will be for consumers. Let’s examine the key elements of this directive.
Strong Customer Authentication
This is a process by which merchants are now required to protect consumers from potential fraud without making the payment process too cumbersome. It requires customers to present two distinct pieces of information that identify them. These pieces of information can be any of the following:
Something they own, such as a mobile device or email address. With this type of authentication, the payment processor will send a code or link to a device that belongs to the customer and they have to click on the link or use the code to proceed with the transaction.
Something they know, such as a PIN or the answer to a security question. In this case, the payment processor will ask for this information on the payment screen or terminal.
Biometrics, such as facial recognition or a fingerprint. This type of authentication will require the customer to be recognized by the payment processing device in order to complete a transaction.
Industry Standard Protocol
The current industry standard for this across the EU is an authentication protocol called 3D Secure (3DS). There have been multiple versions of the protocol and more advancements are likely to come. It can facilitate biometrics such as fingerprints and facial recognition, along with heightened security for mobile payments and digital wallets.
Exemptions to Strong Customer Authentication
There will be some types of transactions that are exempt from this directive. These transactions include low-value transactions and recurring or subscription payments. Transactions may also be exempt if a customer has “whitelisted” a company, or acknowledged them as someone they do business with on a regular basis. Merchants who want to take advantage of these exemptions will be required to implement 3D Secure 2.2 if they haven’t already.
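The two-factor requirement and the exemptions above can be expressed as a small merchant-side gating decision. The following is an added example, not code from the article or from any 3DS vendor: it checks that the two presented factors come from different categories (knowledge, possession, inherence), then applies the exemptions the article lists (low-value, recurring, whitelisted payee) before deciding whether to step up to SCA. The thresholds LOW_VALUE_LIMIT, LOW_VALUE_CUMULATIVE_LIMIT and LOW_VALUE_MAX_COUNT, the counter-reset rule, and all class and function names are assumptions for illustration; the article gives no figures.

```python
"""Merchant-side SCA gating for PSD2 checkouts (added example, assumptions labelled)."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    """Categories of authentication evidence; SCA needs two *different* ones."""
    KNOWLEDGE = "knowledge"      # PIN, password, security-question answer
    POSSESSION = "possession"    # phone or e-mail receiving a one-time code/link
    INHERENCE = "inherence"      # fingerprint, facial recognition


def factors_satisfy_sca(presented: list[Factor]) -> bool:
    """Two factors from two distinct categories. A PIN plus a password is one category, so it fails."""
    return len(set(presented)) >= 2


# Assumed thresholds (hypothetical; the article states no numbers).
LOW_VALUE_LIMIT = 30.00              # single transaction ceiling for the low-value exemption
LOW_VALUE_CUMULATIVE_LIMIT = 100.00  # total spent on exempt payments since the last SCA
LOW_VALUE_MAX_COUNT = 5              # consecutive exempt payments since the last SCA


@dataclass
class Transaction:
    amount: float
    payee_id: str
    recurring_same_amount: bool = False  # part of a fixed-amount subscription series
    first_in_series: bool = False        # the first payment of a series still needs SCA


@dataclass
class CustomerState:
    """Per-customer counters the merchant keeps between checkouts (assumed design)."""
    trusted_payees: set[str] = field(default_factory=set)  # "whitelisted" companies
    exempt_low_value_total: float = 0.0
    exempt_low_value_count: int = 0


def sca_required(txn: Transaction, state: CustomerState) -> tuple[bool, str]:
    """Return (needs_sca, reason). Exemptions are checked in order; none applying means step up."""
    if txn.payee_id in state.trusted_payees:
        return False, "trusted beneficiary"
    if txn.recurring_same_amount and not txn.first_in_series:
        return False, "recurring"
    low_value_ok = (
        txn.amount <= LOW_VALUE_LIMIT
        and state.exempt_low_value_total + txn.amount <= LOW_VALUE_CUMULATIVE_LIMIT
        and state.exempt_low_value_count < LOW_VALUE_MAX_COUNT
    )
    if low_value_ok:
        return False, "low value"
    return True, "no exemption"


def record_outcome(txn: Transaction, state: CustomerState, reason: str) -> None:
    """Maintain the low-value counters: a completed SCA resets them, an exempt low-value payment advances them."""
    if reason == "no exemption":          # SCA was performed
        state.exempt_low_value_total = 0.0
        state.exempt_low_value_count = 0
    elif reason == "low value":
        state.exempt_low_value_total += txn.amount
        state.exempt_low_value_count += 1
    # trusted-beneficiary and recurring exemptions leave the low-value counters untouched


if __name__ == "__main__":
    state = CustomerState(trusted_payees={"utility-co"})
    for txn in [Transaction(20.0, "shop-a"), Transaction(250.0, "utility-co"), Transaction(90.0, "shop-a")]:
        needs, why = sca_required(txn, state)
        record_outcome(txn, state, why)
        print(f"{txn.amount:>7.2f} -> {txn.payee_id}: {'SCA' if needs else 'exempt'} ({why})")
```

The cumulative and count limits matter because the low-value exemption is the one an attacker with a stolen card would try to ride repeatedly; the counters force a full authentication after a bounded run of exempt payments.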
Another major advancement that came to fruition during the rollout of this initiative is the use of Third Party Providers (TPPs) for payment services. This allows customers more control over their money, which had historically been controlled by the central banks. There are two types of providers that are key elements of this directive.
Payment Initiation Service Providers (PISP)
These providers obtain permission from the customer to initiate payments on their behalf. This is a huge shift from the traditional way in which consumers had to initiate payments throughout the EU. Instead of accessing their bank’s online portal, customers can use a variety of payment options, which allows flexibility and convenience.
Account Information Service Providers (AISP)
An even more radical shift in traditional banking protocols is the use of AISPs. These are entities that have access to consumer banking information, gained through accessing the bank’s API. Banks will be required to give API access to AISPs who request it.
Additionally, many AISPs can offer a comprehensive solution for customers to view all of their banking information in one platform. For customers who use multiple banks and account providers, this is a great convenience. They will be able to see their entire portfolio of accounts and have a more complete picture of their financial situation from one application.
Benefits of the Payment Service Directive
As with any new directive, there are some benefits and drawbacks to the PSD2. However, the EU believes that this directive is gaining momentum and sparking innovation in the banking industry.
Benefits of the PSD2
Reduced risk of fraud
More innovation and competition in the payment industry
Increased security as a result of SCA
Merchants have access to more consumer data, allowing them to target and serve them more efficiently
Customers can more easily access their own financial information, allowing them to plan, budget, and succeed in their financial goals
Risks of the PSD2
Reduced privacy for customers when sharing their banking information with entities other than their bank
Risk of phishing and misuse of personal data by parties with whom the data is shared
Potential fraud and hacking of the third parties with whom the information was shared
New opportunities for cybercriminals to present themselves as TPPs and coerce customers into giving up their personal data
The PSD2 has some definite risks and benefits associated with it. However, the benefits of more flexible payments and innovation in the payment industry far outweigh the concerns of fraud. The innovation in the industry is addressing these potential threats and coming up with new solutions every day. Overall, this directive is allowing customers to have more control over their money and merchants from outside the EU to do business with them more easily.