What is PSD2, and How Does It Impact Merchants?
Table of Contents
- PSD2 Customer Authentication Requirements
- What is Open Banking?
- The Bottom Line on PSD2
- What Does PSD2 Mean?
- What Is the Purpose of PSD2?
The European Union has revised its Payment Services Directive, updating the legal framework that governs payment service providers operating within the EU and the broader European Economic Area. The revised directive, known as PSD2, contains some provisions that merchants will want to take particular note of, as they will have significant implications for online banking and payment processing.
The Payment Services Directive was launched in 2015 to strengthen consumer protections, promote innovation in the payments sector, and help unify the digital marketplace in the European Economic Area (EEA).
While its regulations may not be applicable to merchants who don’t maintain a presence in European markets, any directive as far-reaching as this can potentially affect how merchants in other markets do business. For that reason, all merchants should be familiar with the changes PSD2 will be bringing about.
PSD2 Customer Authentication Requirements
For merchants, the aspect of PSD2 that will impact them the most is the new requirements for strong customer authentication. This part of the directive took effect on September 14, 2019. After this date, issuers subject to the PSD2 may decline transactions that do not meet the new authentication standards. While declining such transactions isn't mandatory, it's crucial for any merchant doing any business in the EU to understand these requirements to avoid causing themselves problems in the future.
The PSD2 rules apply to all transactions that take place between issuers and acquirers that are both located within the EEA.
As of January 2020, card networks may also fine merchants within the EEA that have not yet upgraded their payment processing methods to include strong customer authentication.
The language of the directive more or less equates “strong” customer authentication with two-factor authentication.This form of authentication requires customers to provide two of the following three kinds of identity confirmation: Something they have, something they know, and something they are.
Something they have is typically a device, usually a phone, although a previously-authorized computer can also fulfill this requirement. Something they know might be a password or PIN. Something they are typically means a fingerprint, a common method of authentication for mobile transactions.
Note, however, that PSD2 requirements do not apply to merchant-initiated transactions like recurring subscription billing. The initial charge when a customer signs up must be properly authenticated according to the new standards. However, subsequent merchant-initiated transactions with the same payment information aren't subject to the increased authentication requirements.
Certain low-value transactions are also exempt from the authentication requirements. Furthermore, customers have the option to whitelist merchants they do business with often to exempt that merchant from conducting the strong customer authentication process each time they make a transaction. Merchants can claim these exemptions through the latest version of 3D Secure.
What is Open Banking?
One of the most significant regulatory changes in PSD2 involves “open banking” and what retail banks are allowed to do with their customers’ current and historic transaction data. This may not directly impact most merchants’ business operations, but the implications for banks are huge, and this may alter the way many of us purchase and utilize financial service products.
Under PSD2, banks are required to make customer data accessible to third-party providers, if the customer grants permission for them to do so, via open application program interfaces.
This allows customers at both the retail and business level to give apps and other outside tools direct access to their banking information for services like financial planning, account management, payment automation, and anything else that might be useful.
Previously, banks had exclusive access to this information and were not required to open it up to third parties, even if the customer demanded it. This gave banks a huge advantage in selling their own financial services and digital tools to their customers, since they effectively had a captive audience.
A bank might see a large transaction hit a customer’s account and start pitching investment products or financial advice to them, and outside financial service vendors would have no way of reaching that customer.
Even if the customer sought them out, the bank could block them from providing integrated solutions by preventing them from directly accessing the customer’s account data.
These changes could lead to scenarios where you’re a customer of Citibank, but you manage your money and automatic payments through an app created by Amazon, without ever having to use Citibank’s apps or website. As you might imagine, this could dramatically change the face of retail banking.
We've already seen a proliferation of financial services apps thanks to the implementation of PSD2, and more are likely on the way. With direct access to users' banking information these apps could handle payments, take care of bills, monitor and categorize spending, or offer customized investment suggestions. As you might imagine, some customers will still be hesitant to open up their banking data to a third party at first, so it may take some time for these kinds of apps to really catch on, but if past digital innovations are any indicator, it likely won't be long before giving apps access to your banking data is something most customers are entirely comfortable with.
The Bottom Line on PSD2
American merchants, already reeling from adapting to the changes required by the recent Mastercard and Visa mandates, may be feeling relieved that the demands of the PSD2 aren’t falling on their heads.
But at this point, if you aren’t already using 3-D Secure or equivalent security protocols to reduce fraud, you’re doing yourself no favors—and this directive should serve as a reminder of the importance of staying ahead of the curve when it comes to protecting your business, and your customers, from fraudsters.
The knock-down effects of PSD2’s open banking directive are also likely to spread outside the EEA, especially if the big consumer tech companies see an opportunity in entering the financial and payment services industry.
Are we headed for a world in which the average person saves and invests their money with one company, but manages and accesses it with another?
Only time will tell. In the meantime, merchants must keep a close eye on these developments and be ready to adapt when necessary.
What Does PSD2 Mean?
What Is the Purpose of PSD2?