What is PSD2, and How Will It Impact Merchants?
The European Union has revised its Payment Services Directive, updating the legal framework that governs payment service providers operating within the EU and the broader European Economic Area. The revised directive, known as PSD2, contains some provisions that merchants will want to take particular note of, as they will have significant implications for online banking and payment processing.
The PSD2 was launched in 2015 to strengthen consumer protections, promote innovation in the payments sector, and help unify the digital marketplace in the EEA.
While its regulations may not be applicable to merchants who don’t maintain a presence in European markets, any directive as far-reaching as this can potentially affect how merchants in other markets do business. For that reason, all merchants should be familiar with the changes PSD2 will be bringing about.
Strong Customer Authentication
For merchants, the aspect of PSD2 that will impact them the most is the new requirement for strong customer authentication. This requirement of the directive takes effect on September 14, 2019. After this date, issuers subject to the PSD2 may decline payments that do not meet the new authentication standards.
The PSD2 rules apply to all transactions that take place between issuers and acquirers that are both located within the EEA.
In January 2020, card networks may start fining merchants within the EEA that have not yet upgraded their payment processing methods to include strong customer authentication.
The language of the directive more or less equates “strong” customer authentication with multi-factor authentication. For most merchants, the easiest way to implement this is by using the 3-D Secure protocol for transactions.
Note, however, that PSD2 requirements do not apply to merchant-initiated transactions like recurring subscription billing (although the initial charge must be properly authenticated).
One of the most significant regulatory changes in PSD2 involves “open banking” and what retail banks are allowed to do with their customers’ current and historic transaction data. This may not directly impact most merchants’ business operations, but the implications for banks are huge, and this may alter the way many of us purchase and utilize financial service products.
Under PSD2, banks are required to make customer data accessible to third-party providers via open application programming interfaces (APIs), if the customer grants permission for them to do so.
This allows customers at both the retail and business level to give apps and other outside tools direct access to their banking information for services like financial planning, account management, payment automation, and anything else that might be useful.
Previously, banks had exclusive access to this information and were not required to open it up to third parties, even if the customer demanded it. This gave banks a huge advantage in selling their own financial services and digital tools to their customers, since they effectively had a captive audience.
A bank might see a large transaction hit a customer’s account and start pitching investment products or financial advice to them, and outside financial service vendors would have no way of reaching that customer.
Even if the customer sought them out, the bank could block them from providing integrated solutions by preventing them from directly accessing the customer’s account data.
This could lead to scenarios where you’re a customer of Citibank, but you manage your money and automatic payments through an app created by Amazon, without ever having to use Citibank’s apps or website. As you might imagine, this could dramatically change the face of retail banking.
American merchants, already reeling from adapting to the changes required by the recent Mastercard and Visa mandates, may be feeling relieved that the demands of the PSD2 aren’t falling on their heads.
But at this point, if you aren’t already using 3-D Secure or equivalent security protocols to reduce fraud, you’re doing yourself no favors—and this directive should serve as a reminder of the importance of staying ahead of the curve when it comes to protecting your business, and your customers, from fraudsters.
The knock-on effects of PSD2’s open banking directive are also likely to spread outside the EEA, especially if the big consumer tech companies see an opportunity in entering the financial and payment services industry.
Are we headed for a world in which the average person saves and invests their money with one company, but manages and accesses it with another?
Only time will tell. In the meantime, merchants must keep a close eye on these developments and be ready to adapt when necessary.