Q. What is PSD2? How does it differ from PSD1?
The revised Payment Services Directive (PSD2, Directive (EU) 2015/2366) is an update of the original PSD1, which was introduced in 2007 and created a single market for payments in the European Union (EU).
Under PSD2, banks are required to give regulated third-party providers (TPPs) access to customer account data and payment initiation, but only with the account holder's explicit consent. This lets customers:
- Get a consolidated view of their account information through Account Information Service Providers (AISPs)
- Initiate online payments through Payment Initiation Service Providers (PISPs)
PSD1 established the legal foundation for a single market for payments. It is credited with bringing substantial benefit to the European economy by giving customers more, and safer, ways to pay. One of its main objectives was to make cross-border payments within the EU practical. PSD1 also required more transparency and information for customers, such as execution times and fees.
Q. Where does PSD2 apply?
The directive applies to payments made within the European Union. It aims to promote electronic payments, which are considered cost-effective and supportive of economic growth. Payment methods such as cash and cheques fall outside its scope.
Q. What are the objectives of PSD2?
PSD2 updates the rules that the EU put in place with PSD1. Its main objectives are as follows:
- Work towards an integrated payments market
- Provide a level playing field for payment service providers
- Enable secure channels for making online payments
- Ensure protection of customer information
Q. What are the Regulatory Technical Standards?
The Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication (Commission Delegated Regulation (EU) 2018/389) set out the technical requirements behind PSD2. They specify:
- the requirements for strong customer authentication (SCA)
- the exemptions from SCA
- the security measures that protect the confidentiality and integrity of customers' personalised security credentials
- the need for common and secure open standards of communication between the PSD2 parties: account servicing payment service providers (ASPSPs, i.e. the banks holding the accounts), TPPs, payers and payees
Q. What is 3D Secure 2.0?
3D Secure (3DS) is the most common method for authenticating an online card payment, and many European cards support it.
3DS adds an extra step after checkout in which the cardholder's bank asks the cardholder for additional proof of identity before the payment completes. For example, the bank may ask the customer to enter a one-time password (OTP) sent to their mobile device, or to approve the payment in their mobile banking app.
3D Secure 2.0 is the updated version, widely rolled out in 2019, and it is designed to meet the SCA requirements.
The new version gives a better customer experience because it does not rely solely on OTPs for authentication; it allows several SCA methods, including biometrics, and it lets the merchant pass risk data to the issuer so that low-risk payments can be approved without a challenge. It also supports in-app, mobile and digital-wallet payments.
Q. Will PSD2 apply to all international payments?
PSD2 applies primarily to two-legged transactions, where both the payer's and the payee's payment service providers are in the EU.
However, PSD2 also brings 'one leg out' transactions into scope; under PSD1 these were largely excluded. A 'one leg out' transaction is one in which either the payer's or the payee's payment service provider is outside the European Union. Only the EU-based provider is bound by PSD2: if the merchant's provider is outside the EU and the payer's is inside it, the merchant itself does not have to comply with PSD2.
The directive also applies to transactions in currencies other than the euro.
Q. Who are third party providers?
Third-party providers (TPPs) are regulated payment institutions that offer payment-related services to customers on top of the accounts held at their banks. Acting as AISPs, they collect account information from a customer's different banks and present it in one dashboard. Acting as PISPs, they initiate payments directly from the customer's online bank account, so the customer can pay over the internet without a card.
</br>
Q. What does AISP mean?
AISP stands for Account Information Service Provider. It is a third-party service provider that collects customers’ bank data, such as balance and transaction history. It gains access to this account information through an Account Servicing Payment Service Provider (ASPSP). An AISP can help a customer manage multiple bank accounts. Examples include Mint and MoneyDashboard.
Q. What does PISP mean?
PISP stands for Payment Initiation Service Provider. It is a regulated entity, such as a bank or a third-party service, that initiates a payment directly from the customer's bank account on the customer's behalf, so the customer can pay a merchant without entering card details or logging into the bank's own site. Examples include Sofort and Trustly.
Q. How much access will PISPs and AISPs have regarding my bank account or my payments?
AISPs and PISPs cannot access bank account data or move money at will. An AISP can read account information only after the customer has given consent, and that consent is confirmed with strong customer authentication (SCA) performed with the customer's bank, not with the AISP. Likewise, a PISP can initiate a payment only after the customer has authorised that specific payment. Access is limited to what the customer consented to: an AISP gets read access to the agreed accounts, and a PISP gets no account data beyond confirmation that the payment was initiated. Nothing can be shared or paid without the customer's own authentication, and an accidental click cannot grant it, because the credentials used to authorise are held by the customer and verified by the bank. Neither banks, AISPs nor PISPs can authorise on a customer's behalf.
Q. What is SCA and how does it work?
SCA stands for Strong Customer Authentication. It is an additional authentication step in which customers must prove their identity before their bank releases account information to a third party, before an electronic payment is initiated, or before any remote action that carries a risk of fraud. It is the basis of the PSD2 rules on authenticating online customer payments.
Under the SCA rules, the customer must verify their identity with at least two elements from two different categories of the following three, and the elements must be independent, so that compromising one does not compromise the other:
- Knowledge: something the customer knows, such as a password or PIN.
- Possession: something the customer has, such as a phone or a card.
- Inherence: something the customer is, such as a fingerprint or facial recognition.
Q. Are SCA and 2FA same?
2FA stands for two-factor authentication. The two are not the same thing: 2FA is any scheme using two factors, while SCA is a regulatory requirement. 2FA satisfies SCA when its two factors come from different categories of the three above and are independent of each other; for remote payments, SCA additionally requires that the authentication code be dynamically linked to the specific amount and payee, which ordinary 2FA does not guarantee.
Q. Will all payments require SCA? Are there exceptions?
SCA is not required for every transaction. Payment service providers can request an exemption when they process a customer's transaction. The customer's bank then assesses the risk of the transaction and decides whether to grant the exemption or to require the authentication step anyway.
Following are the exemptions while implementing SCA:
Remote low-risk transactions (transaction risk analysis): a payment provider may skip SCA for a remote transaction when its own fraud rate, and that of the issuing bank, stays below the reference thresholds set in the RTS for the transaction's amount band (0.13% for transactions up to €100, 0.06% up to €250 and 0.01% up to €500).
Low-value transactions: a remote transaction of €30 or less is considered 'low value' and may be exempted from SCA. The exemption comes with conditions, and the bank will require SCA in either of the following cases:
- the exemption has already been used five times since the cardholder's last SCA
- the cumulative value of the payments exempted since the last SCA would exceed €100
Both counters reset once the customer completes SCA.
Recurring payments: SCA on fixed-amount subscriptions can be skipped when the customer makes repeated payments of the same amount to the same payee. The customer may be asked to complete SCA for the initial transaction; subsequent transactions in the series can be exempted.
Merchant-initiated transactions: sometimes a merchant charges a saved card under an agreement with the customer, for example for usage-based billing. The customer is not present when the payment is initiated, so these payments are initiated by the merchant rather than the cardholder, and they fall outside the SCA requirement. To use merchant-initiated transactions, the customer must complete SCA at least once, either when saving the card or when making the first payment.
Trusted beneficiaries (whitelisting): a customer may add a trusted business to a list of trusted beneficiaries held by their bank, so that future purchases from that business skip the authentication step. Adding a business to the list itself requires SCA.
Corporate payments: payments made with lodged cards are exempt, for example when an online travel agent uses a corporate card to manage employee travel expenses. SCA can also be skipped for payments made with virtual card numbers issued under secure corporate payment processes.
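The low-value and trusted-beneficiary exemptions above are a small state machine that the issuing bank runs per card: a per-transaction ceiling, a count of exempted payments since the last SCA, a cumulative-amount budget, and a reset when SCA succeeds. The following is an added example that models that logic; it is not code from the page, from any bank or from any card scheme. The thresholds follow the FAQ text, and the names `InstrumentState`, `decide_sca`, `record_outcome` and `simulate` are assumptions made for illustration.

```python
"""Issuer-side SCA exemption decision for one payment instrument.

Added example, not the page's own code. Thresholds follow the FAQ text
(EUR 30 per payment, five exempted payments or EUR 100 cumulative since
the last SCA); all names are illustrative assumptions.
"""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Set, Tuple

LOW_VALUE_LIMIT = Decimal("30")       # per-transaction ceiling for the low-value exemption
LOW_VALUE_MAX_COUNT = 5               # exempted payments allowed since the last SCA
LOW_VALUE_MAX_TOTAL = Decimal("100")  # cumulative exempted amount allowed since the last SCA


@dataclass
class InstrumentState:
    """Counters the issuer keeps for a card or account since the customer's last SCA."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")
    trusted_payees: Set[str] = field(default_factory=set)  # populated only via an SCA-protected step


def add_trusted_payee(state: InstrumentState, payee: str, sca_succeeded: bool) -> bool:
    """Whitelisting a beneficiary is itself an SCA-protected action; refuse it otherwise."""
    if not sca_succeeded:
        return False
    state.trusted_payees.add(payee)
    return True


def decide_sca(state: InstrumentState, amount: Decimal, payee: str,
               requested: Optional[str]) -> str:
    """Return 'exempt:<reason>' or 'sca_required' for one remote payment.

    `requested` is the exemption the merchant's PSP asked for ('low_value',
    'trusted_beneficiary') or None. The issuer never has to grant a requested
    exemption; it grants one only when its own checks pass, so the default is SCA.
    """
    if requested == "trusted_beneficiary" and payee in state.trusted_payees:
        return "exempt:trusted_beneficiary"
    if requested == "low_value":
        within_amount = amount <= LOW_VALUE_LIMIT
        within_count = state.exempt_count < LOW_VALUE_MAX_COUNT
        # Strict reading: the payment being decided counts toward the EUR 100 budget.
        within_total = state.exempt_total + amount <= LOW_VALUE_MAX_TOTAL
        if within_amount and within_count and within_total:
            return "exempt:low_value"
    return "sca_required"


def record_outcome(state: InstrumentState, amount: Decimal, decision: str,
                   sca_succeeded: bool = True) -> InstrumentState:
    """An exempted low-value payment consumes budget; a completed SCA resets it.

    A trusted-beneficiary exemption does not touch the low-value counters.
    """
    if decision == "exempt:low_value":
        state.exempt_count += 1
        state.exempt_total += amount
    elif decision == "sca_required" and sca_succeeded:
        state.exempt_count = 0
        state.exempt_total = Decimal("0")
    return state


def simulate(state: InstrumentState,
             payments: List[Tuple[Decimal, str, Optional[str]]]) -> List[str]:
    """Run a sequence of (amount, payee, requested_exemption) and return each decision,
    assuming every required SCA succeeds."""
    decisions = []
    for amount, payee, requested in payments:
        decision = decide_sca(state, amount, payee, requested)
        record_outcome(state, amount, decision)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    # Constructed sample: seven EUR 20 payments requesting the low-value exemption.
    # The sixth hits the five-payment cap and forces SCA, which resets the counters.
    card = InstrumentState()
    sample = [(Decimal("20"), "shop-a", "low_value")] * 7
    print(simulate(card, sample))
```

The important edge is in `record_outcome`: the counters reset only when SCA actually succeeds, so a declined or abandoned challenge does not hand the card a fresh exemption budget. Checking `exempt_total + amount` rather than `exempt_total` alone is the stricter reading of the €100 rule and is the one to choose when in doubt, since the issuer is free to require SCA more often than the exemption allows but not less.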
Q. What happens when a payment is processed incorrectly?
A payment that requires SCA is processed only once the customer completes the additional authentication step. If the customer fails or abandons the step, the payment is declined rather than processed.
Q. Since it is an EU regulation, will it still apply for the UK after Brexit?
Yes, it will. PSD2 was transposed into UK law as the Payment Services Regulations 2017 before the UK left the EU, so it remains in force regardless of the UK's relationship with the EU.