The revised payment service directive (PSD2) is an update of the existing PSD1, which was introduced in 2007 and provided a single market for making payments in the European Union (EU).
Soon after the introduction of the initial PSD, many new service providers introduced new ways to make online payments. As the open banking system gained recognition in the European market, small businesses and consumers engaged with new financial services and applications. Since the number of new players have increased, the EU has recognised the need for an update. PSD2 was implemented with an intention to enhance innovation and create competition in the banking sector.
This directive also aims to make online payments safer for customers, improve protection of consumer information, address payment fraud, and provide a common platform for competitors.
What is PSD2?
Under the PSD2 regulation, the banks are required to provide account information to third-party service providers (TPPs) with consent from account holders. This helps customers to:
1. Get a consolidated view of their account information through Account Information Service Providers (AISPs)
2. Initiate online payments through Payment Initiation Service Providers (PISPs)
Changes after PSD2
PSD2 builds on the previous version of PSD, incorporating the following changes:
1. ‘One leg out’ transactions: This refers to transactions where a payment service provider (either payer or payee) is outside of the EU. PSD2 will increase the scope for one leg out transactions, including cross-border payments in foreign currencies. Under PSD1, these transactions were out of scope.
2. Access to accounts (XS2A): PSD2 enables and regulates access to customer accounts based on consent. Under this regulation, the banks maintaining customer payment account information are compelled to give third-party providers (TPPs) secure access to customers’ banking information after getting the customers’ permission.
3. Preventing payment surcharges: PSD2 will ban surcharges on card payments made by the customer for transactions performed online or in shops. Surcharges were previously applied for online payments and specific sectors like the travel and hospitality industries.
4. Increased security for online payments: PSD2 increases security and improves the protection of consumer information by providing strong customer authentication. It also addresses the increase in online remote payment fraud by adding an extra layer of authentication.
Access to accounts (XS2A)
Access to accounts is one of the biggest technological innovations in the retail banking sector. It provides a channel for direct communication between the merchant and the customer’s bank. PSD2 uses XS2A to connect customers’ banks with third parties.
Under PSD2, financial institutions that maintain customer accounts are known as Account Servicing Payment Service Providers (ASPSPs).
With the customer’s consent, the ASPSPs maintaining customer accounts must provide Third-Party Payment Providers (TPPs) a secure way to access customer information.
PSD2 introduces two categories of TPPs: AISPs and PISPs. AISPs allow customers to see integrated information from various service providers. PISPs allow customers to initiate online payments directly from their personal bank accounts.
Use case 1: Account Information Service Provider (AISP) — An AISP is a third-party service provider that collects customers’ bank data, such as bank balance and transaction history, by gaining access to their account information from an ASPSP. It can even help a customer manager multiple bank accounts. Examples include Mint and MoneyDashboard.
Suppose that a customer wants to view their consolidated account information on MoneyDashboard, an AISP.
The customer interacts with the third-party information service provider, MoneyDashboard, through an authorised channel.
MoneyDashboard gets the customer’s account information from different banks via open APIs.
Once MoneyDashboard collects all the information, it reflects the aggregated data in the form of a dashboard and displays it to the customer in an innovative, valuable way.
Use case 2: Payment Initiation Service Provider (PISP) — A PISP is a regulated entity such as a bank or a third-party service that allows customers to make payments without accessing bank account information or credit cards. Examples include Sofort and Trustly.
Suppose that a customer is purchasing an item on Amazon and wants to make a payment online via Trustly.
The Amazon website takes the customer to the payment checkout page.
The customer consents to make the payment via the PISP, Trustly.
Trustly sends a payment confirmation to Amazon and simultaneously initiates a payment via an open API to the customer’s bank.
The customer’s bank debits the payment amount from customer’s account and transfers it to the merchant’s bank.
Based on the type of request, the customer’s bank then initiates a credit transfer or a settlement to the merchant’s bank.
So far we have seen how transactions are carried out by third parties. But how do we know that these transactions are happening through secure channels?
Open banking standards
The Competition and Market Authority (CMA), which is responsible for strengthening business competition in the UK, is securing the payment channels under PSD2 by defining data interface and security requirements. Information can now be exchanged via open APIs in a consistent format because CMA has adopted OAuth 2.0 and OpenID Connect as authentication and authorisation standards for open banking.
1. OAuth 2.0 is an open standard authorisation protocol that enables third-party applications to have limited access to user accounts. This is made possible using access tokens, which define the security parameters of a login process.
2. OpenID Connect is a widely used standard for one-time sign-ons. It has been successful because it provides simple JSON-based identity tokens, which, when delivered via OAuth 2.0 flow, enable resource exchange on web browsers and mobile applications.
Identity and access management (IAM)
Identity and access management (IAM) is a set of business processes that help in maintaining secure digital identities. IAM provides secure access to applications, services, and APIs for validated users. It is used by both financial institutions and third-party providers.
A secure user experience is important for financial institutions. With the increasing number of services and applications provided by third parties, customers expect a hassle-free login experience across all of the applications they use. IAM tools like multi-factor authentication and secure user directories can help to keep these logins secure. Customer consent for third-party access to user account information will need to be freely given in accordance with GDPR (the General Data Protection Regulation).
What is strong customer authentication?
Strong Customer Authentication (SCA) is an additional authentication process for card transactions. SCA involves three factors—knowledge, possession, and inherence—of which at least two must be used independently to verify the customers’ identities while making online payments.
Benefits of PSD2
For customers, complying with PSD2 will gain a holistic view of their finances, which will help them manage their spending. It will also give them a choice of how to make their electronic payments: to pay directly from their bank accounts, or to make payments from other sources in a secure way. Either way, they can avoid paying the surcharges associated with card-based payments. Compliance with PSD2 also ensures protection from fraud, which will be advantageous to both consumers and merchant businesses.
PSD2 allows merchant businesses to offer a wide range of payment options for their consumers. Increasing the numbers of choices for service providers increases the competition between payment service providers. When businesses get paid directly from payers’ accounts, they can reduce interchange fees.
The revised payment service directive (PSD2) was introduced with the intention to provide uniform grounds for the new players in the banking industry and to acquaint customers with new technologies. By adapting to this modern, IAM-centered banking approach, customers and third parties can share their information through secure channels. For consumers, complying with PSD2 will benefit from a more comprehensive view of their business finances, which will help them make wise business decisions and control spending.