Payment Services Directive 2 (PSD2)

What is PSD2?
The European Union’s second revision of the Payment Services Directive (PSD2) is the directive that regulates electronic payment services throughout the EU.

The legislation’s key innovation is establishing a framework to make consumer banking data available (with consumer permission) to third parties such as retailers and financial technology companies. This allows non-bank parties (such as a retail merchant) to initiate payments without the intervention of traditional card brand networks.

In short, PSD2 creates a legislative framework that allows more ways to easily exchange payments more securely than ever before.
Why was PSD2 created?
PSD2 was established to stimulate competition, facilitate innovation, increase efficiency, enhance security and reduce fraud in the retail payment market.

The development of the original PSD could not possibly have envisioned the revolutionary changes in payment technology in the decade since its enactment. PSD2 accounts for the explosive growth of FinTech companies, dramatic global shifts by consumers toward eWallets, the rise of alternative payment methods such as bank transfers, and elevated expectations for consumer privacy.

Where does PSD2 apply?
The revised Payment Services Directive applies in full to any payment where both the cardholder’s issuer and the merchant’s acquirer for that transaction are inside the European Economic Area (EEA). Where only one side is in the EEA (a so-called “one-leg” transaction), the SCA requirements described below apply only on a best-effort basis.
Who does PSD2 affect?
PSD2 impacts virtually everyone living or working in EU countries. If you are involved in the buying and selling of goods and services in the EU, PSD2 affects you. If you make a payment, receive a payment, or are in any way involved in retail payments, PSD2 aims to make those processes transparent and safe.
Consumers, financial institutions, and the payments industry that binds them are all affected by PSD2. PSD2 legislation specifies rights and responsibilities for groups including:

  • Third party providers (TPPs), the umbrella term for the two categories below.
  • Payment initiation service providers (PISPs).
  • Aggregators and account information service providers (AISPs).

3D Secure 2.0 under PSD2

What is 3D Secure 2.0?
One of PSD2’s main points is that electronic transactions must be authenticated with Strong Customer Authentication (see below). For card payments, the main way merchants and issuers satisfy this requirement is by implementing 3D Secure.

3D Secure 2.0 is the newest version of the 3D Secure protocol, which is specified by EMVCo, a company jointly owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay.

What are the benefits of 3D Secure 2.0?
3D Secure 2.0 exchanges far more contextual data than earlier versions of 3D Secure, which leads to the following additional benefits:

  • Speeding up purchases for low-risk transactions
    The amount of contextual data exchanged between cardholder, merchant, and issuer is roughly ten times greater than before.

    Examples of new contextual data used by 3D Secure 2.0:

    • Device information.
    • Service information.
    • Gift card information.
    • Timezone.
    • Screen height.

    Based on this contextual data, issuers can apply a risk-based (“frictionless”) flow and approve low-risk transactions without presenting the cardholder with a separate authentication step.
    Industry projections for this flow are that customers will spend 85% less time in the checkout process, and that issuers will classify the large majority of transactions (around 95%) as low-risk.

  • Offering greater security for high-risk transactions
    For high-risk transactions, issuers will continue to perform the authentication step.
    The contextual data helps issuers better understand the background of high-risk transactions:

    • From which devices they usually take place.
    • The purchasing pattern of the cardholder.
    • During which hours transactions usually take place, so that anomalies can be flagged as potential fraud.
  • Decreased cart abandonment
    Because the contextual data lets the issuer skip the authentication step for low-risk transactions, fewer customers drop out at checkout; industry projections put the reduction in cart abandonment at up to 70%.

Strong Customer Authentication (SCA) under PSD2

What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is defined as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). These must be independent from one another, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.”
With the general shift towards online services, there is a greater need to authenticate the identity of users during transactions and banking activities, in order to:

  • Reduce the potential for online fraud.
  • Reduce the cost of processing fraudulent transactions.
  • Increase cardholder confidence in using online services.
  • Comply with regulations and industry standards such as PCI DSS and, of course, PSD2.
What is dynamic linking?
Dynamic linking is a further requirement that PSD2 introduces for remote electronic payments. The authentication code generated during SCA must be specific to the amount and the payee that the payer agreed to when initiating the transaction, and the payer must be shown that amount and payee when authenticating.
If the payment amount or the payee changes, the authentication code is no longer valid and a new one has to be generated and used. Dynamic linking therefore adds an integrity layer on top of two-factor authentication: it is not enough to prove who the payer is; the proof must also cover exactly what is being paid, to whom.
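The following Python example shows the mechanism described above in working code. It is an added illustration, not code from this page, a bank or a card scheme: a possession-bound key on the payer’s device computes an authentication code over the exact amount and payee shown to the payer, and the issuer recomputes that code over the details actually submitted for execution, so any change to either, and any replay of a used code, is rejected. The class names (PayerDevice, IssuerAuthServer), the HMAC-SHA256 construction, the in-memory challenge store and the sample IBANs are all assumptions made for this example.

```python
"""Dynamic linking worked example (added illustration, not code from the
page, a bank or a card scheme). Names, the HMAC construction and the
challenge store are assumptions made for this example."""
import hashlib
import hmac
import secrets
from decimal import ROUND_HALF_UP, Decimal


def canonical_payload(amount, currency, payee, nonce):
    """Canonical bytes so both sides hash exactly the same thing.
    Amount is normalised to minor units ('10.0' and '10.00' both become 1000),
    currency is upper-cased and the payee identifier is stripped of whitespace."""
    minor = int((Decimal(amount) * 100).quantize(Decimal("1"), rounding=ROUND_HALF_UP))
    return f"{minor}|{currency.upper()}|{payee.strip()}|{nonce.hex()}".encode()


class PayerDevice:
    """Possession element: a key provisioned into the payer's banking app (assumed)."""

    def __init__(self, device_key):
        self._key = device_key

    def approve(self, amount, currency, payee, nonce):
        # The code is bound to what the payer sees on screen before approving,
        # which is the point of dynamic linking.
        payload = canonical_payload(amount, currency, payee, nonce)
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()


class IssuerAuthServer:
    """Issuer side: hands out single-use challenges and verifies codes."""

    def __init__(self):
        self._device_keys = {}   # device_id -> shared key (assumed enrolment)
        self._challenges = {}    # challenge_id -> (device_id, nonce)

    def enrol(self, device_id, device_key):
        self._device_keys[device_id] = device_key

    def issue_challenge(self, device_id):
        nonce = secrets.token_bytes(16)          # freshness: defeats replay
        challenge_id = secrets.token_hex(8)
        self._challenges[challenge_id] = (device_id, nonce)
        return challenge_id, nonce

    def verify(self, challenge_id, amount, currency, payee, code):
        # Single use: the challenge is consumed on its first verification attempt.
        entry = self._challenges.pop(challenge_id, None)
        if entry is None:
            return False
        device_id, nonce = entry
        # Recompute over the transaction details submitted for execution, not
        # over what the device claims it showed; a mismatch means tampering.
        payload = canonical_payload(amount, currency, payee, nonce)
        expected = hmac.new(self._device_keys[device_id], payload, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, code)


def run_scenarios():
    """Constructed scenarios: legitimate payment, replay of a used code,
    tampered amount, tampered payee, and harmless formatting differences."""
    server = IssuerAuthServer()
    key = secrets.token_bytes(32)
    server.enrol("phone-1", key)
    device = PayerDevice(key)
    payee = "DE89370400440532013000"   # constructed sample IBAN
    results = {}

    cid, nonce = server.issue_challenge("phone-1")
    code = device.approve("49.99", "EUR", payee, nonce)
    results["legitimate"] = server.verify(cid, "49.99", "EUR", payee, code)
    results["replay"] = server.verify(cid, "49.99", "EUR", payee, code)

    cid, nonce = server.issue_challenge("phone-1")
    code = device.approve("49.99", "EUR", payee, nonce)
    results["amount_tampered"] = server.verify(cid, "499.99", "EUR", payee, code)

    cid, nonce = server.issue_challenge("phone-1")
    code = device.approve("49.99", "EUR", payee, nonce)
    results["payee_tampered"] = server.verify(cid, "49.99", "EUR", "GB33BUKB20201555555555", code)

    # Formatting differences must not break a legitimate payment.
    cid, nonce = server.issue_challenge("phone-1")
    code = device.approve("49.99", "eur", f" {payee} ", nonce)
    results["equivalent_formatting"] = server.verify(cid, "49.990", "EUR", payee, code)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:22s} -> {'accepted' if ok else 'rejected'}")
```

Two design points matter in practice. The issuer recomputes the code over the amount and payee that arrive with the execution request, never over values echoed back by the device, so a man-in-the-browser that alters the transaction after the payer approved it produces a mismatch. And the canonicalisation step is security-relevant in the opposite direction: if the two sides serialise “49.99” and “49.990” differently, legitimate payments fail and operations teams tend to respond by weakening the check.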

What types of transactions are covered under SCA?
The majority of online transactions will be covered under SCA. PSD2 has made it mandatory for payment service providers to apply SCA. If a transaction goes through without SCA being applied, liability for any resulting fraud loss shifts away from the customer to the payment service provider (or payee) that did not require or accept SCA. PSD2 requires SCA in the following situations:

  • Accessing payment accounts online.
  • Initiating electronic transactions.
  • Any action carried out through a remote channel that presents a risk of payment fraud.
  • Provisioning of information through a service provider (payment or information).

In almost all circumstances, two independent authentication factors (two-factor authentication, 2FA) will become mandatory, and some scenarios will involve additional checks, to help protect customers, merchants, and banks against online fraud.

What types of transactions will be exempt?
A small number of transaction types are exempt from the SCA requirements of PSD2. These include:

  • Payments at unattended terminals for transport fares and parking fees.
  • Contactless payments of less than €50, provided that the cumulative amount of previous consecutive electronic payment transactions without SCA doesn’t exceed €150 (the regulatory technical standards also let the issuer use a count of five consecutive transactions instead).
  • Accessing account information limited to the balance or to transactions from the past 90 days, provided SCA was applied at first access and is re-applied periodically.
  • Credit transfers between accounts held by the same person.