PAYMENT SERVICES DIRECTIVE 2
Payment Services Directive 2 (PSD2)
The purpose of the Directive is to provide the legal basis for the further development of a unified internal market for payments within the European Union, making payments equally simple, effective, safe and transparent. Its objectives are to:
- Make it easier and safer to use internet payment services.
- Better protect consumers against fraud, abuse, and payment problems.
- Promote innovative mobile and internet payment services.
- Strengthen consumer rights.
- Strengthen the role of the European Banking Authority (EBA) to coordinate supervisory authorities and draft technical standards.
Consumers, financial institutions, and the payments industry that binds them are all affected by PSD2.
PSD2 legislation specifies rights and responsibilities for groups including:
- Third party payment service providers (TPPs).
- Payment initiation service providers (PISPs).
- Aggregators and account information service providers (AISPs).
3D Secure 2.0 under PSD2
EMV 3D Secure is the newest update of the 3D Secure protocol developed by EMVCo, a company jointly owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay. Its improvements over 3DS 1.0 include:
- Being able to exchange 10x more data than 3DS 1.0 to allow for more informed authentication and authorization decisions.
- Performing risk-based authentication or frictionless authentication to allow cardholders to be passively authenticated.
- Improving end-to-end transaction processing time by limiting the authentication cycle to one.
- Enabling state-of-the-art authentication methods, such as biometrics, for stronger two-factor authentication.
- Supporting new payment needs on any device, such as in-app and mobile payments.
- Supporting additional use cases, for example, card on file, wallets, and tokenization.
- Eliminating the need for consumer registration while shopping.
Strong Customer Authentication (SCA) under PSD2
With the general shift towards online services, there is a greater need to authenticate the identity of users during transactions and banking activities, in order to:
- Reduce the potential for online fraud.
- Reduce the cost of processing fraudulent transactions.
- Increase cardholder confidence in using online services.
- Comply with international regulations such as PCI-DSS and of course PSD2.
SCA also requires dynamic linking: the authentication token generated for a transaction is tied to the specific payment amount and payee. If either the amount or the payee changes, that token is no longer valid and a new one must be generated and used. Including these dynamic linking elements in SCA adds an authentication layer beyond what the earlier guidelines required.
Is the transaction out of scope of SCA? There are four key out-of-scope transaction types:
- Merchant Initiated Transactions (MITs): the cardholder has pre-agreed (and pre-authenticated) one or more future transactions and may not be available to authenticate at the time a transaction is initiated.
- Mail Order, Telephone Order (MOTO): MOTO transactions are those made remotely, by mail or telephone.
- One-Leg-Out Transactions: transactions where either the issuer or the acquirer is outside the EEA.
- Anonymous Transactions: customers do not need to complete SCA when an anonymous payment instrument, e.g. a gift card, is used.
Can the transaction benefit from an SCA exemption? There are four exemption categories that can be applied by the acquirer or issuer:
- Transaction Risk Analysis (TRA): the TRA exemption applies to transactions deemed low risk by a transaction risk analysis assessment.
- Low Value Payments: where TRA is not possible, the merchant or acquirer may, within certain cumulative limits, apply a low value exemption to any transaction below €30.
- Trusted Beneficiaries: Customers can add merchants to a trusted list, where SCA is generally only required on the initial transaction.
- Corporate Payments: The secure corporate payment exemption can be applied to all non-personal transactions that have been initiated from secure corporate environments on eligible cards.
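The dynamic linking requirement and the scope/exemption flow above, as an added worked example (not code from the Directive, EMVCo or any scheme): the transaction fields, the HMAC key, the nonce and the boolean flags standing in for the acquirer's or issuer's own risk and cumulative-limit checks are all assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_cents: int                      # amount in euro cents
    payee: str
    merchant_initiated: bool = False       # MIT: pre-agreed and pre-authenticated
    moto: bool = False                     # mail order / telephone order
    issuer_in_eea: bool = True
    acquirer_in_eea: bool = True
    anonymous_instrument: bool = False     # e.g. a gift card
    tra_low_risk: bool = False             # outcome of the acquirer's/issuer's TRA
    within_cumulative_limits: bool = True  # placeholder for the cumulative-limit check
    payee_trusted: bool = False            # payee already on the customer's trusted list
    secure_corporate: bool = False         # eligible card from a secure corporate environment


def sca_decision(tx: Transaction) -> str:
    """Classify a transaction as out of scope, exempt (with the reason) or SCA-required."""
    # Out-of-scope checks come first: no SCA and no exemption is needed.
    if tx.merchant_initiated:
        return "out_of_scope:MIT"
    if tx.moto:
        return "out_of_scope:MOTO"
    if not (tx.issuer_in_eea and tx.acquirer_in_eea):
        return "out_of_scope:one_leg_out"
    if tx.anonymous_instrument:
        return "out_of_scope:anonymous"
    # Exemptions the acquirer or issuer may apply, in the order the text lists them.
    if tx.tra_low_risk:
        return "exempt:TRA"
    if tx.amount_cents < 3000 and tx.within_cumulative_limits:
        return "exempt:low_value"
    if tx.payee_trusted:
        return "exempt:trusted_beneficiary"
    if tx.secure_corporate:
        return "exempt:corporate"
    return "required"


def dynamic_link_code(key: bytes, tx: Transaction, nonce: bytes) -> str:
    """Authentication code bound to the amount and payee (dynamic linking)."""
    msg = f"{tx.amount_cents}|{tx.payee}|".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_dynamic_link(key: bytes, tx: Transaction, nonce: bytes, code: str) -> bool:
    """Any change to the amount or payee after issuance makes the code fail verification."""
    return hmac.compare_digest(dynamic_link_code(key, tx, nonce), code)
```

The nonce must be fresh per authentication so a code for one transaction cannot be replayed for a later one with the same amount and payee.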