Payment Services Directive 2 (PSD2)
The legislation’s key innovation is establishing a framework to make consumer banking data available (with consumer permission) to third parties such as retailers and financial technology companies. This allows non-bank parties (such as a retail merchant) to initiate payments without the intervention of traditional card brand networks.
In short, PSD2 creates a legislative framework that allows more ways to easily exchange payments more securely than ever before.
The drafters of the original PSD could not possibly have envisioned the revolutionary changes in payment technology in the decade since its enactment. PSD2 accounts for the explosive growth of FinTech companies, dramatic global shifts by consumers toward eWallets, the rise of alternative payment methods such as bank transfers, and elevated expectations for consumer privacy.
Consumers, financial institutions, and the payments industry that binds them are all affected by PSD2. PSD2 legislation specifies rights and responsibilities for groups including:
- Third party payment service providers (TPPs).
- Payment initiation service providers (PISPs).
- Aggregators and account information service providers (AISPs).
3D Secure 2.0 under PSD2
3D Secure 2.0 is the newest update of the 3D Secure feature developed by EMVCo, a company jointly owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay.
- Speeding up purchases for low-risk transactions
The amount of contextual data exchanged between cardholder, merchant, and issuer is 10 times larger than before.
Examples of new contextual data used by 3D Secure 2.0:
- Device information.
- Service information.
- Gift card information.
- Screen height.
Based on the contextual data, for low-risk transactions, issuers will be able to verify the identity of the cardholder without the authentication step.
As a result, customers will spend 85% less time in the checkout process. Issuers consider the majority of transactions (95%) to be low-risk.
- Offering greater security for high-risk transactions
For high-risk transactions, issuers will continue performing the authentication step.
The contextual data will help issuers better understand the background of the high-risk transactions:
- From what devices they usually take place.
- The purchasing pattern of the cardholder.
- The hours during which transactions take place, in order to better detect potential fraud.
- Decreased cart abandonment
Because of the contextual data, the authentication step may become unnecessary. This is said to lead to a proposed 70% decrease in cart abandonment.
Strong Customer Authentication (SCA) under PSD2
With the general shift towards online services, there is a greater need to authenticate the identity of users during transactions and banking activities, in order to:
- Reduce the potential for online fraud.
- Reduce the cost of processing fraudulent transactions.
- Increase cardholder confidence in using online services.
- Comply with international regulations such as PCI-DSS and of course PSD2.
If the payment amount or payee changes, the authentication token is no longer valid and a new one must be generated and used. Including such dynamic linking elements in SCA adds an authentication layer beyond the previously required guidelines.
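The dynamic linking described above, as an added example that is not taken from the page or from any PSD2 specification: an authentication code is computed over the amount and payee, so changing either one makes verification fail. The HMAC-SHA256 construction, the `DynamicLinker` class, the field layout and the payee identifiers are assumptions made for illustration, and the single-use check goes slightly beyond what the text states.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


class DynamicLinker:
    """Issues and verifies authentication codes bound to amount and payee."""

    def __init__(self, key: bytes):
        self._key = key        # assumption: secret held only by the authenticating party
        self._pending = set()  # nonces of codes issued but not yet consumed

    def _tag(self, amount: Decimal, currency: str, payee: str, nonce: str) -> bytes:
        if amount != amount.quantize(Decimal("0.01")):
            raise ValueError("amount must have at most two decimal places")
        fields = [f"{amount:.2f}", currency, payee, nonce]
        # Length-prefix each field so ("AB", "C") and ("A", "BC") cannot collide.
        msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest().encode()

    def issue(self, amount: Decimal, currency: str, payee: str) -> tuple[str, str]:
        nonce = secrets.token_hex(16)
        code = self._tag(amount, currency, payee, nonce).decode()
        self._pending.add(nonce)
        return nonce, code

    def verify(self, amount, currency, payee, nonce, code) -> bool:
        if nonce not in self._pending:
            return False  # unknown or already used
        ok = hmac.compare_digest(self._tag(amount, currency, payee, nonce), code.encode())
        if ok:
            self._pending.discard(nonce)  # single use
        return ok


def demo() -> dict:
    """Constructed sample payment; the payee identifiers are made-up placeholders."""
    linker = DynamicLinker(secrets.token_bytes(32))
    payee = "PAYEE-EXAMPLE-0001"
    nonce, code = linker.issue(Decimal("49.90"), "EUR", payee)
    args = ("EUR", payee, nonce, code)
    return {
        "amount_changed": linker.verify(Decimal("499.00"), *args),
        "payee_changed": linker.verify(Decimal("49.90"), "EUR", "PAYEE-EXAMPLE-0002", nonce, code),
        "unchanged": linker.verify(Decimal("49.90"), *args),
        "replayed": linker.verify(Decimal("49.90"), *args),
    }
```

A code issued for 49.90 EUR to one payee is rejected for a different amount or payee, accepted once for the original details, and rejected on replay.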
- Accessing payment accounts online.
- Initiating electronic transactions.
- Any action carried out through a remote channel that presents a risk of payment fraud.
- Provisioning of information through a service provider (payment or information).
In almost all circumstances, Two-Factor Authentication (2FA) will become mandatory, with many scenarios requiring more than two security checks to help protect customers, merchants, and banks against online fraud.
- Transactions made at unattended terminals for transportation and parking fees.
- Contactless payments of less than €50, provided that the cumulative amount of previous consecutive electronic payment transactions without SCA doesn’t exceed €150.
- Access to account information consisting of a balance, or prior transactions made in the past 90 days.
- Credit transfers between accounts held by the same person.