Payment Services Directive 2 (PSD2)

What is PSD2?
Directive (EU) 2015/2366, widely known as PSD2, regulates payment services in the European market. The date by which Member States had to comply with the Directive is January 13th, 2018.
The purpose of the Directive is to provide the legal basis for the further development of a unified internal market for payments within the European Union, making them equally simple, effective, safe and transparent.
Why was PSD2 created?
In 2015 the EU adopted a new directive on payment services (PSD2) to improve the existing rules and take new digital payment services into account. The directive became applicable in January 2018. It includes provisions to:

  • Make it easier and safer to use internet payment services.
  • Better protect consumers against fraud, abuse, and payment problems.
  • Promote innovative mobile and internet payment services.
  • Strengthen consumer rights.
  • Strengthen the role of the European Banking Authority (EBA) to coordinate supervisory authorities and draft technical standards.
Where does PSD2 apply?
The revised Payment Services Directive applies to any payment where the cardholder’s issuing Bank and the acquirer for that transaction are inside the European Economic Area.
Who does PSD2 affect?
PSD2 impacts virtually everyone living or working in EU countries. If you are involved in the buying and selling of goods and services in the EU, PSD2 affects you. If you make a payment, receive payment, or are in any way involved in retail payments, PSD2 aims to make those processes transparent and safe.
Consumers, financial institutions, and the payments industry that binds them are all affected by PSD2.
PSD2 legislation specifies rights and responsibilities for groups including:

  • Third party payment service providers (TPPs).
  • Payment initiation service providers (PISPs).
  • Aggregators and account information service providers (AISPs).

3D Secure 2.0 under PSD2

What is 3D Secure?
One of PSD2’s main points is that it will become mandatory for merchants to authenticate transactions. One way of fulfilling this criterion is by implementing EMV 3D Secure.
EMV 3D Secure is the newest update of the 3D Secure feature developed by EMVCo, a company jointly owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay.
What are the benefits of 3D Secure?
EMV 3D Secure uses more contextual data than earlier versions of 3D Secure, which leads to the following additional benefits:

  • Being able to exchange 10x more data than 3DS 1.0 to allow for more informed authentication and authorization decisions.
  • Performing risk-based authentication or frictionless authentication to allow cardholders to be passively authenticated.
  • Improving end-to-end transaction processing time by limiting the authentication cycle to one.
  • Enabling state-of-the-art authentication methods, such as biometrics, for stronger two-factor authentication.
  • Supporting new payment needs on any device, such as in-app and mobile payments.
  • Supporting additional use cases, for example, card on file, wallets, and tokenization.
  • Eliminating the need for consumer registration while shopping.

Strong Customer Authentication (SCA) under PSD2

What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is defined as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). These must be independent from one another, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.”
With the general shift towards online services, there is a greater need to authenticate the identity of users during transactions and banking activities, in order to:

  • Reduce the potential for online fraud.
  • Reduce the cost of processing fraudulent transactions.
  • Increase cardholder confidence in using online services.
  • Comply with international regulations such as PCI-DSS and of course PSD2.
What is dynamic linking?
Dynamic linking is a new requirement introduced by PSD2. It involves dynamically linking authentication tokens to the specific payment amount and the specific payee of the transaction.
If the payment amount or the payee changes, the authentication token is no longer valid and a new one needs to be generated and used. Including dynamic linking in SCA adds an authentication layer beyond what the previous guidelines required.
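The binding described above can be illustrated with a keyed MAC over the amount and payee. This is an added example, not code from this page or from any payment scheme; the HMAC-SHA256 construction, the function names, the nonce and the sample payee identifier are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_payload(amount: Decimal, currency: str, payee: str, nonce: bytes) -> bytes:
    """Encode the linked fields unambiguously before they are authenticated."""
    fields = [
        format(amount.quantize(Decimal("0.01")), "f").encode(),  # 49.9 -> b"49.90"
        currency.upper().encode(),
        payee.encode(),
        nonce,
    ]
    # Length-prefix each field so adjacent values cannot be shifted into one
    # another (currency "EU" + payee "RX" must differ from "EUR" + "X").
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def issue_auth_code(key: bytes, amount: Decimal, currency: str, payee: str):
    """Return (nonce, code) for the exact amount and payee the payer approved."""
    nonce = secrets.token_bytes(16)  # fresh per transaction
    code = hmac.new(key, canonical_payload(amount, currency, payee, nonce),
                    hashlib.sha256).digest()
    return nonce, code


def verify_auth_code(key, amount, currency, payee, nonce, code) -> bool:
    """Recompute the code from the transaction as submitted and compare."""
    expected = hmac.new(key, canonical_payload(amount, currency, payee, nonce),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, code)  # constant-time comparison


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # constructed demo key
    payee = "EXAMPLE-MERCHANT-0001"    # constructed payee identifier
    nonce, code = issue_auth_code(key, Decimal("49.90"), "EUR", payee)
    print(verify_auth_code(key, Decimal("49.90"), "EUR", payee, nonce, code))
    print(verify_auth_code(key, Decimal("499.00"), "EUR", payee, nonce, code))
    print(verify_auth_code(key, Decimal("49.90"), "EUR", "OTHER-PAYEE", nonce, code))
```

A code issued for one amount and payee fails verification as soon as either value differs in the submitted transaction, so a new code has to be generated.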

In what cases will SCA apply?
SCA will be required on card transactions in which both the merchant’s acquiring bank and the Bank issuing the buyer’s debit or credit card are located within the European Economic Area (EEA). The affected countries/regions include: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, the Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

What types of transactions will be exempt?
SCA requires customers to authenticate themselves using two-factor authentication prior to making an online payment. However, SCA does not need to be applied to all transactions; some transaction types are out of scope, and exemptions may be applied in some other cases.

Is the transaction out of scope of SCA? There are four key out-of-scope transaction types:

  • Merchant Initiated Transactions (MITs): Where a cardholder has pre-agreed (and pre-authenticated) one or more future transactions, and may not be available to authenticate at the time that they are initiated.
  • Mail Order, Telephone Order (MOTO): MOTO transactions are those made remotely, via mail or telephone.
  • One leg out Transactions: Defined as those transactions where either the issuer or the acquirer is outside of the EEA.
  • Anonymous Transactions: Customers do not need to complete SCA when an anonymous payment method is used, e.g. a gift card.

Can the transaction benefit from an SCA exemption? There are 4 exemption categories that can be applied by the acquirer or issuer:

  • Transaction Risk Analysis (TRA): The TRA exemption applies to all transactions deemed low risk, based on a Transaction Risk Analysis assessment.
  • Low Value Payments: Where TRA is not possible, it may be possible for the merchant or acquirer, within certain cumulative limits, to apply a low value exemption on any transaction below €30.
  • Trusted Beneficiaries: Customers can add merchants to a trusted list, where SCA is generally only required on the initial transaction.
  • Corporate Payments: The secure corporate payment exemption can be applied to all non-personal transactions that have been initiated from secure corporate environments on eligible cards.