We’ve done a lot of research on many topics related to payments processing, and PSD2 is one of the most dry and dreary we have come across. First of all, it’s legislation, so that puts it into the snooze column right away. But it also presents complex challenges for merchants that need to comply with it, which makes it the perfect topic for a ChargebackHelp makeover!
We’re going to assuage the tedium of this regulatory framework so that you’ll achieve better PSD2 compliance as a merchant. ChargebackHelp is following PSD2 closely because, while it may stimulate innovation and reduce fraud for European ecommerce, it is also going to increase online fraud attacks outside of Europe as the rats jump ship for softer targets. So even if you’re out of PSD2’s scope, it will affect you by proxy; it’s best to get ahead of the curve as soon as possible.
What is the PSD2?
Sorry nerds, PSD2 is not a video game sequel or a Star Wars character. The Payment Services Directive (PSD) is an evolving regime of laws by the European Union that govern payments services within the European Economic Area (EEA). “Evolving” because since it was first enacted in 2007, the PSD needed some updates, culminating in the PSD2. This second directive addressed payment security concerns and the emerging market of third-party payments services providers aka “fintechs”.
What it means for the banks
First, PSD2 loosens the banks’ monopoly on financial services. Banks must open their APIs to allow third-party access to their customers’ accounts, at that customer’s request. This enshrines two new sectors in the financial services industry: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). AISPs are services such as applications that help consumers monitor and budget their spending. PISPs are services such as peer-to-peer (P2P) payments and online bill payment. Services like these no longer have to partner with banks or states and can market directly to consumers.
What it means for fintech
Second, because of this new, open frontier of third-party services, PSD2 mandates what is called “Strong Customer Authentication” (SCA) for transactions. Now pay attention, because you’re about to learn something cool here… In all the history of confirming one’s identity — whether it’s a secret handshake, legal evidence, or nuclear launch codes — authentication is proven by at least one of three factors:
- What you know (knowledge): passwords, billing addresses, PINs
- What you have (ownership): keys, credit cards and CVV codes
- Who you are (inherence): signature, fingerprints
PSD2 requires that any in-scope transaction within the EEA be authenticated with at least two of these factors, each from a different category, built into the API managing it. Going forward, most Europeans will have to provide a password (what they know) plus something else they either have or are: a code texted to their phone (ownership), a biometric imprint (inherence), or something along those lines.
What’s at stake for merchants?
The concept of Strong Customer Authentication sounds great if you’re a consumer. But as a merchant, whenever the rules change on authenticating transactions, the inevitable learning curve can create checkout friction. Critics are wary of PSD2 driving up false positives and cart abandonment.
Many of those concerns have been assuaged by the release of 3DS 2.0. 3DS inserts issuers and card networks directly into the authentication process. 3DS 1.0 did this via a clunky iframe or popup that prompted customers to enter their payment info directly with their card issuer for authentication. There was friction, so much so that it necessitated the launch of 3DS 2.0. This new version has eliminated popups and ships with an SDK for merchants to better customize the interface to their gateway. Whether you’re in scope of PSD2 or not, we highly encourage merchants to adopt 3DS 2.0, simply from a fraud prevention and liability standpoint. You can get a deeper understanding of 3DS here.
The official PSD2 exemption list
Big companies with teams of lawyers poring over the details of PSD2 have the resources to either prepare for PSD2 or simply lobby themselves an exemption. Netflix has already finagled an exemption for its subscription model, where SCA is required for the first transaction only. Amazon and Apple have forged “trusted merchant” exemptions because of their low fraud ratios. The giants of industry once again pave a path through new regulations that suits them well; but what about smaller businesses, and high-risk merchants in particular?
In addition to these well-connected companies that have carved out exemptions, here’s what’s exempt from the PSD2 scope:
- B2B transactions
- MOTO: Mail-order or telephone-order transactions
- MIT: Merchant-initiated transactions such as subscriptions and recurring billing
- Anonymous card transactions involving prepaid debit or gift cards
- Transactions under €30
- Trusted Beneficiaries: Certain trusted merchants (not you)
One leg out = one leg up
Another important exemption is the one-leg rule. If you had to deal with the EU’s General Data Protection Regulation (GDPR), you’re familiar with the concept of “legs in.” If a transaction has two legs in (customer and acquirer are both based in Europe) or one leg in (either the customer or the acquirer is non-European), you have to comply with the GDPR. PSD2, on the other hand, applies to two-leg transactions only. This provides merchants doing business in Europe with a bit of daylight around the SCA requirement.
There’s also something to consider for all merchants, no matter how many legs we’re talking about: SCA is happening and fraud will adapt to it. As we learned with EMV, when you secure one area against fraud, it flushes the fraudsters out to less-secured areas. If SCA does its job of making EU transactions more secure, fraudsters will inevitably set their sights on merchants with more lax authentication models. So even if you run “legless” transactions, you should seriously consider adopting Strong Customer Authentication.
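To make the two rules above concrete (the two-distinct-category factor requirement from the SCA section, and the exemption list plus the one-leg rule from this section), here is an added example of how a merchant’s checkout could decide whether to proceed or challenge. It is illustration code written for this page, not ChargebackHelp’s or any gateway’s implementation, and it encodes only what the article states: the factor categories, the exemptions as listed, and the €30 threshold. The EEA country list, the factor names, and the `Transaction` fields are simplified assumptions for the example.

```python
"""Simplified SCA scope and factor-category checker (added example).

Not an implementation of the official PSD2 Regulatory Technical
Standards; it encodes the article's three factor categories, its
exemption list, and the two-leg rule. Names and lists are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Factor categories as the article lists them: knowledge, ownership
# (commonly called "possession" in the standards), inherence.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "billing_address": "knowledge",
    "card_cvv": "ownership",
    "sms_otp": "ownership",        # code texted to a phone the customer holds
    "hardware_key": "ownership",
    "fingerprint": "inherence",
    "face_scan": "inherence",
}

# Constructed, shortened EEA list for the example; the real list is longer.
EEA = {"DE", "FR", "NL", "IE", "ES", "IT", "NO", "IS", "LI"}

SCA_AMOUNT_THRESHOLD_EUR = 30.0  # the article's "transactions under €30"


@dataclass
class Transaction:
    amount_eur: float
    customer_country: str
    acquirer_country: str
    channel: str = "ecommerce"          # "ecommerce" or "moto"
    merchant_initiated: bool = False    # MIT: subscriptions, recurring billing
    b2b: bool = False
    anonymous_prepaid: bool = False     # prepaid debit / gift cards
    trusted_beneficiary: bool = False   # issuer-side whitelist, per the article
    factors_presented: List[str] = field(default_factory=list)


def is_two_leg(tx: Transaction) -> bool:
    """One-leg rule as the article states it: PSD2 applies only when both
    the customer and the acquirer are in the EEA."""
    return tx.customer_country in EEA and tx.acquirer_country in EEA


def exemption_reason(tx: Transaction) -> Optional[str]:
    """First applicable exemption from the article's list, or None if in scope."""
    if not is_two_leg(tx):
        return "one-leg-out"
    if tx.b2b:
        return "b2b"
    if tx.channel == "moto":
        return "moto"
    if tx.merchant_initiated:
        return "mit"
    if tx.anonymous_prepaid:
        return "anonymous-prepaid"
    if tx.amount_eur < SCA_AMOUNT_THRESHOLD_EUR:
        return "low-value"
    if tx.trusted_beneficiary:
        return "trusted-beneficiary"
    return None


def factor_categories(factors: List[str]) -> Set[str]:
    """Map presented factors to their categories; unknown names are ignored."""
    return {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}


def satisfies_sca(factors: List[str]) -> bool:
    """Two factors from the same category (password + PIN) do not count;
    SCA needs at least two distinct categories."""
    return len(factor_categories(factors)) >= 2


def checkout_decision(tx: Transaction) -> Tuple[str, str]:
    """Return ("proceed", why) or ("challenge", "sca-required").

    Exempt transactions proceed; in-scope ones proceed only when the
    presented factors already span two categories, otherwise the checkout
    must step up (for example via a 3DS 2.0 challenge).
    """
    reason = exemption_reason(tx)
    if reason is not None:
        return "proceed", reason
    if satisfies_sca(tx.factors_presented):
        return "proceed", "sca-met"
    return "challenge", "sca-required"


if __name__ == "__main__":
    # Constructed sample: two-leg EEA purchase above €30 with two
    # knowledge factors only, so it must be challenged.
    sample = Transaction(49.99, "DE", "FR", factors_presented=["password", "pin"])
    print(checkout_decision(sample), factor_categories(sample.factors_presented))
```

In a live checkout the merchant does not get to declare most of these exemptions unilaterally: the issuer decides whether a trusted-beneficiary or low-value exemption is honoured, and that decision arrives through the 3DS 2.0 exchange. The value of a rule table like this is in routing: knowing in advance which orders should be sent down the frictionless path and which will need a challenge, so the cart-abandonment cost the article warns about is paid only where the Directive actually demands it.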
Who owns the future of ecommerce?
PSD2 is part of a long-standing push by the EU to “federalize” its financial services; it allows consumers and financial services to better transact business from one member country to another. And more recently, like GDPR and EMV, PSD2 is another regulatory landmark that sets Europe ahead of the pack in the future of online payments and processing. It’s a one-two punch that other markets such as the US and China will have to reckon with one way or another.
The authentication tech has made leaps and bounds lately to accommodate the Directive. So compliance with PSD2 is becoming much less painful for our bottom lines. Furthermore, compliance with the Payment Services Directive will put merchants and fintechs ahead of the curve as the US and other markets work up to the EU’s example. SCA-compliant merchants will also be shielded from the next wave of fraud that will relocate to more vulnerable financial sectors still doing things the “old” way. So while there may be some loopholes to avail yourself of, they should be temporary as markets and merchants adjust to the changes.
This article is meant as an overview. If you have any unanswered questions about the implications of the PSD2, be sure to consult your processing professionals. ChargebackHelp is well-qualified to assist you in this capacity. Send us an email, call us at 1.800.975.9905 or contact us here.