How PSD2 Affects Your Business & What Will Come Next
For regulators in the EU and UK, the goal is always to create a more standardized, universal set of rules for payments. One banking standard “to rule them all,” if you will.
The revised Payment Service Directive, or PSD2, was an attempt at that.
PSD2 should have opened a world of new opportunities for consumers and businesses. But, like any significant policy change, regulators left a fair amount to be desired.
In this article, we’ll go over what PSD2 is, who it pertains to, and the effects it’s had on commerce since implementation. We’ll also consider where regulators might go from here, and how businesses should respond.
Recommended reading
- Dispute Apple Pay Transaction: How Does The Process Work?
- What is EMV Bypass Cloning? Are Chip Cards Still Secure?
- Terminal ID Number (TID): What is it? What Does it Do?
- How Do Credit Card Numbers Work? What do the Numbers Mean?
- P2P Payment Use in eCommerce Jumps 66% in 2024
- Visa+: Get the Most Out of Digital Wallets With This Tool
What is PSD2?
- Revised Payment Services Directive (PSD2)
The Revised Payment Services Directive (PSD2) is a ruleset administered by the European Commission. Its purpose is to regulate payment services and payment service providers throughout the European Union and European Economic Area, allowing new entities to operate as financial institutions with proper oversight.
[noun]/rǝ • vīzd • pā • muhnt sur • vis • es • dǝ • rek • tiv/
The original Payment Service Directive was put in place in 2007 to facilitate pan-European competition, increase consumer protections, and standardize the rights and obligations of payment providers and users. The PSD worked to some extent, but a number of issues remained. For instance, entities that could operate as financial institutions in one country might not be able to do so in another, or the standards for best practices might differ across borders.
Enter PSD2.
Building on the original directive, PSD2 goes even further in creating a more integrated and competitive market. It breaks down barriers to entry for new payment services. Thus, PSD2 should benefit consumers by creating a more competitive market (in theory).
PSD2 also focuses on greater data security standards. It mandates Strong Customer Authentication standards and expands overall consumer rights. The directive limits costs associated with card payments and mandates better fraud protection for consumers.
What Changes Did PSD2 Make? How Does It Differ From PSD1?
The original Payment Services Directive laid the legal groundwork for a EU single market for payments. The directive’s goal was to make cross-border payments between EU member states as seamless, easy, and secure as national payments within a member state.
PSD2 builds upon PSD1’s legal foundations. It further integrates the EU single market for payments, introduces stricter security standards for payment providers, protects consumers, and levels the playing field for third-party payment service providers (TPPs).
The inclusion of TPPs within the scope of PSD2 is a key way in which the revised directive differs from PSD1. Under PSD2, third parties known as “account information service providers” (or “AISPs”) and “payment initiation service providers” (or “PISPs”) can enter the EU market. To do so, they must comply with the revised directive’s transaction security and customer data protection mandates.
The introduction of Strong Customer Authentication (SCA) standards mean that both banks and non-bank TPPs must secure customer accounts using multi-factor authentication security measures. SCA requirements promulgated under PSD2 help keep sensitive customer information secure and reduce fraudulent transaction risks.
The introduction of TPPs into the EU payments market means that sensitive customer information will be shared more frequently between bank and non-bank providers. Banks can’t withhold financial information from TPPs. This data sharing is done with the customer’s consent, of course.
Data is most vulnerable while in transit, so PSD2 introduced unified technical specifications for application programming interfaces, or APIs—tools that allow bank and TPP software to “talk” to each other. Under PSD2, payment service providers will need to regularly report on API security measures, changes, and performance. The hope is that these stricter API standards will lead to safer and more secure communications between bank and non-bank TPPs.
What are AISPs and PISPs?
Perhaps the biggest change resulting from PSD2 concerns account information service providers and payment initiation service providers.
PSD2 allows for more open banking. This means, for example, that sites like Facebook and Google can now offer their users a host of new financial services. Options range from checking balances and information on multiple accounts to making online payments via direct transfer of funds instead of using a credit or debit card.
These services can be specific, or can be provided all within the same platform by an AISP or a PISP. Under PSD2 regulations, both consumers and businesses operating in the EU are free to use these third parties to fill roles previously restricted only to banks.
How are AISPs and PISPs Beneficial?
Third-party payment providers can “piggyback” on existing banking infrastructure. This lets them offer services faster and more easily than many traditional financial institutions.
The introduction of AISPs and PISPs allows non-bank third-party payment service providers to offer new and improved financial services to merchants and consumers.
This is possible because TPPs have a unique advantage. Using open application program interfaces, (or “APIs”), third parties can “piggyback” on a bank’s existing infrastructure. This lets them offer credit, investing products, depository accounts, cross-border transfers, and other solutions faster and more easily.
This does not mean, of course, that banks are out of the picture. Banks are obligated to provide third-party players with access to customers’ accounts, assuming the account holder grants permission. But, AISPs and PISPs are still not banks; there are services they will be legally prohibited from offering.
There are other concerns to keep in mind, too. For instance, having third-party platforms provide services through banks means adding another entry point to a given transaction chain. Every entry point has the potential of being a weak link in that chain… a fact fraudsters are sure to exploit.
That said, PSD2 does address this issue. As mentioned before, the directive unifies technical standards surrounding APIs and requires banks and TPPs to regularly report on their APIs’ security measures. Although this requirement will not deter all instances of fraud, it may lower its prevalence.
Who Must Comply With PSD2?
All financial institutions and TPPs doing business in the European Economic Area (EEA) must comply with PSD2. This includes all 27 European Union (EU) member states plus Iceland, Lichtenstein, and Norway. PSD2 is also enforced by the Financial Conduct Authority in the UK, despite the fact that they are not UR or EEA members.
The directive impacts eCommerce merchants, too. In fact, it impacts any business or service that accepts payments from consumers, uses payment or customer data, or otherwise assists in the electronic payment process.
PSD2 was first introduced on January 12, 2016, and EU member states were given two years to transpose it into national law. Enforcement of the directive began on September 14, 2019, though not without delays.
For instance, the European Banking Authority extended the deadline for Strong Customer Authentication compliance to December 31, 2020, and in the UK, PSD2 the deadline was further extended to March 14, 2022.
As of August 2024, PSD2 is in full effect within all EEA countries and the UK. This means, among other things, that all customer-initiated electronic payment transactions must go through strong customer authentication protocols unless they qualify for a very specific exclusion or exemption.
SCA Exemptions Allowed Under PSD2
Essentially, everyone who takes or manages payments in the EU or UK must be PDS2 compliant for most transactions. There are, however, a few exceptions to the rule that may apply in specific circumstances.
Possible SCA exemptions include:
Low-Risk Payments
Payments below €30
Fixed-Amount Subscriptions
SCA only applies to the first transaction.
Trusted Beneficiaries
In effect, businesses that are considered a ‘trusted source’, like a utility provider, etc. The customer’s bank maintains the list.
Corporate Payments
Charges made on behalf of a more central agency, such as corporate travel, meals, hotels, etc.
Payments Made With Saved Cards
The customer will always need to authenticate, and the bank still reserves the right to decline
Other exemptions may apply in the future, as PSD2 regulations are relatively new. While this might offer a bit of a break from these behemoth changes to well-established payment routines, merchants are less enthusiastic about the changes.
Merchant Issues With PSD2
PSD2 implementation has gone fairly smoothly for most parties. This probably owes to the several years of delays allowed for the compliance deadline. That said, there are three points at which PSD2 adoption has negatively impacted operations:
Chargebacks are widely abused and used to commit friendly fraud, and the system is in desperate need of an update for the eCommerce age in general. That said, chargebacks remain an essential consumer protection tool, ensuring that consumers won’t pay the price for fraud.
How Does PSD2 Affect Conversion?
Let’s look at that last point in a little more detail.
Frankly, the initial impact of PSD2 on conversion wasn’t great. Comparing 3DS conversion rates with non-3DS transactions paints a relatively clear picture of PSD2’s failings across the EU.
Decrease in Conversions per Country Post-PSD2:
Great Britain | Germany | France | Spain | Italy |
25-30% | 50% | 40-50% | 40% | 40-50% |
(Source: Forter)
Referring to this graph, we can see the European market was not prepared for the new regulations. According to Forter, high 3DS authentication declines result from technical failure or issuer decline. This indicates that the payment ecosystem is not fully prepared to handle the new regulation.
Now, the good news is that widespread adoption of newer version of 3DS technology has largely addressed this problem. But, it still serves as an illustrative example of what can happen when new regulations are implemented without merchants and other players being prepared for the change.
What About PSD3?
In June 2023, the European Commission proposed a third payment services directive (PSD3) along with a Payment Services Regulation (PSR). The final PSD3/PSR legislative drafts are expected to be available by the end of 2024. If this deadline is met, the rules established by PSD3/PSR legislation could go into force as soon as the second half of 2026.
PSD3/PSR seeks to improve upon some of PSD2’s practical weaknesses. For example, the pair of proposals will streamline compliance requirements for AISPs and PISPs. This could make it easier for prospective and incumbent firms operating in the EU market to secure and maintain authorization to do business, respectively.
PSD3/PSR also introduces an array of new consumer protections. It mandates greater fee transparency among ATM service providers, requires “duly justified response and reasoning” from the PSP when accounts are closed, and further limits consumers’ liability for fraud—specifically when they are victims of APP fraud.
It will be interesting to see what PSD3 will entail once the final draft is ready. In the meantime, merchants have to focus their attention on remaining compliant while ensuring that conversion is not negatively impacted.
How Can Merchants Counteract Pitfalls & Remain Compliant?
Merchants want to get ahead of the game and remain compliant. To do so, a simple fix might be to shift focus to other fraud prevention solutions and practices. We recommend that merchants:
Need Help?
PSD2 regulations are complex, and guidelines for compliance can be vague and confusing.
What if someone could show you the ropes?
With more than a decade of experience in the payments industry, Chargebacks911® is the leading chargeback management solution provider in Europe. Reach out to us for a no-obligation discussion about how to navigate the regulatory challenges and opportunities presented by PSD2, PSD3/PSR, and future EU directives.
FAQs
What is the meaning of PSD2?
Officially the Revised Payment Services Directive and colloquially the “Payment Services Directive 2,” PSD2 is a European Union (EU) regulation that lays out security requirements for payment service providers (PSPs). Entered into force in January 2016, PSD2 expands consumer protections and requires PSPs to implement Strong Customer Authentication security standards.
Is PSD2 applicable in the US?
Officially, no. PSD2 is only enforced within the European Union (EU) and the European Economic Area (EEA). However, PSD2 would apply to US merchants with EU customers or US payment service providers that process payments in the EU.
What are the main requirements of PSD2?
PSD2 protects customer data and enhances payment transaction security by requiring payment service providers (PSPs) to adhere to several standards. First, PSD2 mandates strong customer authentication, which requires PSPs to implement two-factor authentication security measures. Second, PSPs must monitor suspicious or fraudulent transaction and device activity on behalf of customers. Third, PSD2 unifies technical standards regarding application programming interface (API) access for third-party PSPs.
What is the difference between GDPR and PSD2?
GDPR sets standards for the storage, processing, and transfer of customer data. It grants consumers rights over their personal data and is broadly applicable to a wide range of industries (not just the payments space). PSD2 is a regulatory framework that applies more narrowly to the payments industry. It mandates strong customer authentication security measures, enhances fraud monitoring requirements, and unifies technical standards surrounding application programming interface (API) access for third-party payment service providers, or TPPs.
What are the risks of using PSD2?
Most of the risks surrounding PSD2 involve the sharing of “sensitive personal data” with third-party payment service providers (TPPs). For example, it may be more difficult for banks that share customer data with TPPs to keep that data private. The movement of data between banks and TPPs also introduces security risks, given that data is most vulnerable when it is in transit. PSD2 also elevates transaction fraud risk, since some TPPs may be unreliable or even criminal.
Who needs to be PSD2 compliant?
Any payment service provider that does business in the EU, the European Economic Area (EEA), or the UK, must be PSD2 compliant.