Conversion to Compliance: How PSD2 Affects Your Business
Regulators in the EU and UK markets have implemented several sweeping overhauls to payment standards in recent years. Their goal was to create a more standardized, universal payments space; one banking standard “to rule them all,” if you will. The revised Payment Service Directive, or PSD2, is a prominent example.
PSD2 should have opened a world of new opportunities for consumers and businesses. But, like any significant policy change, regulators left a fair amount to be desired.
In this article, we’ll go over what PSD2 is, who it pertains to, and the effects it’s had on commerce since implementation. We’ll also consider where we might go from here, and how businesses should respond.
What is PSD2?
The original Payment Service Directive was put in place to facilitate pan-European competition, increase consumer protections, and standardize the rights and obligations of payment providers and users. The PSD worked to some extent, but a number of issues remained. For instance, entities that could operate as financial institutions in one country might not be able to do so in another, or the standards for best practices might differ across borders.
The Revised Payment Services Directive (PSD2) is a ruleset administered by the European Commission. Its purpose is to regulate payment services and payment service providers throughout the European Union and European Economic Area, allowing new entities to operate as financial institutions with proper oversight.
Building on the original directive, PSD2 goes even further in creating a more integrated and competitive market. It breaks down barriers to entry for new payment services. Thus, PSD2 should benefit consumers by creating a more competitive market (in theory).
PSD2 also focuses on greater data security standards. It mandates Strong Customer Authentication standards and expands overall consumer rights. The directive limits costs associated with card payments and mandates better fraud protection for consumers.
PSD2 & Third-Party Banking Providers
Consumer trust issues have underscored the belief that banks are safer than third-party entities. At issue is the fact that the banking business is hard to get into. The extensive security protocols and licensing requirements create a significant obstacle for newcomers. PSD2 regulations are changing this situation.
Platforms like PayPal, Apple Pay, and others are gaining increasing acceptance. Consumers have demonstrated more faith in outside services year over year. At the same time, PSD2 will continue to make it easier for non-banks to enter the financial service arena.
Perhaps the biggest change resulting from PSD2 concerns Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Under the new PSD2 regulations, both consumers and businesses operating in the EU are free to use these third parties to fill roles previously restricted only to banks.
What are AISPs and PISPs?
PSD2 allows for more open banking. This means, for example, that sites like Facebook and Google can now offer their users a host of new financial services.
Options range from checking balances and information on multiple accounts to making online payments via direct transfer of funds instead of using a credit or debit card. These services can be specific, or can be provided all within the same platform by an account information service provider (AISP) or a payment initiation service provider (PISP).
Account Information Service Providers (AISP)
AISPs are service providers who—at the bank customer’s request—can gain access to that customer’s account data. That access could be used to analyze a specific user’s spending patterns, either for a single bank or collectively across the customer’s accounts in multiple banks.
Payment Initiation Service Providers (PISP)
PISPs can provide transfer services without the bank’s direct involvement. Common examples include peer-to-peer transfers or centralized bill payment services. Again, the customer would be able to access any bank accounts from the same platform.
What are the Benefits Offered by AISPs and PISPs?
The introduction of AISPs and PISPs allows non-banks to provide specific financial services, unburdened by traditional business models. Theoretically, a third-party resource's allowable financial services can “piggyback” on a bank’s existing infrastructure. This is made possible using open APIs (Application Programming Interfaces).
The kind of open banking this facilitates means companies can offer credit faster and more easily, with fewer restrictions. They can also facilitate a smoother process, with more redundancies in security checks.
This does not mean, of course, that banks are out of the picture. Banks are obligated to provide third-party players with access to customers’ accounts, assuming the account holder grants permission. But, AISPs and PISPs are still not banks; there are services they will be legally prohibited from offering.
There are other concerns to keep in mind, too. For instance, having third-party platforms provide services through banks means adding another entry point to a given transaction chain. Every entry point has the potential of being a weak link in that chain…a fact fraudsters are sure to exploit.
Who Must Comply with PSD2?
PSD2 applies to payment service providers and financial institutions in the EEA. The rules outline authentication requirements that each party is expected to implement. They also impose specific rules regarding customer-initiated electronic payments and customer payment accounts.
The law impacts eCommerce sites, too. It can affect any business that accepts payments from consumers, as well as businesses or services that use payment or customer data and services that assist in the electronic payment process.
Regulators extended the deadline for PSD2 compliance for several years. However, the final deadline for PSD2 compliance was March 14, 2022. Now, customer-initiated electronic payment transactions must go through strong customer authentication protocols unless they qualify for a very specific exclusion or exemption.
SCA Exemptions Allowed Under PSD2
Essentially, everyone who takes or manages payments in the EU or UK must be PSD2 compliant for most transactions. There are, however, a few exceptions to the rule that may apply in specific circumstances.
Possible SCA exemptions include:
Payments below €30
SCA only applies to the first transaction.
In effect, businesses that are considered a ‘trusted source’, like a utility provider, etc. The customer’s bank maintains the list.
Charges made on behalf of a more central agency, such as corporate travel, meals, hotels, etc.
Payments Made With Saved Cards
The customer will always need to authenticate, and the bank still reserves the right to decline.
Other exemptions may apply in the future, as PSD2 regulations are relatively new. While this might offer a bit of a break from these behemoth changes to well-established payment routines, merchants are less enthusiastic about the changes.
Merchant Issues With PSD2
PSD2 implementation has gone fairly smoothly for most parties. This probably owes to the several years of delays allowed for the compliance deadline. That said, there are three points at which PSD2 adoption has negatively impacted operations:
#1 | Customer Experience
Maintaining an optimized customer experience is already a challenge. However, PSD2 has exacerbated the matter. Today’s consumers value smooth-yet-flexible service at least as highly as security (if not higher). Merchants often struggle to find ways to provide a frictionless experience, especially since implementing the required security measures causes friction, almost by definition.
SCA security protocols are a step in the right direction for consumers, merchants, and banks. But, finding a way to implement that security without negatively influencing the customer experience is proving problematic.
#2 | Chargeback Policy
The consumer’s right to file chargebacks on credit and debit card purchases is guaranteed under the Fair Credit Billing Act of 1974 in the US. It is covered in the UK by Section 75 of the Consumer Credit Act. Customer disputes are different with PISPs, though. Since these are not credit or debit card transactions, there’s no guarantee that a service provider can resolve customer disputes when goods or services aren’t received.
Of course, the system is in desperate need of an update for the eCommerce age in general. Chargebacks are widely abused and used to commit friendly fraud. That said, chargebacks remain an essential consumer protection tool, ensuring that consumers won’t pay the price for fraud.
Thus far, PISPs have not proved themselves in the arena of disputed transactions. Many merchants have seen little-to-no fluctuation in the frequency of disputes, aside from a general rise in post-pandemic CNP transactions and their resulting chargebacks. This is a “remains to be seen” situation.
#3 | Non-EU Merchants
If you have any transactions with parties in the EU, the PSD2 will affect your business, no matter which side of the pond you call home. Merchants in North America will need to abide by some (though not all) of the new regulations to access consumers in EU member states.
Another significant concern circling the globe due to PSD2 compliance is the increased reliance on 3-D Secure 2.0 technology. Since PSD2 requires SCA to verify users, many merchants sought 3DS solutions to comply with the directive. This turned out to be a mistake, as PSD2 affects every aspect of 3DS software with some startling side effects.
Authentication failures like false declines, abandonment, and a loss of consumer trust are just a few examples of the problems resulting from too many safeguards in place at once. Heightened security is a great thing, but that security can lead to lost revenue and even chargebacks when technical issues arise. 3DS tends to trigger issuer declines to combat fraud, and due to its sensitivity… merchants are feeling the backlash in their conversion rates.
How Does PSD2 Affect Conversion?
Frankly, the PSD2 impact on conversion hasn’t been great, and 3DS is only making the situation worse. Comparing 3DS conversion rates with non-3DS transactions paints a relatively clear picture of PSD2’s failings across the EU.
Decrease in Conversions per Country Post-PSD2:
Referring to this graph, we can see the European market was not prepared for the new regulations. High customer abandonment rates and 3DS failures are causing undue frictions between merchants and cardholders. Those cardholders, in turn, have become accustomed to near-seamless payment portals.
According to Forter, high 3DS authentication declines result from technical failure or issuer decline. This indicates that the payment ecosystem is not fully prepared to handle the new regulation.
How Can Merchants Counteract Pitfalls and Remain PSD2 Compliant?
Despite merchant conversion rates, chargebacks, or other concerns that deeply affect global markets due to the regulation, PSD2 is the law of the land.
Merchants want to get ahead of the game and remain PSD2 compliant. To do so, a simple fix might be to disable any 3DS technology they’ve enabled and shift focus to other fraud prevention solutions for the moment.
Preventing fraud and chargebacks should always be paramount for merchants seeking to improve their bottom line, but doing so ethically, intelligently, and with an eye for practicality is best.
Use the Right Fraud Tools
In addition to 3DS, you should deploy several other fraud tools that work in tandem to secure your transaction power. This includes AVS, CVV, and two-factor authentication, to name a few.
Conduct Regular Audits
Conduct regular audits of all internal operations to ensure you’re doing what needs to be done. Are you staying up to date with tech changes? Are your employees abiding by your established protocols?
Keep Software Up to Date
Outdated software can cause multiple problems. Outdated fraud prevention solutions may fail to intercept new threats. Keep up with all software updates and patches and deploy them as soon as possible.
If you’re an EEA merchant or one who must deal with PSD2 regulations fairly regularly, the new guidelines can be overwhelming.
Wouldn’t it be great if someone could show you the ropes?
With over 16 years as a payments industry leader, the experts at Chargeback911 can help. Contact us today for more information about how the PSD2 regulations may affect your business and, as always, help you form strategies to fight back against resulting chargebacks and payment disputes.