PSD2: How Will the New Legislation Affect Merchants?
The revised Payment Service Directive, or PSD2, is a European edict designed to help level the financial playing field for banks, retailers, and consumers. The mandate entered into force in early 2016, and member states were required to have it written into national law by January 2018.
Lawmakers also set additional PSD2 testing and compliance deadlines for 2019. First, by March 14, 2019, all institutions that provide or maintain payment accounts (collectively known as ASPSPs, or Account Servicing Payment Service Providers) were required to provide:
- A testing facility
- Specifications that proved compliance with PSD2’s Regulatory Technical Standard (RTS)
Also, merchants must implement Strong Customer Authentication (SCA) capability and all specified RTS requirements by September 14, 2019.
As it’s planned to work, PSD2 should open a world of new opportunities for consumers and businesses. Like any major policy change, however, there’s a fair amount of uncertainty involved.
Legislation and acronyms seem to go together like fish and chips, but PSD2 sports an even higher number than normal. We’ve put together this quick chart to help navigate the subject.
[Chart: PSD2 (Payment Service Directive, revised) terms]
What is PSD2?
The original Payment Service Directive was put in place to regulate payment services—and payment service providers—across the EU and European Economic Area. The goals were to facilitate pan-European competition, increase consumer protections, and standardize the rights and obligations for payment providers and users. PSD worked to some extent, but issues still remained. Enter PSD2.
Building on the original directive, PSD2 goes even further in creating a more integrated and competitive market. It breaks down barriers to entry for new payment services. Thus, PSD2 should also benefit consumers by creating a more competitive market.
Additionally, PSD2 puts more focus on data security, as the world continues to transition to a digital economy. It mandates Strong Customer Authentication and expands overall consumer rights. Finally, the directive brings about limits on costs associated with card payments, as well as better fraud protection for consumers and an overall more equitable online payment environment.
Perhaps the biggest change, though, concerns Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Under the new PSD2 regulations, both consumers and businesses operating in the EU will be free to utilize these third parties to fill roles previously restricted only to banks.
AISPs and PISPs: Third-Party Resources
Consumer trust issues have underscored the belief that banks are safer than third-party entities. The problem is that the banking business is understandably hard to get into. The extensive security protocols and licensing requirements create a significant obstacle for newcomers.
The Payment Service Directive is changing the situation. With platforms like PayPal, Apple Pay, and a host of others gaining increasing acceptance, consumers demonstrate more faith in outside services than before. At the same time, PSD2 will continue to make it easier for non-banks to enter the financial service arena.
This means sites like Facebook and Google can now offer their users a host of new financial services. Options range from checking balances and information on multiple accounts (AISPs), to making online payments via direct transfer of funds instead of using a credit or debit card (PISPs), all within the same platform.
Account Information Service Providers
AISPs are service providers who—at the bank customer’s request—can gain access to that customer’s account data. That access could be used, for example, to analyze a specific user’s spending patterns, either for a single bank, or collectively across the customer’s accounts in multiple banks.
Payment Initiation Service Providers
PISPs, on the other hand, are able to provide transfer services without the bank’s direct involvement. Common examples include peer-to-peer transfers or centralized bill payment services. Again, the customer would be able to access any and all bank accounts from the same platform.
This does not mean, of course, that banks are out of the picture. AISPs/PISPs are not banks, and there are still services they will be legally prohibited from offering. That said, banks are obligated to provide third-party players with access to customers’ accounts, assuming the account holder grants permission.
This allows non-banks to offer certain financial services, unburdened by traditional business models where the bank was always the primary provider. Theoretically, any allowable financial services a third-party resource might offer can “piggyback” on a bank’s existing infrastructure. This is made possible using open APIs (Application Program Interfaces).
PSD2’s provisions on third-party financial and payment services present clear opportunities. They could create another worrisome side effect, however.
Having third-party platforms provide services through banks means adding another entry point to a given transaction chain. Every entry point has the potential of being a weak link in that chain…a fact fraudsters are certain to exploit to their advantage.
One Market, One Banking Standard?
A unified European market has been one of the expressed goals for both the first PSD and PSD2. Currently, the European financial market lacks the infrastructure for efficient cross-border banking, particularly in the area of standardized regulations. This creates a predictable barrier for moving into a new country. The investment needed simply to understand and implement regulatory compliance offers too small a return to be enticing.
With PSD2, this will not necessarily change…at least not for banks in any one country. For third-party financial service providers, however, being licensed by their home base’s financial authority works across the entire EU.
In other words, banks will still require a license from every country they wish to operate in. But, under PSD2, any third-party providers—including international banks and non-banks—will need only one. Tech companies like Google could theoretically have a major competitive advantage over traditional banks.
More Customer Security, but Will It Be Enough?
So far, we have discussed PSD2 largely from the perspective of banks and other (existing and future) financial service providers. One significant element of PSD2 implementation is an increased focus on data security and the consumer experience. This will directly impact both merchants and consumers.
For example, starting in September, additional security will be required for online transactions. The new Strong Customer Authentication mandate requires customers to use at least two of the following three options to verify their identities:
- Knowledge: Provide unique information only that customer will know, such as a password or PIN
- Possession: Establish access to an item only associated with that customer, such as sending a text message to a mobile phone
- Inherence: Some type of physical proof such as a fingerprint or facial recognition
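The SCA rule above is that the two factors must come from two different categories, so a password plus a security question (both knowledge) does not qualify. The following added example, written for this article and not taken from any regulator or payment provider, encodes that check; the evidence-type names and their category mapping are constructed assumptions for illustration.

```python
from enum import Enum


class Factor(Enum):
    """The three SCA categories named in the directive."""
    KNOWLEDGE = "knowledge"    # something only the customer knows
    POSSESSION = "possession"  # something only the customer has
    INHERENCE = "inherence"    # something the customer is


# Constructed mapping of evidence types a checkout might collect to their
# SCA category. Real deployments would derive this from their auth stack.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "sms_otp": Factor.POSSESSION,
    "hardware_token": Factor.POSSESSION,
    "registered_device": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face_recognition": Factor.INHERENCE,
}


def sca_categories(evidence):
    """Return the set of distinct SCA categories covered by the evidence.

    Unknown evidence types are rejected rather than silently ignored, so a
    misconfigured checkout cannot accidentally count as authenticated.
    """
    categories = set()
    for item in evidence:
        try:
            categories.add(EVIDENCE_CATEGORY[item])
        except KeyError:
            raise ValueError(f"unrecognised evidence type: {item!r}") from None
    return categories


def meets_sca(evidence):
    """True when at least two *different* categories are present."""
    return len(sca_categories(evidence)) >= 2


def missing_categories(evidence):
    """Categories not yet covered, useful for deciding what to step up to."""
    return set(Factor) - sca_categories(evidence)


if __name__ == "__main__":
    # Two knowledge factors: fails despite being "two factors".
    print(meets_sca(["password", "security_question"]))   # False
    # Knowledge + possession: passes.
    print(meets_sca(["password", "sms_otp"]))             # True
    print(missing_categories(["password"]))
```

The point of `missing_categories` is the friction trade-off the article raises: a merchant can see which single additional category would satisfy the rule instead of stacking further same-category prompts that add friction without meeting SCA.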
Experts have advocated adopting 2-factor authentication (2FA) for years. At this point, though, even 2FA might not be enough. The new regulatory standards are certainly better than a single static password, but the fact remains that hackers are already finding new ways to break basic 2-factor methods such as chip-and-PIN.
Biometric-based verification has thus far proven to be more reliable, but immediately raises concerns about consumer privacy. This issue is far from resolved.
Plus, additional security mandates coming from new bank/financial institution regulations could stop merchants from implementing customized fraud prevention tools based on personal risk assessment. That could dramatically increase the risk of chargebacks in some situations.
Potential Issues for Merchants
There are three points at which PSD2 adoption could negatively affect merchants’ operations:
#1. Customer Experience
Maintaining an optimized customer experience is already a challenge. However, PSD2 promises to exacerbate the matter. Today’s consumers value smooth yet flexible service at least as highly as security (if not higher). Merchants may struggle to find ways to provide a frictionless experience, especially since implementing the required security measures causes friction almost by definition.
SCA security protocols are a step in the right direction for consumers, merchants, and banks alike. But finding a way to implement that security without negatively influencing the customer experience could prove problematic.
#2. Chargebacks and Disputes
The consumer’s right to file chargebacks on credit and debit card purchases is guaranteed under the Fair Credit Billing Act of 1974. It’s not clear how customer disputes will work with a PISP, though. Since these are not credit or debit card transactions, there’s no guarantee that a service provider will be able to resolve customer disputes when goods or services aren’t received.
Of course, chargebacks are widely abused and employed in committing friendly fraud, and the system is in desperate need of an update for the eCommerce age. That said, chargebacks remain an important consumer protection tool, ensuring that consumers won’t pay the price for fraud.
It may shake consumer confidence if a PISP is not prepared to handle the same volume of disputed transactions as existing card schemes. This could, in turn, create other unforeseen problems for merchants.
#3. Non-EU Merchants
If you have any transactions at all with parties in the EU, PSD2 will affect your business, no matter which side of the pond you call home. Merchants in North America will need to abide by some (though not all) of the new regulations to access consumers in EU member states. Given that EU citizens spent $720 billion online in 2017—more than 50% higher than the total spent in the US—most merchants would be very reluctant to give up EU market customers.
Looking to the Future
The revised Payment Service Directive was a response to unsatisfactory consequences following the first PSD. The question now is, “will it work?”
While nothing is certain, experts already suggest that a PSD3 is likely.
Traditionally, many banks hesitated to fully embrace new technology. This is partly for security reasons, but also because the legacy business model gave them almost complete control. Under PSD2, a host of non-banks will have the ability to provide some of these services, moving into the financial arena without the heavy baggage of the banks.
How all this will ultimately impact merchants remains to be seen. On one hand, having more payment options may open the door to new customers. On the other, increased security measures are bound to cause friction at checkout, which may turn customers away. Plus, consumers who bypass the card schemes for transactions may not understand that they are likely also forfeiting the government-mandated fraud protections built into card use.
Then there’s the fraud issue. Even with stricter security measures in place, opening the financial services arena to a stream of new players is almost guaranteed to attract new types of fraudsters, as well. At the same time, standardized regulations may hinder merchants from implementing the individualized mitigation strategies necessary for their protection.
Some type of consumer fraud protection mechanism will still be necessary for non-credit or debit card payments under PSD2. This presents a unique opportunity for the industry to come together to create new consumer protection practices fit for the 21st Century.
New payment security standards would be vastly preferable to all the individual parties trying to implement their own protections…or worse, offering no protection at all. Given the uncertainty PSD2 entails, we recommend that you insulate yourself against any potential negative ramifications now.