For businesses accepting card payments, implementing the revised Payment Services Directive (PSD2) is becoming increasingly complex. National regulators, banks, payment card associations, and payment services providers are all implementing the rules in different ways.
Some countries have adopted different compliance timelines, too. This can make implementation even more complicated, as the way transactions are handled depends on local regulations, the value of the payment, authentication preferences of the card issuer, whether the payment is recurring, and so on.
In this guide, we’ll look at what PSD2 is. We’ll also cover the security practices required to comply with PSD2 in the UK and get your payments authorised.
The Revised Payment Services Directive (PSD2) is a set of regulations for payment services that operate in the European Union (EU) and the European Economic Area (EEA). PSD2 is a replacement and enhancement for the earlier PSD1 framework which came into force in 2007.
The initial EU Directive was introduced in 2007 and the revised version, PSD2, was passed in 2015. The requirements for online payments have come into force in stages from 2019 to 2022 due to delays in the implementation.
Strong Customer Authentication (SCA) is an important part of PSD2 and comes into effect for online transactions with a value over €50. This requires merchants and payment service providers (PSPs) to work with payment technology suppliers and card associations to provide SCA that is effective and convenient.
The European online payments market has changed a lot since the first version of the directive was passed in 2007 — and PSD2 was introduced as a response to these developments. For example:
Card not present (CNP) fraud soared by 66% in 2011-2016, according to the European Central Bank (ECB), driving a 35% increase in overall fraud. Fraud of this type remains a significant concern as PSD2 is rolled out: online fraud is estimated to have cost UK retailers £262.3 million in 2020.
Increased adoption of APIs
The growing adoption of Application Programming Interfaces (APIs), which enable different systems to communicate and exchange data, has seen the emergence of new financial business models such as fintech firms. This is making banking and payment systems more open, but it also creates the potential for new forms of financial security breach.
Growth and innovation in digital payments has enabled the emergence of new types of fintech businesses that have not been subject to clear regulations. PSD2 provides standards governing the way these new companies operate and provides them with a structure to access customers’ accounts using APIs.
PSD2 has four main goals for the European payments market:
To meet those goals, the regulations introduce three key changes for merchants and payment service providers:
SCA has been referenced a couple of times now, so let’s discuss it in detail.
Strong Customer Authentication introduces extra layers of security to card not present transactions by default via the 3D Secure protocol. The protocol is based on a three-domain (3D) model, combining the financial authorisation process with online authentication across the acquirer domain (the merchant and its acquiring bank), the card issuer domain and the interoperability domain (the card association’s infrastructure).
SCA requires banks to confirm a consumer’s identity at the checkout of most purchases using two out of three forms of identification. These are:
The European Banking Authority (EBA) is strict about what is acceptable for each form. User data sent via 3D Secure 2 is not accepted as a compliant SCA factor in itself, but it is important for Transaction Risk Analysis (TRA) and for enabling exemptions.
SCA came into effect for e-commerce transactions from 1 January 2021 in most of the EEA, having already come into effect for other electronic transactions. In the UK, the Financial Conduct Authority (FCA) gave the payments industry additional time, ramping up from January 2022 ahead of enforcement from 14 March 2022.
PSD2 requires SCA for all online and contactless transactions initiated by the customer where both the card issuer and the acquiring bank are located within the EEA. SCA is not required if only one of them is within the EEA.
Recurring payments taken by direct debit are considered to be initiated by the merchant so SCA does not apply.
Most face-to-face payments in the EEA require SCA. Chip & PIN transactions already comply as they meet the possession and knowledge requirements for authentication. Customers making contactless payments may be required to enter their PIN after they make a certain number of transactions or make a purchase exceeding a certain value.
Customers may need to confirm their identity through two-factor authentication during checkout. 3D Secure aims to make the verification process convenient for customers so that they do not abandon the process, while reducing the chance that they will have to take additional steps to provide identification. The latest version of 3D Secure is designed for seamless use on mobile devices.
E-commerce payments to merchants outside the EEA or using cards issued outside the EEA do not come under SCA regulation, and other transactions may be exempt. Some banks and payment processors can help merchants to flag transactions that do not require SCA.
Banks and payment service providers are required by law to enforce PSD2. Online businesses that fail to meet the requirements risk losing transactions as non-authenticated payments will be rejected.
Failure to comply can result in severe penalties for payment service providers, as national regulators have the authority to impose hefty fines or even withdraw their licences. PSD2 does not specify standard fines and the size of fines can vary in different countries as they may be at different stages of implementing the regulations.
The following groups have a regulatory role:
There may be changes to regulatory oversight in time. For example, some countries outside Europe are considering introducing their own SCA requirements.
How can you ensure that your business authenticates payments in a way that complies with SCA?
While 3D Secure 2 is the most common method, there are other options that comply with SCA, including through payment initiation services such as those using Open Banking and mobile wallets like Apple Pay, Google Pay and Samsung Pay. Mobile wallets comply as they provide built-in authentication for a linked payment card, such as a password, PIN or biometric data.
Common European payment methods such as iDEAL, Bancontact and Multibanco are also compliant.
The following types of payments may be exempt from SCA, which can reduce customer attrition during the checkout process:
Payment service providers can request an exemption when they process a payment. The cardholder’s bank will then assess the transaction and either approve the exemption or request authentication.
Businesses should have a fallback process in place in case the card issuer rejects an exemption and the customer needs to provide details for authentication, especially if the customer is charged outside of an active checkout and they need to return to a website or app to complete the authentication.
When an exemption is used, fraud liability shifts to the payment provider. Payment providers with low fraud rates can exempt low-risk payments up to a ceiling of between €100 and €500, the ceiling depending on their fraud transaction rate. Payment providers therefore need to ensure they have robust fraud protection in place.
Payment service providers in the EEA must submit evidence of their fraud transaction rates to their national regulator every 90 days.
Online merchants with low fraud rates can sign an agreement with their payment service provider to take on exemption risk. This can give merchants with effective fraud protection systems an advantage when negotiating services and fees with payment providers.
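The scoping and exemption rules described above (both issuer and acquirer in the EEA, merchant-initiated payments out of scope, the €50 figure quoted in this guide, a PSP's TRA ceiling, the fallback to authentication when the issuer refuses an exemption, and the liability shift to the PSP or to a merchant that has taken on exemption risk) modelled as an added Python example. This is example code written for this page, not Merchant Savvy's or any PSP's implementation; the country list, the PSP's TRA ceiling and the merchant risk-agreement flag are constructed inputs.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, abbreviated set of EEA country codes for the example;
# a real implementation would carry the full EEA membership table.
EEA = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE", "NO", "IS", "LI"}
LOW_VALUE_LIMIT_EUR = 50.0  # figure quoted in this guide

@dataclass
class Transaction:
    amount_eur: float
    issuer_country: str        # country of the card issuer
    acquirer_country: str      # country of the merchant's acquiring bank
    customer_initiated: bool   # False for merchant-initiated, e.g. recurring direct debit
    psp_tra_ceiling_eur: Optional[float] = None     # TRA ceiling the PSP qualifies for (constructed input)
    merchant_assumes_exemption_risk: bool = False   # merchant has signed an exemption-risk agreement

@dataclass
class Outcome:
    scope: str                 # "out_of_scope", "exemption_requested" or "sca_required"
    exemption: Optional[str]   # "low_value", "tra" or None
    challenge: bool            # cardholder must complete 3D Secure authentication
    liability: Optional[str]   # who carries fraud liability for an exempted payment

def scope_transaction(tx: Transaction) -> Outcome:
    """Apply the guide's scoping rules before the issuer has answered."""
    # SCA applies only when both issuer and acquirer are inside the EEA.
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return Outcome("out_of_scope", None, False, None)
    # Merchant-initiated payments such as direct debits are not covered.
    if not tx.customer_initiated:
        return Outcome("out_of_scope", None, False, None)
    # An exemption shifts liability to the PSP unless the merchant took on that risk.
    liable = "merchant" if tx.merchant_assumes_exemption_risk else "psp"
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return Outcome("exemption_requested", "low_value", False, liable)
    if tx.psp_tra_ceiling_eur is not None and tx.amount_eur <= tx.psp_tra_ceiling_eur:
        return Outcome("exemption_requested", "tra", False, liable)
    return Outcome("sca_required", None, True, None)

def settle(tx: Transaction, issuer_grants_exemption: bool) -> Outcome:
    """Resolve the issuer's answer; a refused exemption falls back to a challenge."""
    out = scope_transaction(tx)
    if out.scope == "exemption_requested" and not issuer_grants_exemption:
        # Fallback path: the customer is stepped up to authenticate, so no
        # exemption is used and no liability shift to the PSP takes place.
        return Outcome("sca_required", None, True, None)
    return out
```

Running `settle` on a transaction whose issuer declines the exemption returns the challenge outcome, which is the case the fallback process above must handle when the customer is charged outside an active checkout.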
Retailers can use authentication enrichment to add extra merchant and fraud data to an Authentication Request or AReq (a message to the card issuer requesting a payment authentication). This data gives the issuer more information on which to grant an exemption or apply a frictionless authentication.
Without the data, the issuer may be more likely to apply 3D Secure to all transactions, including those that would be eligible for an exemption.
With most customer-initiated transactions coming under PSD2 requirements, the rate of card not present transactions that are declined is expected to increase. While 3D Secure 2 helps to provide seamless verification of cardholders’ details, authentication enrichment is a useful tool to provide issuers with enriched data and limit the number of declined payments.
If your business accepts card payments, it is crucial to ensure that your transaction processing complies with PSD2 regulations.
Merchant Savvy can help you ensure you’re using the right payment processor for your business needs while remaining PSD2 compliant. Contact us today to find out how.
Copyright © ALL RIGHTS RESERVED 2023
Merchant Savvy is a division of VUBO Ltd (Company Number 09017066).
Address: Spaces, 9 Greyfriars Rd, Reading, RG1 1NU.