What is PSD2 regulation and what is the impact?
If you operate within the EU or EEA you will have noticed the number of regulations that you, as a merchant, are obliged to follow. To bring some order to the situation, today Maxpay‘s team looks at PSD2: what compliance involves, what it changes for online payments, and its main impacts on the eCommerce industry.
What is the PSD2
PSD2 stands for the Second Payment Services Directive, a legal regulation that strongly affects financial institutions with access to a customer's payment data.
The Second Payment Services Directive was established in 2018 by the European Commission (Directorate General Internal Market) with the goal of regulating payment services and payment service providers within the European Union and the European Economic Area. The regulation applies to payments within the EU and EEA, but not to transactions to or from other countries.
We also recommend reading about another far-reaching EU regulation that applies not only to merchants operating within the EU and EEA but to every merchant that handles the cardholder data of EU citizens: “GDPR: what need to know for eCommerce businesses”.
PSD2 countries: full list
The countries that are obliged to comply with the Second Payment Services Directive are the countries of the European Union and European Economic Area, Monaco, and the UK.
The full list of the PSD2 countries: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Monaco, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, the UK.
Objectives of PSD2
PSD2 compliance is mandatory for financial institutions such as payment service providers, banks, and others that offer payment services, so a merchant working in the EU or EEA must choose its payment provider carefully.
There are several reasons why the Second Payment Services Directive was created and made mandatory for all the institutions it applies to:
- Establishing technical regulations for strong customer authentication;
- Establishing common and secure open standards of communication;
- Offering higher protection from fraudulent actions in the field of online payments;
- Protecting cross-border European payment services and making them safer;
- Promoting both the development and utilization of innovative online payments and mobile payments.
Besides that, we advise you to read about one more set of requirements: “PCI DSS compliance frequently asked questions”.
Open banking is one of the new measures introduced by PSD2. It involves every banking institution and is reshaping the whole industry. Previously, only banks could access a customer's banking data, transaction information, and other financial data held by banks and non-bank financial institutions.
With open banking, a customer can give applications and third-party tools direct access to their banking information. This can be used in various payment services such as financial planning, account management, automated payments, and others.
Strong customer authentication
Strong customer authentication, or SCA, obliges a merchant to support the card issuer's two-factor authentication at the time of a transaction. The new system requires a transaction to be authenticated with at least two of the following three factors:
- Something the customer knows. This is information only the customer knows, for example a password, PIN code, or the answer to a security question.
- Something the customer has. This is a device that can provide identity verification, for example a phone or smartphone, a laptop, or a hardware token.
- Something the customer is. This is biometric data captured by the device, for example a fingerprint, face recognition, or an iris scan.
Strong customer authentication applies when both the merchant and the issuer are located in the European Union or the European Economic Area.
Let’s look at the cases in which SCA is not applied, or is applied only partially.
- Trusted beneficiary exemption. Customers can create a special list containing the IBAN data of all the merchants they trust and forward it to their issuing bank. The main goal is a seamless customer experience: the customer can trigger inclusion in the Trusted Beneficiary List when registering, or during a first transaction that would otherwise require SCA. However, every bank still has the option to decide whether it grants beneficiary status, so the process is unclear at the moment.
- Low-value transactions. A low-value transaction is a payment whose total is less than 30 euros. Note that SCA starts applying once more than five low-value transactions have been performed in a row.
- Recurring payments. Any merchant that offers a service or a set of products paid for under a subscription model must apply Strong customer authentication during the first transaction. Subsequent recurring payments do not need SCA. If the subscription payments are for varying amounts, Strong customer authentication can be applied again unless another exemption applies.
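To make the two-factor rule and the three exemptions above concrete, here is a small decision helper added for this article (not Maxpay's code, and not a complete implementation of the PSD2 regulatory technical standards). It encodes only the rules the text states: two distinct factor categories, the trusted beneficiary list, the 30-euro low-value limit with its five-in-a-row cut-off, and the first-versus-subsequent subscription payment rule; the `Txn` record, the field names and the sample IBAN are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "something the customer knows"    # password, PIN, security question
    POSSESSION = "something the customer has"     # phone, laptop, hardware token
    INHERENCE = "something the customer is"       # fingerprint, face, iris

LOW_VALUE_LIMIT_EUR = 30.0      # a low-value payment is below 30 euros
LOW_VALUE_STREAK_LIMIT = 5      # SCA applies after more than five low-value payments in a row

def factors_satisfy_sca(factors):
    """SCA needs two *distinct* categories: a password plus a PIN is still one factor."""
    return len(set(factors)) >= 2

@dataclass
class Txn:                       # assumed shape of a transaction record for this example
    amount_eur: float
    merchant_iban: str
    recurring: bool = False          # belongs to a subscription
    first_in_series: bool = False    # first payment of that subscription
    fixed_amount: bool = True        # subscription charges the same amount each time

def sca_required(txn, trusted_ibans, prior_low_value_streak):
    """Return (needs_sca, reason). prior_low_value_streak counts the consecutive
    low-value payments already made without SCA before this one."""
    # Trusted beneficiary: the merchant's IBAN is on the list the customer filed with the issuer
    if txn.merchant_iban in trusted_ibans:
        return False, "trusted beneficiary exemption"
    # Recurring payments: SCA on the first charge only, as long as the amount stays fixed
    if txn.recurring:
        if txn.first_in_series:
            return True, "first payment of a subscription"
        if txn.fixed_amount:
            return False, "recurring payment exemption"
        return True, "recurring payment with a different amount"
    # Low value: under 30 EUR, unless this would be the sixth low-value payment in a row
    if txn.amount_eur < LOW_VALUE_LIMIT_EUR:
        if prior_low_value_streak >= LOW_VALUE_STREAK_LIMIT:
            return True, "low-value streak exceeded"
        return False, "low-value exemption"
    return True, "no exemption applies"

if __name__ == "__main__":
    sample_iban = "XX00-CONSTRUCTED-IBAN"   # constructed placeholder, not a real account
    print(sca_required(Txn(12.0, sample_iban), set(), prior_low_value_streak=0))
    print(sca_required(Txn(12.0, sample_iban), set(), prior_low_value_streak=5))
    print(sca_required(Txn(9.99, sample_iban, recurring=True), set(), 0))
```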
Common and secure communication
In PSD2 compliance, common and secure communication, or CSC, refers to the certificates required for website authentication and to the electronic seals used for communication between financial services parties. Dedicated technical specifications define how these are to be implemented.
Impacts of PSD2 on marketplace businesses and eCommerce
All marketplaces within the European Union and the European Economic Area are directly affected by the PSD2 regulations. The merchant enters into an agreement with a payment provider, which must be PSD2 compliant. To comply with the Second Payment Services Directive, issuing banks must refuse non-compliant payments and transactions, so to avoid having transactions refused by issuing banks, a merchant must make sure that all of its transactions comply with PSD2.
The Second Payment Services Directive is encouraging the European financial industry to unite by establishing a single payment space across the European Union and the European Economic Area. The main motivation behind the movement was the opportunity to introduce open banking regulation in the EEA.
Open banking is based on the idea of innovating the financial sector by merging the traditional banking system with fintech startups and other innovative technologies. It implements the most recent data privacy standards while contributing heavily to open-source technology, and it opens up API access for integration with third-party applications and servers at the customer's request.
Maxpay is a payment gateway service provider that also offers merchant services for a variety of businesses. We help companies open merchant accounts, provide payment gateways, protect merchants from fraud with the AI-powered anti-fraud platform Covery, and monitor chargebacks. Maxpay is also PSD2, GDPR, and PCI DSS compliant. To find out more, contact the sales department.