PSD2 Compliance: Learn What the Requirements Are
PSD2 stands for "Payment Services Directive 2" and is a directive set forth by the European Union (EU).
The first Payment Services Directive (PSD) was created back in 2007. This was the EU's effort to create a unified payment market for the EU nations.
However, as technology advanced by leaps and bounds, the EU acknowledged in 2013 that PSD needed to be updated to keep up with the times.
What Is PSD2?
Payment Services Directive 2 (PSD2) is the updated version of PSD. While the EU agreed in 2013 that PSD needed updating, it wasn't until early 2016 that the directive was put into motion. In January 2018, the EU approved the Directive, and it officially went live on December 31, 2020.
In general, it is a regulation that aims to protect consumers by making payments safer and more secure. It is also intended to make the European payment market more unified and efficient. The regulation requires issuers and merchants to implement Strong Customer Authentication (SCA) to keep customers secure while making and receiving payments.
SCA and PSD2 Requirements
In order for consumers to feel safer and more secure about the financial institutions they interact with (more specifically, payment service providers, or PSPs), PSD2 outlines several key requirements that these entities must follow.
The compliance requirements include:
- Strong Customer Authentication (SCA)
- Open application programming interfaces (APIs) for third-party access
- More transparency
- Quick resolution of consumer complaints
- Fewer surcharges
PSD2 Regulation Explained
Essentially, the regulation scrutinizes those that can access or collect electronic payment data. The requirements are there to protect consumers by upgrading security and speeding up the processing of complaints.
The main elements of the directive are:
Strong Customer Authentication (SCA), as part of the PSD2 regulation, is required of merchants and issuers on either end of a transaction within the European Economic Area (EEA). The authentication process for a payment must go beyond the usual, where only the information printed on the card (name, expiry date, CVV) is required. SCA demands stronger authentication, and that is where multi-factor authentication (MFA) comes into play.
Multi-Factor Authentication (MFA) adds more layers of security by requiring users to go through multiple steps to verify that they are indeed the rightful owners of their accounts. For example, users may have to provide a PIN, email verification, biometrics or behavioral data to access their accounts.
SCA requires PSPs to have users present two out of the following three factors of authentication to log in successfully:
- Knowledge (something the user knows; e.g. a username and password)
- Inherence (something that is part of the user; e.g. their fingerprints)
- Possession (something the user has or can send from; e.g. a code generator)
All of this is done through APIs, which are authenticated with PSD2-compliant certificates over Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS). All data is encrypted in transit to ensure transactions are carried out safely.
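The two-of-three rule above is easy to get wrong in an implementation: two authenticators from the same category (a password plus a PIN, both knowledge) do not satisfy SCA. The following is an added illustration, not code from the article or from any PSP; the authenticator names and their category mapping are assumed for the example.

```python
# Added example (not from the article): a minimal SCA factor-category check.
# Each authenticator the user presented is mapped to one of the three PSD2
# categories; SCA is satisfied only when at least two DISTINCT categories
# are present, so password + PIN (both knowledge) must fail.
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the user knows
    INHERENCE = "inherence"    # something the user is
    POSSESSION = "possession"  # something the user has


# Assumed mapping of authenticator types to categories. The names are
# illustrative placeholders, not taken from the directive or any product.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "fingerprint": Factor.INHERENCE,
    "face_scan": Factor.INHERENCE,
    "hardware_token_otp": Factor.POSSESSION,
    "device_bound_key": Factor.POSSESSION,
}


def factors_present(authenticators):
    """Return the set of distinct factor categories covered by the
    authenticators presented. Unknown types are rejected, not ignored,
    so a misconfigured client cannot slip through as a 'factor'."""
    categories = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator type: {name!r}")
        categories.add(AUTHENTICATOR_FACTOR[name])
    return categories


def satisfies_sca(authenticators):
    """True when the presented authenticators span at least two of the
    three categories; duplicates within one category do not count."""
    return len(factors_present(authenticators)) >= 2


if __name__ == "__main__":
    print(satisfies_sca(["password", "hardware_token_otp"]))  # True
    print(satisfies_sca(["password", "pin"]))                 # False
```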
Open APIs for Third-Party Access
PSD2-compliant banks and other PSPs must use open APIs. This facilitates open banking and more competition between PSPs, which drives innovation and better service for consumers.
These open APIs enable account information service providers (AISPs) to access consumer data, provided the consumer gives consent. This paves the way for increased business intelligence, which again results in better, more tailored services for consumers. It also eliminates middlemen from transactions and makes them quicker.
Another side benefit of open APIs is that they encourage innovation. Third parties will be motivated to use these APIs to create solutions that address consumer pain points.
More Transparency
Before this regulation, many PSPs had unclear terms and conditions, including for currency conversion. This made it difficult for consumers to truly understand what they were agreeing to.
PSD2 shines a light on this problem and forces entities to be clear and open about their operations. That way, users know exactly what they're signing up for.
Quick Resolution of Consumer Complaints
Many consumers get frustrated with PSPs that receive their complaints but seemingly do nothing for extended periods of time. Having money tied up can be stressful, and PSD2 aims to make entities more accountable by requiring that they handle these complaints quickly.
Not only that, but PSD2 also gives a clear set of directions for how to report issues to both customers and EU regulatory bodies. In the case where there has been a crime, PSD2 shows how to report issues to law enforcement as well.
Fewer Surcharges
Far too often, PSPs tack on multiple surcharges to offset their overhead. PSD2 puts a stop to many unnecessary surcharges, such as those for credit card payments in several industries (such as food and travel).
These surcharge bans are for both B2C and B2B PSD2 payments.
Many entities outside of the EU mistakenly believe that because they are not located in an EU country, they do not need to comply with the regulation. In fact, the directive's reach extends further than that.
For one, even though the UK is no longer part of the EU, PSD2 does apply to some entities there. Do note, however, that the UK did not sign on to all provisions, nor does it comply with the transparency regulations.
Any PSP that deals in transactions that involve banks from the EU or European Economic Area (EEA) must comply with PSD2. This includes both payments sent and received.
Is PSD2 applicable in the US?
This regulation was supposed to go into effect on September 14th, 2019. However, it was pushed back by the European Banking Association (EBA) to December 31, 2020.
Since any mobile app sending payments to or accepting payments from the EU should be compliant, it is important to keep track of the PSD2 requirements and regulations, and to choose fraud solutions that comply with them as well.