Payment Service Directive PSD2
Payment Service Directive PSD2 regulates electronic credit card processing services in Europe. The regulation was enacted to increase innovation and ultimately enhance the security of payments in Europe.
PSD2 is strong evidence that APIs (application programming interfaces) are extremely important in the world of financial services.
As a merchant, it’s important to understand PSD2 and what it means for your business. This will help you remain compliant, make credit card processing acceptance more secure, and protect your customers.
With lots of confusion and misinformation surrounding PSD2, we decided to create an in-depth guide to provide some clarity. Let’s dive in.
What is Payment Service Directive PSD2?
The initial Payment Service Providers Directive (PSD) started back in 2007. This directive sought to promote innovation, competition, and efficiency of a single payment market throughout the European Union.
Fast-forward to 2013—the European Commission decided to enhance the PSD objectives with an amendment to the directive (adding the “2” to PSD to get PSD2).
The new PSD2 directive was supposed to go into effect in September of 2019. But the European Banking Authority (EBA) added some exemptions and pushed the deadline to December 31, 2020. The Financial Conduct Authority in the United Kingdom set the PSD2 deadline for September 14, 2021.
PSD2 vs. PSD: What Are The Biggest Changes?
The revised directive, PSD2, is designed to align credit card processing regulations with new technology and markets. It sets out security requirements for initiating and processing electronic payments in order to protect sensitive consumer financial data.
PSD2 also adds some regulation to third-party providers in the way they provide credit card processing services and access aggregate accounts.
In simple terms, payment technology and the fintech market have drastically changed since PSD was initially introduced back in 2007.
Payment Initiation Services (PIS) and Account Information Services (AIS) both existed when PSD first went into effect in 2007. But today, these two services are far more popular, prompting greater regulation.
A crucial component of AIS is the collection and storage of different consumer bank accounts in a single location. This allows people to have a total view of their financials, making it much easier to analyze their big-picture financial situation.
PIS allows other service providers to facilitate online banking for online payments. With PIS services, payments can be initiated from a consumer account to a merchant account through an interface that bridges the two together. PSD2 lets clients make payments to third parties from a bank app from any client account, whether they’re part of the entity or not.
In short, PSD2 aims to encourage more competition, greater transparency, and robust innovation for payment services, especially in the ecommerce space. The directive helps facilitate consumer access to their own banking data and encourages banks to securely exchange consumer data with third parties for payment processing.
PSD2 and Open Banking
Another simple way to describe PSD2 is open banking. In a nutshell, the directive mandates banks provide open API access to fintechs.
Moving to open banking eliminates barriers between competitors, because banks must make account details and transaction information available to third parties through APIs. This connects banks, fintechs, and retailers.
Any third-party provider aiming to aggregate account data or initiate payment services can’t be blocked by the bank, creating an “open banking” system.
This initiative helps build common ground between traditional banks and newer players in the world of banking and payment services. It facilitates improved interoperability and enhanced collaboration between all parties.
At the end of the day, all of this is supposed to create a seamless and consistent user experience across the board—with security as a top priority as well.
PSD2 Core Principles, Security, and Regulation
Security is a top-of-mind concern for the PSD2 mandate. Some of the core principles include Transaction Risk Analysis (TRA), Risk Management, and Strong Customer Authentication (SCA).
In efforts to protect consumers and their data, the PSD2 directive requires banks to implement multi-factor authentication for all remote transactions and proximity transactions performed on all channels.
Two of the following three elements must be included in this authentication process:
Knowledge — Something only the consumer knows (like passwords, PINs, codes, etc.)
Possession — Something only the consumer has (like a physical card, token, mobile handset, etc.)
Inherence — Something the consumer is (like biometric characteristics, fingerprints, facial recognition, etc.)
It’s important that all of these factors are mutually independent—meaning if one is breached, the others won’t be compromised.
Banks are also tasked with finding a balance between the user experience and security practices. To ensure simplicity for consumers using digital banking, there are certain factors and exceptions where PSPs (payment service providers) don’t need to require strong customer authentication. These exceptions typically include low-value transactions, repeat transactions, and other similar instances.
PSD2 Compliance
What does PSD2 compliance mean if you’re a retailer, business owner, run an ecommerce website, or otherwise operate a business that accepts credit cards?
In short, there’s not a ton you need to worry about here. PSD2 compliance is largely for banks and financial institutions.
While PSD2 is only enforced in the EEA (European Economic Area), it can still have an impact on businesses operating in the United States. The Strong Customer Authentication aspect of PSD2 applies to any merchant doing business in the EEA. So if your ecommerce website sells goods or services to consumers in the EU, you might need to adjust to remain compliant with the SCA mandate.
Final Thoughts
At the end of the day, PSD2 is a consumer-centric directive. It’s designed to improve the end-user experience for people as they make payments and complete banking tasks.
The open-banking APIs allow financial institutions to compete with larger banks without such extreme barriers—ultimately making things easier for consumers as well.