The new regulations aim to enhance payment security and transaction transparency. While the PSD2 contains various measures, some of them have a more significant impact on businesses.
For card-not-present transactions, the PSD2 enforces strong customer authentication (SCA), i.e. two-factor authentication. Thus, if businesses want their consumers’ banks to accept transactions, there should be an extra step, namely 3D Secure – a three-domain model for card fraud prevention.
However, there is one downside of the additional action during payments, such as SCA. It may cause a drop in sales. Many buyers don’t want to wait until the code is sent to their smartphones. So, that’s where they can switch to another merchant. But that rarely happens as 3DS is a commonly-used countermeasure when it comes to online shopping.
Exemptions for the SCA requirement include:
- trusted sellers – beneficiaries can be whitelisted by users and not subject to SCA;
- recurring transactions – subscriptions or regular billings will only need to be authenticated once;
- low-value transactions – payments under €30; in some cases, such as every sixth payment, although banks may still require SCA;
- low-risk pays – this includes cases when the provider has been deemed to have low fraud rates.
Payment initiation and account information service providers
Banks are obliged to provide access to payment accounts to third parties by API: payment initiation service providers (PISPs) and account information service providers (AISPs).
The critical points of PISPs are:
- third-party providers perform credit transfers through their IT infrastructure/applications;
- the rules apply to payment accounts which are accessible online;
- contractual relations between PISPs and payment institutions cannot contradict the PSD2;
- a payer must give explicit consent for the payment to be executed.
Prior to the PSD2, the infrastructure of accounts servicing payment services providers (ASPSP), and the access to a payer account was limited to online banking websites/apps, branches and terminals. Now, the updated technical standards help businesses develop, broaden or redesign their existing offerings by opening up these services to third parties.
Account information aggregation through AISPs poses certain risks:
- perceived IT security flaws;
- possibilities of fraud;
- liabilities related to unauthorised transactions.
Therefore, the rules must be matched with regulatory and market solutions – such as payments account directives (PAD), interchange fee regulation (IFR), anti-money laundering directives along with real-time payment, blockchain, etc.
Additions to the registration requirements
Organisations that provide payment transaction services will have to obtain licenses and become EBA-authorised (European Banking Authority) institutions. The authorisation is granted by competent authorities varying from country to country.
The requirement to register covers the following natural or legal persons:
- payment institutions;
- agents acting on behalf of payment institutions;
- branches of payment institutions in the Member States;
- electronic money institutions;
- account information services.