PSD2: what does the new EU directive on payment services involve?

Consumer advocates and many politicians at European level are trying to make purchases and payments on the Internet more secure for buyers. Alongside banks, a number of other payment service providers now play an important role in e-commerce, because providers such as PayPal offer merchants and users practical solutions that simplify the payment process. The constant requirement is that convenience must not come at the expense of security.

The European Commission has set binding rules to protect consumers from having to deal with companies of dubious reputation. These rules have now been updated: what should online stores and users prepare for?

PSD2 directive: what is it?

The first version of the directive was adopted by the EU as early as 2007. The Payment Services Directive (PSD) was intended, and still is, to regulate payment transactions at European level by companies that are not traditional banks. The objective is to allow companies other than banks to offer payment services via the Internet, and thus to stimulate and at the same time regulate competition in this area of the financial sector.
The Payment Services Directives 1 and 2 pursue several objectives:
  • Open payment services to competition
  • Reduce costs for consumers
  • Regulate and strengthen financial technology start-ups (fintechs)
  • Ensure greater security when paying on the Internet

History of the payment services directives: from PSD1 to PSD2

With the first version of the payment services directive, the European Commission took an important step towards regulating cross-border payments. To standardize European payment transactions, the PSD provides a legal basis for providers in this area. Then as now, this refers explicitly to providers that do not come from the banking sector; the PSD thereby broke the monopoly of credit institutions on payment transactions.
However, not every company can act as a so-called payment institution. The Payment Services Directive established binding criteria that such providers must satisfy. Despite many clear rules, some uncertainties remained and room for interpretation was left open; some of these problems have existed since the directive was introduced.
With the PSD2, the EU is now trying to close these legislative gaps and to achieve even greater security for consumers. One way of doing this is through certificates and binding seals, which only recognized bodies may issue. Furthermore, companies must be authorized by the national financial supervisory authority.

Payment Services Directive 2 in detail

The second version of the payment services directive was decided in 2017. The PSD2 becomes binding in 2019 (the deadline is September 14th). One of the most important innovations, which some consider a real revolution, is that banks must now give other companies access to their customers' information, though of course only if the respective customer has given consent.
Banks will soon have to offer authorized providers an interface that lets them initiate bank transfers directly and also retrieve information on account balances and other financial details. But why is this so important, and why should companies be allowed to do it?
In the past, many consumers already used such services without universal and binding rules. In the fintech sector in particular, some companies offer useful software with which users can manage their assets. Savings apps, insurance comparison tools or stock trading apps all need information from the bank. Under the PSD2, banks are obliged to offer companies holding the appropriate certificates an interface through which these service providers can retrieve the necessary information and make payments or transfers.
Even with the PSD2, companies cannot access your sensitive financial data arbitrarily. In addition to official approval, the services need your explicit consent to receive data from your bank.
Service providers had access to bank account information before, but there was no uniform access: each country had different interfaces, and providers typically extracted the information directly from the bank's online banking website (screen scraping). This procedure is neither efficient nor reliable. With the PSD2, banks are obliged to provide an Access to Account (XS2A) interface through which providers gain access.
The PSD2 also provides for solutions that allow sensitive data to be transmitted through interfaces without risk to the consumer. Data security is to be guaranteed by two different means:
  • QWAC: with this certificate, the bank and the provider identify themselves to each other. The QWAC is also used to encrypt the transmitted data.
  • QSeal: the seal is attached to the data and is assigned to a company. This makes it possible to see later which companies accessed the bank account and transferred data through the interface. The seal also ensures that any changes to the data do not go unnoticed.
To apply for such licenses or seals, providers must obtain the approval of a national supervisory authority. The PSD2 provides for two different licenses:
  • Account information service: providers in this category want to receive information from the customer's bank account and use it. In this case only registration is required, not a license.
  • Payment initiation service: a company with this license can make payments or transfers on behalf of the customer.
Unlike in the past, national supervisory authorities now examine third-party providers closely before they are allowed to receive such information. The regulator examines the entire company structure, what internal controls are in place, how crises are managed and how the company is safeguarded against risks. This is a considerable hurdle for small start-ups, but it serves consumer protection.

What changes for customers and online store managers?

The new payment services directive mainly concerns banks and other service providers in the financial sector. Ordinary users notice only a small part of the changes, which happen in the background. And even for online merchants, the changes are few.

The PSD from the user's point of view

The second version of the PSD promises online buyers greater security when paying. Licensing of technical solutions, together with inspection by supervisory authorities, ensures more reliable protection of sensitive data. From the consumer's point of view, however, this will most likely simply translate into mandatory two-factor authentication. In future, customers must confirm a payment through a second method and identify themselves to the site. This can be done, for example, via an SMS containing a TAN (transaction authentication number); the customer then enters the received code during the payment process to complete it. Identification by fingerprint is also possible in principle.

With the introduction of two-factor authentication, the iTAN lists used for online banking, which have since become obsolete, are being eliminated. Here too, banks will in future rely on SMS, apps or dedicated TAN devices.

Customers can also count on lower prices, as online merchants are no longer allowed to charge additional fees for certain payment options (such as credit cards).
It can be assumed that with the PSD2 a much larger number of companies will become involved in the financial sector. One wonders whether big companies like Amazon or eBay will enter the sector. Such online marketplaces could then charge costs directly to the customer's account, rather than taking the detour via direct debit.

Online merchants and PSD2: what should you pay attention to?

Many aspects of the Payment Services Directive 2 concern technical implementation, so many online merchants wonder what needs to change in their systems. After all, payments made through an online store must now be secured by two-factor authentication.
This requirement derives from the Strong Customer Authentication (SCA) mandated by the PSD2. Customers must authorize a transfer of money using at least two factors: knowledge (e.g. password or PIN), possession (e.g. card or smartphone) or inherence (e.g. voice or fingerprint). This applies to all amounts over 30 euros. If several purchases in one day exceed a total value of 100 euros, 2FA is required even if the individual payments are each below the 30 euro threshold.
To process payments, online store operators usually work with a payment partner, and it is the partner who must implement the PSD2 requirements in its system. Credit card companies, for example, have developed a new version of 3D Secure. Merchants using such a partner only need to make sure their store applies the security procedure correctly.
The SCA requirements do not apply to direct debit. Direct debit is a pull payment, in which the seller requests the money from the bank. The secure procedure applies only to push payments, i.e. payments the customer initiates directly.
NB: Two-factor authentication must be implemented in online stores by September 14, 2019.
Other important news for online merchants: the so-called surcharge is no longer allowed. Previously it was common for merchants to add a surcharge to the purchase price, for example for credit card payments, because these involve additional costs for the merchant. Merchants are also not permitted to charge additional fees for payments via PayPal.
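As an added illustration (not code from the original article), the following Python models the SCA rules described above: the three factor categories, the requirement that the two factors come from different categories, the 30 and 100 euro thresholds, and the exclusion of direct debit as a pull payment. The thresholds and the daily-total rule are taken exactly as the article states them; in practice the customer's bank makes the final decision on whether SCA is applied, so a merchant-side check like this only predicts when a challenge should be expected.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the directive."""
    KNOWLEDGE = "knowledge"    # e.g. password or PIN
    POSSESSION = "possession"  # e.g. card or smartphone
    INHERENCE = "inherence"    # e.g. voice or fingerprint


# Thresholds as the article states them: SCA for amounts over 30 EUR, and
# for any further payment once the customer's purchases that day exceed 100 EUR.
SINGLE_LIMIT_EUR = Decimal("30")
DAILY_LIMIT_EUR = Decimal("100")


def is_strong_authentication(factors) -> bool:
    """True only if at least two *different* categories are used:
    a password plus a second password is not SCA."""
    return len(set(factors)) >= 2


@dataclass
class Payment:
    amount_eur: Decimal
    customer_initiated: bool = True  # False models a direct debit (pull payment)

    def __post_init__(self):
        # Accept "29.99", 25, Decimal(...) and normalise to Decimal for exact money arithmetic.
        self.amount_eur = Decimal(str(self.amount_eur))


def sca_required(payment: Payment, spent_today: Decimal = Decimal("0")) -> bool:
    """Decide whether SCA must be requested for this payment, given the
    customer's cumulative spending earlier the same day."""
    if not payment.customer_initiated:
        return False  # direct debit is a pull payment, outside the SCA requirement
    if payment.amount_eur > SINGLE_LIMIT_EUR:
        return True
    return spent_today + payment.amount_eur > DAILY_LIMIT_EUR


def plan_day(payments) -> list:
    """Apply sca_required to one customer's payments of a day, in order."""
    spent = Decimal("0")
    decisions = []
    for p in payments:
        decisions.append(sca_required(p, spent))
        if p.customer_initiated:
            spent += p.amount_eur  # pull payments do not count toward the daily total
    return decisions
```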
