September 14, 2019 is the deadline by which all payment service providers within the European Union must comply with PSD2’s Regulatory Technical Standard (RTS) pertaining to the requirements of the revised Payment Services Directive (PSD2). In this post, we cover some of the main issues related to PSD2’s purpose, how to determine whether it applies to you, and key requirements for compliance and security.
The goal of the revised Payment Services Directive is to support innovation and competition in retail payments while enhancing the security of payment transactions and the protection of consumer data.
Many companies outsource all payment services to third-party companies like Stripe, Inc. If your company is one of these, you are responsible for making sure that the third party is compliant with PSD2. Most third-party companies will offer updates to ensure that they are aligned with this regulatory technical standard. With online payment service providers offering updates, however, companies like yours may be unclear as to whether they should pay the associated costs and update their third-party service provider application. So before jumping the gun and possibly having to pay a third-party service provider so you can utilize their updates, be sure that your payment service provider is within scope of the directive, or you could end up interrupting services and updating to unnecessary features.
Applicability of PSD2
The directive only applies to payment services in the European Union and European Economic Area. Thus, if neither your organization nor your third-party payment service provider is based in the EU or EEA, you are exempt, and there is no need for you to update services to comply. However, if you are a payment service provider located in the EU or EEA or your payment service provider is based in the EU or EEA, you must comply by September 14, 2019.
Strong Customer Authentication (SCA)
Payment service providers are required to have Strong Customer Authentication for the initiation and processing of online payments. SCA ensures that electronic payments are made using multi-factor authentication (MFA) to increase security. Strong Customer Authentication requires two or more of the following:
- Knowledge (something only the user knows, e.g., a password or a PIN)
- Possession (something only the user possesses, e.g., a payment card or an authentication code generating device)
- Inherence (something the user is, e.g., voice recognition, finger print, etc.)
For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimizing risks in case of mistakes or fraudulent attacks.
Exemptions From Strong Customer Authentication
If your company is within the scope of PSD2, it’s important to note that the directive exempts specific low-risk payments from Strong Customer Authentication. Exemptions for online businesses include but are not limited to:
- Low-risk transactions (where the online payment provider’s fraud rate is below a certain threshold)
- Low value payments (i.e., below 30 euros)
- Fixed amount subscriptions (i.e., where the customer makes a series of recurring payments for the same amount to the same business). The directive will apply to the first payment; however, subsequent payments may be exempt from SCA.
- Mail order and telephone orders
- Situations where the merchant applies recurring payments agreed to ahead of time between the provider and the payer. SCA would not be required in this example in order for that transaction to complete because it is not customer initiated. It is merchant initiated and the customer is not present.
Third-party providers will automatically apply the appropriate exemption based on the transaction, which is a great feature to utilize and update to if you are outsourcing these payment services.