What is PSD2?
The Second Payment Services Directive, otherwise known as PSD2, is an EU Regulation. It aims to harmonise the operations of payment services in the European Economic Area (EEA).
In this article, we’ll demystify PSD2 and explain how its requirements are relevant for your business, and what actions you should take next.
PSD2 has been designed to increase competition by creating a level playing field for both banks and non-banks. It removes the monopoly banks have on the use of customer data, allowing other businesses to use that data as well, with the customer’s permission. For example, when shopping online, an e-commerce provider can retrieve a customer’s bank account data and take their payment without having to redirect them to another service, such as PayPal. This creates a faster and more streamlined payment experience for the customer.
It builds on the original Payment Services Directive (PSD), introduced in 2005. The new iteration brings important changes for businesses that take payments from customers in the EEA.
PSD2 has been in force since 12 January 2016. EU countries had until 13 January 2018 to incorporate it into national law.
What is the difference between Open Banking and PSD2?
Open Banking was introduced by the Competition and Markets Authority, as a result of the requirements of the wider PSD2 legislation. Open Banking aims to increase competition, specifically in the UK market, by allowing non-bank Payment Service Providers (PSPs) to access customer transactional data, with their consent.
The difference between Open Banking and PSD2 lies in how the banks open up their data to third parties. PSD2 simply requires them to do so, while Open Banking specifies a standard format for the process. An example of Open Banking is a money management dashboard that combines multiple bank accounts for an overall picture of a person’s financial health. Open Banking is also useful for lending, where customers can provide their financial information online in order to be approved for a loan more quickly.
Open Banking also improves the online payments process, allowing customers to make payments directly from their bank account, with the bank authenticating the transaction itself.
PSD2 and Strong Customer Authentication
Under PSD2, online payments will require more stringent customer authentication, for numerous kinds of transactions including high-value and recurring payments.
This is known as Strong Customer Authentication (SCA), and it is designed to enhance customer protection.
SCA, which came into force on 14 September 2019, is an essential feature for any merchant that accepts customer payments online from within the EEA.
SCA is designed to keep customers safe online in this new era of increased openness. Previously, it was common for customers paying online to identify themselves with a username and password. But this was a cumbersome method, with users often forgetting their information.
SCA now requires customers to identify themselves with two out of three categories:
Something they know (e.g. password, PIN, mother’s maiden name)
Something they possess (e.g. a registered device used for two-factor authentication, a secure key)
Something they are (e.g. fingerprint or retina scan)
Previously, only the first of these categories was required, typically a password.
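The two-out-of-three rule is easy to get wrong in practice: two factors from the same category (a password plus a PIN, say) do not satisfy SCA. The check below is an added example, not GoCardless code; the evidence-type names and the payment-method scope table are constructed for illustration.

```python
from enum import Enum


class Category(Enum):
    """The three SCA factor categories described above."""
    KNOWLEDGE = "something they know"
    POSSESSION = "something they possess"
    INHERENCE = "something they are"


# Constructed mapping from the evidence a checkout might collect to its SCA category.
EVIDENCE_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "otp_on_registered_device": Category.POSSESSION,
    "hardware_key": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_scan": Category.INHERENCE,
}

# Constructed scope table: card payments need SCA, paperless Direct Debit is out of scope.
SCA_IN_SCOPE = {"credit_card": True, "debit_card": True, "direct_debit": False}


def categories_covered(evidence):
    """Return the set of distinct SCA categories the presented evidence covers."""
    covered = set()
    for item in evidence:
        if item not in EVIDENCE_CATEGORY:
            raise ValueError(f"unknown evidence type: {item}")
        covered.add(EVIDENCE_CATEGORY[item])
    return covered


def satisfies_sca(evidence):
    """SCA is met only when at least two *different* categories are present."""
    return len(categories_covered(evidence)) >= 2


def sca_decision(payment_method, evidence):
    """Decide whether a payment can proceed without a further SCA challenge."""
    if payment_method not in SCA_IN_SCOPE:
        raise ValueError(f"unknown payment method: {payment_method}")
    if not SCA_IN_SCOPE[payment_method]:
        return "sca_not_required"
    return "sca_satisfied" if satisfies_sca(evidence) else "challenge_required"
```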
What does PSD2 mean for customers?
PSD2 was designed to improve the customer payment experience, so it should have positive implications for those who make transactions online. For customers, PSD2 brings more confidence in staying safe online, while also benefiting from the ease of a more streamlined transaction process.
The impact of PSD2 for businesses
The main impact of PSD2 regulations will involve the mandatory use of SCA. This is absolutely vital if your customers pay online by credit or debit card.
Though the ‘responsibility’ to implement SCA lies with your payment service provider, you need to be aware of how SCA is likely to impact your business:
Risk of drop off: In theory, SCA aims to strengthen customer confidence in online shopping by cutting fraud. As a business, you’ll need to balance this new layer of customer security with ensuring their buying experience is as streamlined as possible. Getting the buying process right while maintaining PSD2 and SCA compliance is not always easy. Anything less than a smooth buying experience risks frustrating your customer and leading them to abandon purchases.
Shifts in chargeback liability: This shift is likely to benefit you as the merchant, especially if you use 3DS2 to meet SCA requirements. The card issuers have agreed to take on chargeback liability as an added incentive for merchants to use 3DS2. You can read more about this in our guide to 3DS2.
Added resource burden: Making changes to your payments process to accommodate SCA regulations can be burdensome for your business, as you’ll need to set aside time, money and expertise to make sure it’s done correctly.
For more information on using SCA, we’ve produced a detailed guide.
If you take recurring payments from your customers, using Direct Debit (sometimes referred to as bank debit) can help you avoid these issues. A paperless Direct Debit service, which GoCardless offers, is not within the scope of SCA. GoCardless is already fully compliant with all aspects of PSD2, so your business can process recurring payments without worrying about being in breach of the new regulations.