The Payment Services Directive (PSD2) aims to harmonize the rules on payments within the European Union (EU), while taking into account the latest advances in technology. The legislation also introduces new security requirements.
With more and more users expecting to make payments instantly on their mobile devices and by contactless, the directive seeks to “boost innovation, competition, and efficiency”, according to the European Commission. At the same time, the legislation intends to “modernize payment services in Europe for the benefit of consumers and businesses alike and keep up with this rapidly changing market”.
PSD2 is the second version of the Payment Services Directive. The first version created the conditions allowing further integration of the internal market for payment services. However, legislators believed that it needed to go further, particularly in terms of security. The second version of the text was adopted on November 25, 2015, and entered into force throughout the EU on January 13, 2018. Some provisions, though, will only come into force in 2019.
“The EU payment services market remains fragmented and expensive, costing €130 billion, or over 1% of EU GDP, a year. The EU economy cannot afford these costs, if it wants to be globally competitive,” said MEP and rapporteur Antonio Tajani during the vote on the directive in 2015. “The new regulatory framework will reduce costs, improve the security of payments, and facilitate the emergence of new players and innovative new mobile and internet payment methods.”
Tackling emerging security threats
The main measures introduced by the PSD2 are:
- Banning surcharges, i.e. supplements when paying by credit or debit card, whether in-store or online
- Opening up the EU payment market to businesses offering payment services, giving them access to information on payment accounts
- Laying down strict security requirements for electronic payments and protecting consumers’ financial data to reduce fraud in e-commerce, by requiring strong authentication for online payments of more than €30, for example.
Strong authentication required from September 2019
The directive includes strict security rules to significantly reduce payment fraud and protect the confidentiality of users’ financial data, which is particularly important for online payments. Strong authentication, using two factors as a minimum, is part of a package coming into force from September 2019. Before the directive applied, this technique was merely recommended; it will now become obligatory. To protect consumers, PSD2 requires banks to implement multi-factor authentication to verify the user’s identity for all transactions made, whether in person or online, whatever the channel used. With the clear objective of strengthening data security, PSD2 also requires communications between the servers of different parties in the value chain to have back-end protection, in the form of electronic certification.
PSD2: another step toward a digital single market
“This legislation is another step toward a digital single market in the EU. It will promote the development of innovative online and mobile payments, which will benefit the economy and growth. With PSD2 becoming applicable, we are banning surcharges for consumer debit and credit card payments. This could save more than €550 million per year for EU consumers. Consumers will also be better protected when they make payments,” announced Valdis Dombrovskis, European Commissioner for Financial Stability, Financial Services and Capital Markets Union.