On September 14, 2019, the new security standards established by the PSD2, the second Payment Services Directive, will come into force. This will replace the PSD1, which has itself been in force for ten years. Version two will encourage us to change our habits and improve security for consumers, banks, and service providers alike.
First milestone with PSD1
The first version of the Payment Services Directive (PSD1) was designed by the European Union to regulate payment services. The provisions apply to all Member States of the EU, as well as the European Economic Area (EEA), and entered into force in December 2009. The aim of the legislation was to encourage competition between banks and service providers in Europe, so they could offer the very best services and therefore protect consumers.
What PSD1 introduced
- improved the security of online payments and transactions, limiting the risk of fraud (including identity theft);
- introduced and regulated the formal status of Payment Service Provider (PSP), such that companies other than banks, central banks, and government agencies now have the right to conduct financial transactions;
- laid down the transparency required from banks and PSPs over their services, lead times, and fees;
- sped up the creation of the Single Euro Payments Area (SEPA), making bank transfers and direct debits in the EU and EEA easier and less expensive.
PSD1 becomes outdated
Over the ten years that the PSD1 was in force, the regulations became outdated, as new intermediaries emerged, such as fintechs, which started to offer innovative services and payment means as well as lower prices, taking advantage of mobile and web applications. Now, electronic transactions are becoming more and more widespread, resulting in growing uncertainty regarding the security of payments and other online operations (with identity theft being the top concern).
Security at the heart of the new version
Data security and confidentiality have become the main concern for everyone, in both B2B and B2C transactions. According to the standards laid down by the PSD1, a low level of authentication was acceptable. But with more and more new means of payment, new stakeholders, and new products and services coming to the market, the potential for fraud and loss of transparency are on the rise.
Unfortunately, the PSD1 does not impose any requirement regarding the level of verification of an identity during a payment or a transfer. A simple password or a secret question are enough to comply with the regulations. But that isn’t enough anymore.
Now, if users, banks, and service providers want to ensure privacy and security for their transactions, they need to go through strong authentication. A digital identity needs to be verified at least twice in order to authorize a transaction, thus maintaining mutual confidence. And out of that, the PSD2 was born.
Strong authentication under PSD2
Whether it’s a purchase, an administrative procedure, or a data exchange, there needs to be a guarantee that the party at the other end of the transaction is the individual or company that they say they are. That is why strong authentication will become mandatory from September 2019.
Strong authentication is also called multi-factor authentication, and there is nothing more secure than that today. Users will now have to prove their online identity through a minimum of two factors, not just one as under the PSD1. At least two of the following three pieces of evidence are required:
- something only the user knows (their password, answer to a secret question, etc.)
- something only the user possesses (an electronic device such as a smartphone, computer, USB key, smart card, magnetic card, or electronic certificate)
- something the user is (using their physical or behavioral biometrics by identifying a trait that is unique to each individual, such as through a fingerprint or retinal scan, or voice or facial recognition).
There are other authentication factors under development, such as geolocation and behavioral profiling, but these are not yet used widely enough.
Exemptions granted under PSD2
However, the PSD2 does allow an exemption to strong authentication, depending on the level of risk, the amount to be paid, or the frequency of the payment. Specifically, this covers low-risk or low-amount transactions (under €30), payments by company card, subscriptions and recurring payments, MOTO transactions, white lists, and interregional transactions.
A new dynamic in secure communications
With the PSD1, strong authentication was optional. By making it mandatory, the PSD2 is ensuring that payment systems are fit for the future.
On the consumer’s side
For consumers, the second version of the PSD:
- bans additional charges,e. surcharges on payments by bank card for online purchases as well as in-store;
- helps to restore consumer confidence in purchasing goods and services online, as with more and more people using instant, mobile, and contactless payment, PSD2 helps us to fight against fraud more effectively and confirm the user’s identity regardless of the type of the transaction (locally or remotely) and the means used.
According to Vice-President of the Commission in charge of Financial Stability, Financial Services, and Capital Markets Union, Valdis Dombrovskis, “This could save more than €550 million per year for EU consumers.”
Consequences for banks and service providers
As for banks and new fintech players, the PSD2:
- continues to promote further innovation;
- strengthens competition with new service providers (including the famous fintechs) more so than the PSD1 did;
- requires banks and payment service providers to share their transaction data. If customers want to move their accounts to new financial operators, this must be made easier. The PSD2 therefore promotes fair competition better than the PSD1 did, in a market that is constantly evolving.
Taking new services into account
Needs and technologies have evolved considerably since the PSD1 was drafted. The new rules under version two of the directive, including making data exchanges easier, regulate two new types of payment services:
- Payment Initiation Service Providers (PISPs): new players that can now initiate payments on behalf of the user. This means that, instead of issuing the payment order to their bank, users can go through the PISP, which will send the request to the bank itself.
- Account Information Service Providers (AISPs): players that provide users with consolidated information on their payment accounts. Users can view balances and transactions of one or several accounts from different banks through a single interface (application, web portal, etc.).
Supporting new infrastructure
To make this all work, banks and PSPs are required to install new infrastructure, which marks a major change since the days of the PSD1. To comply with this, banks and fintechs must:
Communicate via APIs
Application Program Interfaces (APIs) provide a secure communication channel. Banks and fintechs must therefore adapt their computer structures accordingly. APIs allow payment service providers to access consumers’ banking details and/or authorize transactions.
Obtain the appropriate electronic certificates
Electronic certificates allow data to be sent and received securely between the bank’s servers and those of the PSP (or the information aggregators). Two types of certificates are required by the PSD2:
- eIDAS QWAC (Qualified Website Authentication Certificate), which enables the PSP’s and the bank’s servers to authenticate each other
- eIDAS QSEAL (Qualified Electronic Seal Certificate), which enables the PSP’s and the bank’s servers to secure the contents of a transaction.
These certificates also ensure communications are traceable.
The eIDAS label is the best guarantee of quality and security for electronic identification, trust services, and sending and receiving digital documents. Only services providers approved in Europe, or Qualified Trust Service Providers (QTSPs), can issue QWAC and QSEAL certificates.
The PSD2 strengthens the principles laid down by its predecessor, the PSD1. Sending and receiving information between consumers, banks, and PSPs is made even easier, while security has been made even tougher. With certificates required by the PSD2 and issued by Trusted Third Parties, you can preserve your business’s digital identity and ensure your reputation remains intact.