PSD2: What does the Payment Services Directive mean for you?

Consumer advocates and many EU politicians are trying to make buying and paying on the internet safer for buyers. In addition to banks, a number of other payment service providers now play a major role in e-business, since providers like PayPal offer store operators, and buyers too, practical ways to simplify the payment process. Convenience should not come at the expense of security, however.

The European Commission has introduced mandatory guidelines so that consumers do not have to deal with untrustworthy companies. These guidelines have now been updated. What do online store owners and buyers have to be prepared for from now on?

PSD2 regulation: what is it?

The EU adopted the first version of the regulations in 2007. The Payment Services Directive (PSD) was intended, and still is, to regulate Europe-wide payment transactions by companies that are not traditional banks. The purpose is to enable companies other than banks to offer payment services via the internet, thereby boosting and, at the same time, regulating competition in this area of the financial sector. For US customers, this also means that any transactions made in Europe will be more secure.

Payment Services Directives 1 and 2 therefore serve several purposes:

  • Promote competition in payment services
  • Reduce costs for consumers
  • Regulate and strengthen financial technology start-ups (FinTech, for short)
  • Create more security when paying on the internet

History of payment services policies: From PSD1 to PSD2

With the first version of the Payment Services Directive, the European Commission took an important step towards regulating international payments. PSD created the legal basis for service providers in this sector and aimed to harmonize European payment traffic. Back then, just as it does now, this referred explicitly to providers who did not come from the banking sector. The monopoly of credit institutions on payment transactions was therefore broken by PSD.

However, not every company can act as a payment institution. The Payment Services Directive laid down compulsory requirements that these providers must meet. In spite of the many clear rules it set out, some uncertainties remained, and the Directive even created a few problems of its own.

With PSD2, the EU is now attempting to clear up these uncertainties and to strengthen security for consumers. This works, for example, by issuing mandatory certificates and seals, which can only be obtained from recognized organizations. In addition, companies require approval from the national financial supervisory authority.


Payment Services Directive 2 in detail

The second version of the Payment Services Directive was adopted as early as 2017, but only becomes binding on September 14, 2019, once the transition period has expired. One of the most important innovations, which some see as a revolution, is that banks now have to give other companies access to their customers’ account information. Only if the user has given their consent, of course.

Banks will soon have to provide authorized providers with an interface to enable them to initiate transfers directly and also to retrieve information on users’ account balances and other financial details. But why is this so important? And why should this be made possible for companies?

In the past, many consumers were already using services like these, without the need for these mandatory rules. Particularly in the FinTech sector, there are some companies that provide software which users can use to manage their finances. Apps for saving, taking out insurance, or for information on the stock exchange need bank information. As a result of the PSD2, banks are obliged to provide companies possessing the correct certificates with an interface that service providers can use to retrieve the required information and make payments or transfers.

Note

Even with PSD2, companies cannot arbitrarily access your sensitive financial data. In addition to official approval, service providers need your explicit consent in order to receive data from your bank.

Although service providers were able to access information from bank accounts before, they had no standardized way to do so. Some countries have since created a standardized interface, but until then companies operating internationally depended on a technique called screen scraping, in which the service provider extracts the information from the online banking provider’s website as a user would see it. This is inefficient and also prone to errors. Since PSD2, banks have been obliged to set up an Access to Account (XS2A) interface through which service providers can gain access.

PSD2 also offers solutions to ensure that the transfer of sensitive data via the interfaces will be carried out without any risks for the consumer in the future. The security of the data is guaranteed by two different means:

  • QWAC (Qualified Website Authentication Certificate): the provider and the bank use this certificate to identify each other, and it underpins the encryption of the data in transit.
  • QSEAL (Qualified Electronic Seal certificate): the seal is attached to the data and binds it to a specific company. This makes it possible to trace later which company accessed the bank account and transferred data via the interface. In addition, the seal guarantees that the data cannot be altered unnoticed.

In order to apply for these certificates or seals, providers need the approval of a national supervisory authority. National supervisory authorities now scrutinize third-party providers very closely before they are allowed to receive user information, which was not the case in the past. The supervisory authority examines the complete company structure and looks at what internal controls exist, how crises are handled, and how the company protects itself. This is mainly a hurdle for small start-ups, but it benefits consumer protection.

What changes for customers and online store owners?

The new Payment Services Directive largely concerns banks and other financial service providers. Users will not notice most of the changes, which happen in the background, and even for online retailers there are only a few changes.

PSD2 from the user's point of view

The second version of the PSD promises online buyers more security when paying. Both the licensing of technical solutions and the inspection by supervisory authorities ensure that sensitive data is more reliably protected. Users will, however, notice the mandatory two-factor authentication immediately. In the future, customers will have to confirm a payment using a second method and thereby identify themselves on the website. This works, for example, via SMS with a TAN: the customer must enter the code received during the payment process in order to complete it. Identification using a fingerprint is also possible in principle.

Fact

The introduction of two-factor authentication will also replace the iTAN lists for online banking, which have become obsolete in the meantime. Banks will rely in future on SMS, apps, or special TAN devices here as well.

The customer can also expect lower prices, as online retailers are no longer allowed to charge additional costs for certain payment options (such as credit cards).

It is expected that far more enterprises will become involved in the financial sector thanks to PSD2. There is already speculation as to whether large corporations such as Amazon or eBay will enter the sector. These online marketplaces could then debit the amount directly from the customer’s account when an order is placed, instead of taking the long route via direct debit.

Online retailers & PSD2: What do they have to pay attention to?

Many aspects of the Payment Services Directive 2 concern technical implementation, so many online retailers are asking what changes they need to make to their systems. Payments made via an online store must now be secured by two-factor authentication.

This requirement results from the Strong Customer Authentication (SCA) mandated by PSD2. Customers must authorize a transfer of money using at least two of three factors: knowledge (e.g. a password or PIN), possession (e.g. a card or smartphone), or inherence (e.g. voice or fingerprint). This applies to all amounts over 30 euros ($34). If several purchases within one day exceed a total value of 100 euros ($113), two-factor authentication is required even when each individual purchase falls below the 30 euro ($34) threshold.
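The threshold logic just described, as an added example in Python (not code from the article or from any payment provider): it models, per customer and calendar day, whether a payment needs SCA under the two rules the text states, a per-transaction limit of 30 euros and a cumulative daily limit of 100 euros. The `Transaction` record, the function names, and the sample payments are constructed for illustration only; in a real store this decision is made by the bank and the payment partner, not by shop code, but the model shows why a log of small payments still has to be aggregated per customer.

```python
"""Added example: simplified model of the SCA low-value rule as the article
states it. Thresholds, record layout and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

# Thresholds as stated in the article (the dollar figures there are conversions).
PER_TXN_LIMIT = Decimal("30.00")            # single payment above this always needs SCA
DAILY_CUMULATIVE_LIMIT = Decimal("100.00")  # same-day total above this needs SCA too


@dataclass(frozen=True)
class Transaction:
    customer_id: str
    amount_eur: Decimal   # Decimal, never float, for money
    at: datetime


def sca_decisions(transactions):
    """Return [(transaction, needs_sca, reason)] in chronological order.

    The running total is kept per (customer, calendar day), which is how the
    article phrases the cumulative rule. Sorting by time matters: the same
    payments in a different order would move the point at which the daily
    limit is crossed.
    """
    running = defaultdict(lambda: Decimal("0"))
    decisions = []
    for txn in sorted(transactions, key=lambda t: t.at):
        key = (txn.customer_id, txn.at.date())
        running[key] += txn.amount_eur
        if txn.amount_eur > PER_TXN_LIMIT:
            decisions.append((txn, True, "amount above per-transaction limit"))
        elif running[key] > DAILY_CUMULATIVE_LIMIT:
            decisions.append((txn, True, "same-day cumulative total exceeded"))
        else:
            decisions.append((txn, False, "low-value exemption"))
    return decisions


# Constructed sample payments (not real data). Deliberately out of order so the
# sort inside sca_decisions() is exercised.
SAMPLE_TRANSACTIONS = [
    Transaction("alice", Decimal("15.00"), datetime(2019, 9, 14, 12, 0)),
    Transaction("alice", Decimal("25.00"), datetime(2019, 9, 14, 9, 0)),
    Transaction("bob",   Decimal("29.99"), datetime(2019, 9, 14, 9, 30)),
    Transaction("alice", Decimal("45.50"), datetime(2019, 9, 14, 10, 0)),
    Transaction("alice", Decimal("20.00"), datetime(2019, 9, 14, 11, 0)),
    Transaction("alice", Decimal("10.00"), datetime(2019, 9, 15, 8, 0)),  # next day, counter starts over
]


def count_requiring_sca(transactions):
    """Number of payments in the batch that would need two factors."""
    return sum(1 for _, needs_sca, _ in sca_decisions(transactions) if needs_sca)


if __name__ == "__main__":
    for txn, needs_sca, reason in sca_decisions(SAMPLE_TRANSACTIONS):
        flag = "SCA" if needs_sca else "---"
        print(f"{txn.at:%Y-%m-%d %H:%M} {txn.customer_id:<6} {txn.amount_eur:>7} EUR  {flag}  {reason}")
```

Running the block shows alice’s 45.50 euro payment flagged on its own, and her 15.00 euro payment at noon flagged only because it pushes her day’s total past 100 euros; bob’s single 29.99 euro purchase and alice’s next-day payment stay exempt.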

To process payments, online shop operators usually work with a payment partner that implements the PSD2 requirements in its system. The credit card companies have meanwhile developed a new version of 3D Secure for this purpose. E-commerce store owners then only have to make sure that the security procedure is correctly integrated into their store.

The SCA requirements do not explicitly apply to direct debits. A direct debit is a pull payment: the seller requests the money from the customer’s bank. The secure procedure is intended only for push payments, i.e. payments that the customer initiates directly.

Note

The two-factor authentication must be implemented in online stores by September 14, 2019.

The other important innovation for online retailers: surcharges are no longer permitted. Previously, it was common for retailers to add a surcharge to the purchase price, for example for payments by credit card, because these incurred additional costs for the retailer. Store owners are also not allowed to charge additional fees for payments via PayPal; the payment processor forbids this in its general terms and conditions.
