Understanding Payment Service Directive (PSD2) and Strong Customer Authentication
In order to ensure that merchants, card service providers, banks and customers remain protected, it is vital to set forth a strong and dynamic set of standards and regulations. While they have been in place for several years in the form of the Payment Services Directive (PSD), it is only recently that these protocols have been updated and refined into what is known as the PSD2. By April of 2020, all retailers doing business in Europe will be required to comply with the updated regulations, including implementing strong customer authentication (SCA) procedures.
History Of PSD
In December of 2009, the original PSD went into effect. Pertaining to companies that do business in all EU and EA member states, the directive was put into place to regulate payment services and providers as well as to bolster benefits to customers. It had three objectives: to enhance the rights of consumers, especially in the areas of transaction transparency and refund rights, to be a catalyst for competition in Europe and to improve quality. Before PSD, only banks and government agencies were allowed to provide payment services, but this directive expanded the role to include an entirely new generation of financial technology (FinTech) companies. These entities utilize mobile applications, online platforms and other technologies to offer innovative and affordable payment options and programs to their customers. Furthermore, it stipulated all providers must be totally transparent about their exchange rates, services, and fees. Finally, it took advantage of the recently implemented single euro payment area (SEPA), making the payment process flow more smoothly for all parties.
The Introduction Of PSD2
PSD2 builds upon the foundation of PSD and sets the stage for important changes and improvements to the payment and banking industries. This is accomplished through the creation of two new payment services statuses:
• Account Information Service Provider (AISP) is for new companies and allows them to have information pertaining to one or more accounts at one or more banks.
• Payment Initiation Service Provider (PISP) is for new actors who need to make payments on behalf of the payer. Instead of initiating the process from their bank, these companies can do so through the PISP which in turn transmits the data to the bank.
Another major change in the PSD2 is the introduction of SCA. No longer is inputting a simple password sufficient during the payment process. These operations now are required to use two authentication factors any time a customer wants to make a payment or access an account online or via an app. Furthermore, the definitions of authentication factors were refined. For instance, the written information on a customer’s credit or debit card (name, expiration date and security code) will no longer be accepted as valid authentication of identity.
Finally, as is the case with all rules, there are exceptions in the form of exemptions. These include:
• Unattended parking and transportation terminals;
• Trusted beneficiaries already specified by the customer;
• Recurring transactions that the customer has already permitted;
• Credit transfers to self in which the payer and payee are the same and they use the same service provider;
• Low-value transactions in which the amount of the remote electronic payment does not exceed €30 and the cumulative amount of previous remote electronic payment transactions initiated since the last challenge does not exceed €100 or 5 consecutive individual remote electronic payment transactions;
• Secure corporate payments;
• Qualified transactions were shown to have a fraud rate below set parameters;
• One leg out (OLO) payments in which the issuer or the acquirer is outside the EEA.
A Word About 3D Secure
Each major credit card company has its own online payment authentication solution, and 3D Secure (3DS) is the generic name for all of them. They were implemented to enhance security from fraud and reduce the merchant liability that comes from customer chargebacks.
Although 3D Secure was updated to 3DS 2 to keep pace with remote technological innovations including remote checkout via a payment gateway, the standard has been tweaked again to 3DS 2.2. This version adds support for consumers even when they are offline as well as for FIDO authentication using a security key, facial recognition, fingerprint or voice. In addition, 3DS 2 makes the end-user experience much more seamless by consolidating all of the card payment options into one standard that is overseen by EMVCO, a consortium of all of the major credit card companies. In the past, customers had to contend with branded names like Visa Secure, Mastercard Identity Check and American Express SafeKey, each of which required that the buyer be directed to that company’s site to complete the transaction. Thanks to 3DS 2, the SCA challenge is embedded within the web or mobile checkout flow, no longer requiring a page redirect during checkout.
Now that PSD2 is imminent, 3DS 2.2 is even more important for the following reasons:
• It is the only framework that shifts fraud liability to issuers or cardholders as long as the transaction is properly authenticated.
• It is the only solution that is in compliance with PSD2 SCA requirements.
• It is compatible with the mobile apps of all consumer banks.
• It supports the increasingly popular biometric authentication via fingerprint, facial recognition or other measures.
• It supports valid exemptions.
In sum, 3DS 2 acts as the teeth of the PSD2’s SCA provision, ensuring that customer identity is effectively verified. Particularly in the e-commerce payment gateway milieu, this extra precaution is crucial.
The Facts About Our PSD2 Readiness
Although compliance with PSD2 will not be required until April of 2020, all of Inovio’s systems are fully integrated and prepared for these upgraded regulations. We have taken the time to diligently ready ourselves in order to create a seamless transition experience for our customers in Europe, Brazil and other parts of South America. Armed with full compliance and expertise in these new processes, authentication protocols and their exceptions, we are totally equipped to provide trusted and robust services to customers from all over the world, including U.S. companies selling in the EU and European retailers marketing their products to the United States.
Perhaps, most important, our unmatched skill in this sector enables us to help you make intelligent, customized decisions based on your particular business needs. Our robust understanding of SCA exceptions, including OLO, enables us to guide you in determining whether or not you need to deploy these authentication protocols for PDS2 compliance. That means additional authentication challenges only when they are essential for regulatory compliance, a smoother payment experience for many customers and financial savings for your organization.
Considering the complexity of the PSD2 regulations that will soon be the order of the day for a large number of merchants, doesn’t it make sense to entrust your payments to us, a processor who is making it our mission to demystify and thoroughly comply with all facets of PSD2 months in advance?