Education Center

PSD2 Compliance

PSD2 Compliance

This article will cover the basics of PSD2 – what it is, what it aims to do, what it regulates, and the requirements it sets forth. You’ll also learn who PSD2 impacts and how organizations can be in compliance.

What is PSD2?

PSD2 (Payment Service Providers Directive) is a European regulation that was established to make electronic payments easy and secure.

Administered by the European Commission, PSD2 aims to drive financial institutions to innovate and modernize the payments market across the European finance industry while improving the overall banking experience and security for consumers.

Why was PSD2 Introduced?

Back in 2007, when the open banking concept gained recognition in the financial market, the European Union (EU) introduced the PSD regulation to create a single payment market for the entire European Union (EU). Once PSD was introduced, many new service providers emerged into the field, engaging with small businesses and consumers to capitalize on the opportunity.

As more banks embraced open banking and the number of payment service providers increased, the EU revised the PSD regulation with a few amendments in 2013, resulting in the current PSD2. The revised directive sought to bridge a connection between existing banks, retailers, and the new fintech entrants to, in turn:

  • Promote innovation and competition in the payments market
  • Make online payments easier and safer for consumers
  • Protect consumer information against fraud

Although PSD2 was created in 2013, it did not fully go into effect immediately. Due to debates and long delays in publishing technical standards, PSD2 was gradually implemented starting in January 2018. However, PSD2 did not officially go into full effect to govern e-commerce in Europe until December 2020.

What the PSD2 Entails?

At its core, PSD2 focuses on two key areas:

  • Innovation and market competition
  • Transaction security and customer data protection

 

PSD2 Focuses on two key areas

Innovation and Market Competition

To transform the payments market, PSD2 introduced two new regulated services: Payment Initiation Services (PIS) and Account Information Services (AIS). Together, these services help create an easy and secure means for making online payments.

1. Payment Initiation Services (PIS)

Payment Initiation Services (PIS) allow consumers to authorize a third-party payment provider (TPP) to make payments online by filling in the required account information on behalf of the consumer. This provides consumers the flexibility of making online payments without having to visit a specific bank application. It also presents consumers with multiple payment options.

2. Account Information Services (AIS)

Account Information Services (AIS) involve aggregating and storing account information from customers’ multiple bank accounts at a central location. Account Information Service Providers (AISPs) are TPPs that collect customer bank data by accessing their accounts. Through AISPs, consumers can get a holistic view of their account information across different accounts in a single application, which helps them gain better control over their finances. Customers can also choose to make their payments either directly from their bank accounts or from other secure sources. This helps avoid paying the surcharges associated with card-based transactions.

To facilitate the above two services, the PSD2 regulation demands banks to open their payment services to third-party payment providers via Application Programming Interfaces (APIs) and provide account information. The APIs are open to any TPP recognized by PSD2 based on specific security requirements. PSD2 recognizes and regulates these TPPs to access banking data and initiate payment services.

Transaction Security and Customer Data Protection

Another major objective of PSD2 is improving the security of online payments and protecting consumer information from fraud. To achieve this goal, the European Banking Authority (EBA) developed the Regulatory Technical Standards (RTS) that specify requirements around two key areas for payment service providers and banks to become PSD2 compliant:

  1. Strong Customer Authentication (SCA) for electronic payment transactions
  2. Secure Open Standards of Communication (CSC) by the payment service providers

1. Strong Customer Authentication (SCA) for Electronic Payment Transactions

Strong Customer Authentication (SCA) is one of the notable measures of PSD2. SCA is designed to serve as a reliable and effective authentication tool to secure online payments and protect consumers’ financial data from theft. According to SCA, all payment processors and digital banking providers must use multi-factor authentication (MFA), essentially two-factor authentication (2FA), for initiating payments and accessing accounts. As a result of SCA, customers must verify their identities and provide consent using a combination of authentication mechanisms like PINs, biometrics, and text messages before making payments. Implementing MFA provides an additional layer of security for financial transactions and helps prevent payment fraud.

PSD2 – Strong Customer Authentication (SCA) Requirements

To comply with Strong Customer Authentication (SCA), payment service providers must authenticate consumers based on at least two independent pieces of information. These pieces of information fall into three categories:

  • Knowledge – something customers know, such as passwords.
  • Possession – something the customers own, such as mobile phones.
  • Inherence – something the customers are, such as their fingerprint or voice patterns.

 

SCA Requirements

SCA applies to most online transactions. However, there are exemptions to SCA, which depend on the level of risk involved in the payment service provided. The exemptions were added to make low-risk transactions fast and frictionless for a better customer experience.

Some of the common SCA exemptions include:

  • Low-risk transactions where the provider’s or bank’s overall fraud rates for card payments are below predetermined thresholds.
  • Payments below 30 Euros
  • Fixed-amount subscriptions, where SCA may be applied only on the first payment.
  • Merchant-initiated transactions
  • Trusted beneficiaries
  • Phone sales, where the card details are acquired over the phone
  • Corporate payments

Dynamic Linking in SCA

Another pivotal element of SCA is dynamic linking, which involves using pre-generated authentication tokens for specific payment amounts and payees. These tokens cannot be modified or reused, otherwise the transaction gets canceled.

2. Secure Open Standards of Communication (CSC)

Common and Secure Communication standards, also referred to as CSC, are a set of standards specified by RTS to ensure that the communication between banks and regulated third-party providers (TPPs) is confidential and secured. To meet this goal, banks must develop a secure communication channel that allows TPPs to access consumer account information and initiate payments securely. Additionally, these communication channels enable banks and TPPs to verify each others’ identities when accessing information. With the implementation of CSC standards, TPPs can no longer access customer data through “screen scraping,” an act of copying information displayed on a screen.

PSD2 – Secure Open Standards of Communication (CSC) Requirements

Financial institutions typically use digital certificates for online authentication and secure communication. Considering the sensitivity of banking transactions, Common and Secure Communication (CSC) standards mandate using only eIDAS (electronic identification, authentication, and trust services) certificates issued by a Qualified Trust Service Provider (QTSP) for authenticity and data integrity.

CSC recommends using both of the following certificates in parallel for secure communication:

2A. Qualified Certificate for Website Authentication (QWAC)

A Qualified Website Authentication Certificate (QWAC) is a type of digital certificate used with Transport Layer Security (TLS) protocol issued by a Qualified Trust Service Provider (QTSP) to meet the eIDAS, or the Electronic Identification and Trust Services regulation. Simply put, QWACs are used for website authentication and to protect data in peer-to-peer communication. In order to ensure the highest level of trust and assurance, QWACs are issued after extensive and stringent identity verification checks.

QWACs are used by payment service providers and banks to:

  • Verify their identities to customers and other businesses interacting with their websites
  • Encrypt data to ensure confidentiality and integrity during communication

2B. Qualified Certificate for Electronic Seals (QSealC)

A Qualified Certificate for Electronic Seals (QSealC) is a type of digital certificate used to ensure the authenticity and integrity of sensitive electronic documents and data. A QSealC is used to apply an e-seal (essentially a digital signature) using standards such as ETSI’s PAdES, CAdES or XAdES. The e-seal confirms the integrity of a document, by verifying the source and protecting its contents from tampering.

QSealCs are used by payment service providers and banks to:

  • Ensure the data actually originated from the entity associated with the certificate
  • Verify that the data has not been tampered with, ensuring data integrity
  • Provide legal evidence for communications between banks and PSPs to support non-repudiation

How Does PSD2 Differ from the Original PSD?

Following are a few significant changes that PSD2 brought to the earlier version:

  • Increased security for online transactions: Implementing MFA helps mitigate the risk of online payment fraud and better protect consumer information.
  • Access to accounts (XS2A): Regulates access to consumer accounts based on consent. Banks are required to share consumer account information and aggregate data with TPPs only after getting the customer’s consent. As mentioned earlier, banks are also expected to set up the necessary infrastructure to provide TPPs secure access to account information.
  • Preventing payment surcharges: PSD2 forbids surcharges on card payments in online transactions. Surcharges were previously applied for online payments and specific sectors like the travel and hospitality industries.
  • International payments: This refers to transactions where a payment service provider is outside the EU. These transactions were out of scope under the original PSD regulation. PSD2 provides more clarity on these transactions by providing information such as execution time and fees.

Where is PSD2 Applicable, and Who Should Comply?

PSD2 applies to all consumers within the EU member nations. While the regulation is primarily aimed at EU banks and financial service providers, companies outside the EU must comply with PSD2 when transacting in the EU. For example, US-based companies must ensure that their EU business units are PSD2 compliant. PSD2 also applies to the UK, regardless of its affiliation with the EU.

Benefits of PSD2

Benefits of PSD2 for Consumers Benefits of PSD2 for Payment Service Providers
Improved payment experience Better customer engagement
Higher transaction security Low risk of payment fraud
Confidentiality of account information Access to rich consumer data for risk assessment and creating new revenue streams
Wide range of payment options Fair market competition

End Note

The objective of PSD2 was to develop an integrated standards-based payments market, provide a level playing field for new players, and improve the customer banking experience. It plays a significant role in the banking revolution the EU is experiencing. By complying with PSD2, financial institutions can benefit from attractive growth opportunities that online banking brings, while customers can enjoy a convenient and secure banking experience.

Let’s get you started on your certificate automation journey