PSD2 and SCA: What do they mean for your business?

A jargon-free guide to all things PSD2 – and what your business should do to get ready for the changes that are coming

UPDATE: PSD2 SCA DEADLINE EXTENDED

19th August 2019

The Financial Conduct Authority (FCA) last Tuesday confirmed that the introduction of Strong Customer Authentication (SCA) would be delayed by 18 months.

The decision to eke implementation of SCA out over the next year and a half has been made to give financial institutions more time, and to avoid a payments ‘cliff-edge'. That cliff is a steep one, too – it was thought that around 25 to 30% of ecommerce transactions taking place after the original deadline (14th September) would have failed due to SCA.

That's not to say that, as a merchant, you don't have to think about preparing for SCA for a while. Quite the opposite – get ready for the changes now, and welcome in a new era of safer, smoother transactions. Find out how below.

PSD2. Chances are, as a UK-based retailer, you’ve been hearing a lot about it. And rightly so – it’s already changing the complexion of the payments industry in a big way. But hearing about PSD2 is one thing – understanding exactly what it means for your business is quite another.

That’s where we can help. What you’ll find here is a straightforward, jargon-busting guide to PSD2. We’ll look at what PSD2 is, why it’s happening, and who’s affected. But most importantly, we’ll explore how your business needs to prepare for the sweeping changes it’s set to bring.

PSD2 will present huge opportunities for your business – but it’s up to you to embrace them. Read on, and we’ll tell you how.

How will the PSD2 affect you?

PSD2 stands for the revised Payment Services Directive. It’s European Union legislation that’s designed to improve consumer rights, reduce fraud, and promote more innovative payment methods.

PSD2 came into force on 13th January 2018. It’s designed to build on the original PSD (PSD1), which arrived in 2007.

Despite having been around for about a year and a half now, PSD2 isn’t in full swing yet. That’s right – some of its most disruptive features are still working their way through the ponderous practicalities of EU law, and won’t arrive until September 14th, 2019.

What is the original PSD?

The original Payment Services Directive (PSD1) came into force across Europe on 25th December 2007. PSD1 helped establish a single European market for electronic payments. Cross-border transactions across European countries became more efficient, simple, and secure.

PSD1 also changed people’s relationships with the banks, who had to become more transparent about their fees and services. PSD1 introduced payment service providers (PSPs) – new companies offering alternative, more innovative ways to pay.

The arrival of PSPs meant that banks lost their traditional vice-like grip over financial transactions. And, as September draws closer and the PSD2 begins to flex its muscles, the banks’ oligopoly continues to weaken.

But what will PSD2 actually do? Read on, as we take a look at the big ways it stands to build on its forefather. Alternatively, jump straight to our jargon buster and start getting to the bottom of some of the more baffling terms we’re about to start throwing around.

What will PSD2 do?

PSD2 is complicated legislation, and it’s still unclear exactly how it will all look when it’s finally rolled out later this year. That said, the effects of PSD2 will largely boil down to these three things:

These sweeping new changes won’t just affect customers – they’ll have big implications for banks, payment service providers, and retailers like yourself.

Image: PSD2 – game-changing European payments legislation, not a long-lost relative of R2D2.

1. More secure payments

Perhaps the biggest change PSD2 will make relates to the introduction of enhanced security measures for payments. This new requirement is known as Strong Customer Authentication (SCA) – and it’s worth explaining.

What is Strong Customer Authentication (SCA)?

PSD2 will introduce a new standard of verification for card payments. It’s known as SCA, and it’s going to have a big impact on the way you accept card payments.

As of 14th September 2019, your customers will need to provide two out of the three following forms of ID to make a payment:

Possession: This is something only your customer has – it could be a credit or debit card, or their mobile phone.
Knowledge: This refers to a thing only your customer knows – this could be a PIN number, password, or some form of token.
Inherence: This form of identification is something unique to the individual customer. It could be a fingerprint, biometric facial feature, or even the vein pattern on the palm of their hand. Technology, huh?

These new measures of authentication will apply to all transactions in the European Economic Area (EEA). That includes face-to-face transactions, as well as payments taken online or over the phone.

Update: PSD2 SCA deadline extended by 18 months from original 14th September 2019. See above for more.

SCA exemptions

Because this extra layer of authentication adds time and friction to the checkout process, some transactions are exempt. SCA won’t apply to:

Low value face-to-face contactless payments

Transactions at the point of sale (POS) are exempt from SCA – as long as they’re below €50, and have a maximum cumulative value of five transactions, or €150. This means that every fifth transaction (or every transaction worth more than €50) will need to be challenged under SCA requirements.

Low value online payments

Transactions made online that are less than €30 are SCA exempt, with a maximum cumulative value of five transactions, or €100.

Whitelisted payments

Customers you do regular business with will have the option to ‘whitelist’ you, meaning all ongoing transactions with that customer will be SCA-exempt. The same will also apply to regular recurring payments made to you for the same amount, from the same customer. This applies to anyone paying you monthly subscription fees, for example.

Corporate payments

Certain payments between companies are exempt from SCA, provided they are made on behalf of a business, rather than a consumer.

Despite the range of exemptions, SCA is still going to affect the way you do business – particularly if you rely heavily on ecommerce. Skip down to find out what you can do to prepare.

3D Secure 2.0

So, you ask – what’s the current way of ensuring secure ecommerce transactions? Well, it’s a little piece of software called 3D Secure. It’s how an issuing bank verifies the safety of purchases your customers make with you. At the moment, it’s optional, and mainly only used for higher risk transactions. But as of September, this form of verification will become the new default – with an estimated 95% of transactions requiring it.

Issuing banks and PSPs are also now having to comply with a new-and-improved version of 3D Secure – the aptly-named 3D Secure 2.0. This latest edition of the software will be fully SCA compliant, which takes a great deal of stress away from your side.

Not only that, but using 3D Secure 2.0 to verify your transactions shifts liability to the issuing bank. That means that, as a merchant, you won’t have to worry about losing your hard-earned pennies as a result of dodgy transactions.

Better still, it’s not even your responsibility to make sure your payment systems are 3D Secure 2.0 compliant – that lies with your issuing bank. What it is your responsibility to do, though, is make sure that you’re prepared for it.

Still confused about what the PSD2 and SCA mean for your business? Check out our roundup of October 2019's PayExpo and find out what the industry's experts had to say!

2. More customer rights

PSD2 also stands to bring in more rights for customers. You might remember when surcharging customers for small card transactions became illegal. That was the work of the PSD2, all the way back in January 2018.

And that was just one of the ways that PSD2 has made things better for customers. It also stands to improve consumer rights, with the European Commission itself stating that one of the goals of PSD2 is to:

“Protect consumer rights in the event of unauthorised debits from an account under certain conditions.”

So how does that look, exactly? Let’s take a quick glance.

Better reporting

PSD2 sets out a new framework for how incidents should be reported. That means clearer timeframes for when payment service providers respond to complaints, and for reporting instances of fraud to the correct authorities.

Improving transparency

PSD2 aims to help consumers make better, more informed choices when it comes to paying. At the POS in particular, that means greater transparency around exchange rates and currency conversion. Put simply, it means your customers know exactly how much they’re paying, even if it’s in the currency of another (European) country.

Earmarking of funds

If your business is in the hotel or rental car industry, you’ll be familiar with fund earmarking. It’s basically when merchants ring-fence a certain amount of funds in a customer’s account, to make sure they have enough funds to complete the booking. It also serves as a kind of safeguard, or deposit, for payments that come after the service has been provided.

Under PSD2, you have an obligation to ensure any earmarked funds are released to the customer, as soon as the final amount to be charged is known. It’s another way the new-and-improved legislation is aiming to benefit the customer – and you need to understand how it affects you, too.

Banning surcharging

When it came out in January last year, PSD2 introduced a ban on all surcharges on card payments. If you’re a bricks and mortar merchant dealing mainly in low-volume sales, you’ll remember this well (and it probably hit you pretty hard in the pocket, too). But for your customers, it increased the convenience of paying with card – and broke down another barrier in the shift towards…

3. More open banking

The third aspect of PSD2 is indeed a big one – big enough, in fact, to blow the payments industry wide open. And we mean that in a thoroughly literal sense – because PSD2 has brought open banking to the UK.

What this means is that the UK’s biggest banks now need to share their customers’ information with third party payment providers (TPPs).

Wait, what? And, uh, who?

It’s not as sinister as it sounds. This part of PSD2’s legislation just means that banks have to provide open APIs (Application Programming Interfaces) to share access to their customer’s accounts with third parties.

These third parties are companies that provide the customer with new ways to pay for services, and manage their money. With the customer’s express consent, these providers can make payments on a customer’s behalf, and also make it easier to view and dispense funds.

“Banking is necessary; banks are not.”

(Bill Gates, 1990)

To paraphrase Bill’s comments, the banks’ oligopoly on its customers’ information is vanishing. And into that void of payments and money management will rush third party providers. But what will those providers look like? Let’s explore.

Third party providers: explained

Third party providers (TPPs) that have been created as a result of PSD2 fall into two distinct categories: PISPs and AISPs. Again, though they work with the bank through open APIs, all TPPs need the clear consent of the payment service user (PSU) – that is, the customer – before they can begin working with that customer.

A TPP can be a fintech firm, a bank, or even an online merchant or big retailer. As of December last year, there were 58 AISPs and 22 PISPs registered with the Financial Conduct Authority (FCA) – but expect this number to balloon.

Let’s take a closer look at these two newcomers.

Payment Initiation Service Providers (PISPs)

A PISP is a digital service capable of making credit transfers on behalf of a bank account owner. A PISP creates a kind of software ‘bridge’ between your (the merchant’s) website and the online platform of the payer’s bank. This ‘bridge’ paves the way for quicker, smoother online transactions – meaning happier customers, and a healthier bank account for you.

PISPs currently only relate to ecommerce transactions, with the ultimate goal being to remove the need for credit and debit cards completely. Check out Trustly as a good example of a PISP, or skip down to find out what PISPs mean for merchants.

Account Information Service Providers (AISPs)

Whereas PISPs make payments on behalf of the customer, AISPs simply provide them with information about their accounts. Think of it as more of a ‘look, but don’t touch’ kind of deal. With the holder’s permission, an AISP collects data from all their different accounts, and presents it in an accessible format.

AISPs usually take the form of money management apps, which let customers better plan their budget and get a more holistic view of their financial situation. Think sites like Mint and Money Dashboard.

PISPs enable you to receive direct push payments from your customer’s bank account

What should you do as a merchant?

Don’t forget – the most disruptive elements of the PSD2 come into force on September 14th, 2019. Mark the date in your calendar, and read on to find out what you can (and should) do before that balmy mid-September day rolls around.

Update: PSD2 SCA deadline extended by 18 months from original 14th September 2019. See above for more.

✔ Prepare for SCA

We talked before about Strong Customer Authorisation – a new standard of authentication that your higher value transactions will need to pass. For transactions that aren’t exempt, your customer will need to provide two of the three following forms of authentication: possession, knowledge, and inherence.

It’s not your responsibility as a merchant to ensure that your systems are SCA compliant – that lies with the issuing bank (i.e. your customer’s bank). But you can prepare for the SCA by getting ready for 3D Secure 2.0 – the upcoming standard for card transaction authorisation.

Make sure the current checkout experience on your website is optimised. This means that your online checkout needs to contain the right fields to let you verify a payment under the new regulations. By calibrating the experience for your customer with SCA methods, you’ll be paving the way to be fully PSD2 compliant by September.

✔ Evaluate your current checkout payment process

The biggest PSD2-related worry for you is increased friction at the online checkout stage. And it’s a relevant worry – if you don’t clue yourself up on what the new regulation means for your business, it could have an impact on your sales and conversion rates.

Different payment methods are suitable for different industries and business types. While there won’t be too much upheaval with face-to-face transactions, ecommerce businesses will be affected. If this is you, you’ll need to ensure you’re giving customers as many ways to verify themselves as possible.

But that doesn’t mean you should sacrifice style – you’ll need to also make the flow of authentication in an online payment as smooth and seamless as it can be.

✔ Become a Payment Initiation Service Provider (PISP)

Remember the PISPs we just talked about? New digital services that make payment smoother, and quicker? Well, turns out your business can become one. This would allow you to connect directly to your customer’s account, and thus result in less friction – and less cost – when taking payments online.

Because of the rigorous checks and application process involved, this option is better-suited to larger ecommerce merchants. To apply, you’ll need to go through the FCA.

✔ Encourage customers to whitelist your business

Customers that have ‘whitelisted’ your business are automatically exempt from SCA requirements. And in this new, fertile payments landscape, being on your customers’ whitelist is gold dust.

Not only will you be a business that inspires trust and confidence, but you’ll be able to offer your customers instant verification – even on higher value payments. The moral? If you’ve got frequent customers, make sure they’re putting you on their whitelist.

✔ Consider who you use to take payments

All banks are mandated to have SCA compliance in place by September 14th this year – at the latest. However, there will likely be key differences in how those banks support the merchants that they work with.

Get in touch with your acquiring bank to find out what kind of support they can offer you in the transition to PSD2 and SCA compliance. Ask it about its progress towards the deadline of compliance, and how the changes will impact on your current fraudulent transaction rate. The bottom line? If your current bank or PSP isn’t performing, it might be time to consider ringing the changes.

Expert comment: What should you do as a merchant?

– Ralf Ohlhausen, Executive Acisor at PPRO

While merchants can be reassured that the financial services sector is working to clarify the requirements for the upcoming the Secure Customer Authentication regulation under the PSD2’s Regulatory Technical Standards, which will help mitigate against fraud by enforcing Multi-Factor Authentication (MFA), they cannot afford to wait until after the September deadline to act.

It may be time that UK merchants consider moving away from credit-based payments, and look to more secure alternative payment methods (APMs), such iDEAL in the Netherlands and GiroPay in Germany, which are more secure by default. Such bank to bank push payment method not only help the consumer to finalise transactions in their own secure online banking environment without giving out data to third parties; these APMs also have already build in multi factor authentication as a security measure by default.

Merchants must make an educated decision on the payment mix they implement according to the risk index, with the help of their Payment Service Providers (PSPs), to tackle fraud head-on. While more layers of security may require more methods of authentication and customers to input more information, which may hinder speed and convenience at the checkout, merchants can be safe in the knowledge that high-value transactions are coming from loyal customers, and fraudulent transactions are a thing of the past.”

Jargon buster

There you have it – a whistle-stop tour of PSD2. What it is, when it’s happening, and what you should do to get your business ready for the oncoming changes.

Still got questions? No problem – dive into our list of FAQs below, or read on as we attack those awkward acronyms and probe the pesky payments parlance.

And if there’s anything PSD2-related that this guide didn’t answer, why not get in touch? Flick an email to robert.binns@mvfglobal.com with all your pertinent payments musings, and we’ll be sure to get right back to you. Alternatively, read on as we break down the jargon.

Acquiring bank/acquirer

The acquirer processes payments on behalf of you, the merchant. An acquiring bank provides you with a merchant account that lets you take credit and debit card payments. It gets its name because it ‘acquires’ payment from the consumer.

Application Programming Interfaces (APIs)

Put simply, an API is what lets different online services and applications communicate with each other. In the case of PSD2, it’s what allows banks to share their customers’ account information with third party providers.

European Economic Area (EEA)

Established in 1992, the EEA specifies a geographical area for a single market trading bloc. It enables free movement of goods, services, and labour. Any electronic transfer of funds happening within this zone is subject to the PSD2 legislation.

Financial Conduct Authority (FCA)

The FCA is a financial regulatory body in the UK. It operates separately from the government, to regulate firms that provide financial services to consumers.

Issuing bank/issuer

The issuer refers to the bank that provides payment cards directly to consumers. Put simply, it’s your customer’s bank. It gets its name because it ‘issues’ payment on behalf of the customer.

Payment Service Provider (PSP)

PSPs are companies that offer merchants digital services for taking card payments. They provide the online infrastructure for taking payments, and are mostly pretty easy to get set up and approved for.

These companies usually charge a percentage of each transaction you take for their services. Amazon Pay, Stripe, and Square are three high-profile examples.

Payment Service User (PSU)

We didn’t use this term that much here, but you’ll see it crop up a lot throughout your research. PSU basically just means an individual who wants to buy something. When anyone pays for a service with a card or mobile wallet – whether that be in a shop, online, or over the phone – they become a PSU.

Single Euro Payments Area (SEPA)

SEPA establishes a single set of standards that apply to payments being made within the European Union. The original PSD laid out the legal foundations for the SEPA. Its central goal is to make cross-border payments within the EU as easy as those on a domestic level.

FAQs

PSD2 is a European thing, right? So what’ll happen after Brexit?

Brexit – the elephant in the room of a great many conversations these days. The truth is that we’re not really sure how Brexit will affect things. And that’s largely down to the fact that… no one really knows how Brexit will play out!

What we do know is this: the original PSD provided the framework for SEPA (Single Euro Payments Area). The UK is currently part of that, meaning that banks legally can’t charge any more for international payments within Europe than they could for a transaction within the same country.

However, if the UK decides to leave the single market as part of Brexit, this could change. The government has already said that a no-deal Brexit could mean the cost of card payments could increase. In addition, cross-border payments involving UK parties would no longer be covered by the PSD2 surcharging ban.

However, it’s entirely possible the UK will leave with a deal that preserves the core values of PSD2 – or not leave at all. Also, elements of the PSD2 – like the prohibition of domestic card payment surcharges – have now been written into UK law. Which means they’ll stick around – even after (gulp!) Brexit.

Watch this space!

Why is the original PSD being updated?

The first PSD was devised before the first iPhone had even come out, so it’s easy to see why a refresh was needed!

The payment industry has seen a boom in the last decade. There’s been a plethora of ambitious startups offering newer, more innovative ways for your customers to part with their cash.

The aim of the update to this legislation is to regulate these new third party providers’ entrance into the payments space. PSD2’s aim is to encourage that innovation, improving choice and security for the customer. More competition will result in better, cheaper services for the consumer, and more security for you.

Q & A

We sat down with Jonathan Jensen, Director of Identity Verification at GBG, to chat about the key takeaways for merchants when it comes to PSD2, and being SCA compliant before the deadline.

What are the direct consequences of both PSD2 and SCA for merchants?

The key impact of PSD2 for merchants is having to comply with SCA. This means merchants need to implement a second factor for authorising online consumer transactions over 30€. Typically this will be achieved by using 3D Secure 2.0. Online and mobile payments that are completed using Consumer Device Cardholder Verification Method (such as Apple Pay) are already compliant. That’s because they use the consumer’s mobile device (via Touch ID or Face ID) to authorise the transaction (or Touch ID on the latest MacBook Pros and MacBook Airs).
The biggest risk for merchants is that, despite getting everything in place and being fully compliant, the plethora of new authorisation methods used by card issuers will confuse consumers, and potentially lead to checkout abandonment. Card issuers may use SMS, email, or CVV (if it’s not printed on the card) as options.

What can merchants do to prepare – and does the responsibility here lie with the merchants or with the banks?

Merchants need to work with their merchant acquirer to ensure they implement 3D Secure 2.0 by the due date. It’s vital that this implementation can also handle exemptions (such as low value transactions) correctly. As the FCA is allowing extensions beyond the 14th of September, merchants and acquirers need to make the most of this extra time to put an implementation plan into place.

What can merchants do to reduce friction at the checkout?

Merchants can offer consumers the option to pay with Apple Pay, which means the consumer won’t have to enter any additional information at the checkout – or even have an account with the merchant.

What would be your top tip for merchants in the UK with regards to PSD2 and SCA?

Offer consumers frictionless checkout with Apple Pay, as well as card payments.
A second tip (when accepting online payments) would be to provide a clear notification to the consumer just before they hit the final checkout button, highlighting that they may receive an authorisation message.

Will PSD2 apply mainly/solely to ecommerce merchants, or will bricks and mortar businesses be affected too?

High street retailers are already compliant with the SCA requirements of PSD2 (or covered by exemptions), as they use chip and PIN and contactless technology.

Jonathan Jensen is Director for Identity Verification at GBG, the global specialist in identity data intelligence.

During his eighteen years working in identity verification and payments Jonathan launched new products in identity verification, digital money, prepay, telco billing and consumer payment services; in both startup and corporate environments. His most recent expertise is in delivering new identity verification products, including biometric and mobile phone based identity verification.