What is the PSD2 regulation?
PSD2 (the second Payment Services Directive) is the European Union directive that regulates electronic payments within the European Economic Area (EEA).
It is an update of the earlier PSD (hence the final 2, marking the second version). In 2007 the PSD was sufficient to regulate online payments and secure purchases, but given the constant evolution of payment technology, the directive had to be updated with the so-called PSD2 because the previous version was already outdated. PSD2 was implemented in 2021 and is able to regulate technological innovations in payments, as well as the rise of fintech. From January 1, 2021, compliance is mandatory for online banking services, especially for credit card payments and mobile payments.
Broadly speaking, the PSD2 regulation aims to protect personal and banking data from fraud that can occur online. The means to do this is two-factor authentication.
What is the objective of PSD2?
New online payment methods have forced the directive to update its control system to keep pace with them. The main objective of the regulation is to protect users' data when they make online purchases and to increase security against online fraud.
With its implementation, a protocol for exchanging data to verify each customer's identity is put in place, which reinforces security. It also seeks to make online payments simpler by reducing the number of intermediaries involved in an online purchase.
The PSD2 regulation also aims to open up access to customer accounts to third-party companies (always with the customer's authorization) so that they can take part in online payment collection. This is a turning point for so-called Open Banking, which with measures such as these is finding a more accessible and cooperative operating environment.
Advantages of PSD2
In addition to being mandatory, complying with PSD2 payment regulations offers a number of advantages that benefit both users and companies:
- It allows third parties to perform transactions on users' accounts, always with the user's authorization.
- The security of each online purchase is reinforced with at least two authentication methods.
- The market is opened up to Open Banking, facilitating transactions between other entities and across European countries.
- The customer's liability in case of fraud is reduced from 150 to 50 euros.
- It makes online purchases easier to complete.
- There is greater control because transactions are registered with the European Banking Authority (EBA).
Who does the PSD2 regulation affect?
PSD2 affects both parties involved in the online purchasing process: the users whom the regulation protects and the companies that are responsible for complying with it. However, although compliance is mandatory, there are some exceptions where PSD2 does not need to be applied. Some of these cases are low-value transactions (less than 30 or 50 euros), recurring payments of the same amount, and low-risk operations.
Online ecommerce payments
Companies that sell online must comply with this regulation, ensuring at all times the secure processing of customer data as well as their own security. With two-step authentication, companies ensure that their customers are who they say they are, thus avoiding future problems and online fraud. Many companies (especially small ones) are not aware of the PSD2 regulations, but that does not exempt them from compliance. To keep up with all the updates and meet all the security requirements demanded at the European level, it is essential to use payment platforms that take care of exactly that.
Credit card payments in subscription-based companies
Regarding recurring payments, there is an exception to compliance, so businesses that receive online credit card payments for recurring services are not fully obliged to authenticate every charge. Under certain conditions, companies that offer subscription-based services for a fixed fee only have to authenticate the customer's first payment. In other words, if a company has monthly or annual subscriptions that are charged on a recurring basis, for the same period, with the same payment method and to the same beneficiary, then authentication is only required on the first payment; the subsequent charges are made automatically once the customer has authorized them.
PSD2 regulations for buyers
For their part, when buyers are asked to verify their data to make an online payment, they know that security is a priority for the company. Mistrust is often a barrier to making online credit card payments, but with this security system users can always have peace of mind. PSD2's objective is met thanks to the two-factor authentication system.
How does it work? Authentication factors
The main novelty of the PSD2 regulation is that it allows third parties access to customers' personal and banking data, thus opening up the payment system. Users continue to have maximum security, but the payment ecosystem has undergone a significant transformation. To achieve this, the following elements are used to authenticate every online transaction:
- Something owned. A physical object that the user has and uses to make the purchase, such as a card or cell phone.
- Something known. A piece of information known only to the user, such as a code, password or PIN.
- Something one is. An inherent part of the user's physical identity, such as biometric data (fingerprint, face, eyes, etc., which are captured with facial or eye recognition systems).
Under the current regulation, at least two of the three authentication factors must be satisfied. The most common are the first two.
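The decision logic described above (at least two factor categories, the low-value exception, and the subscription exception for recurring charges that match the first authenticated payment), as an added illustrative example that is not part of the original article or of any payment provider's code. The 30 euro threshold, the `Factor` categories and the `Mandate`/`Transaction` records are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class Factor(Enum):
    """The three authentication factor categories named in the article."""
    POSSESSION = "something owned"   # card, phone
    KNOWLEDGE = "something known"    # PIN, password, code
    INHERENCE = "something one is"   # fingerprint, face

@dataclass(frozen=True)
class Mandate:
    """A recurring agreement the customer authenticated on the first payment (assumed record)."""
    payee: str
    amount_cents: int
    payment_method: str   # e.g. a tokenised card reference
    period: str           # "monthly" or "annual"

@dataclass
class Transaction:
    payee: str
    amount_cents: int
    payment_method: str
    period: Optional[str] = None          # set for subscription charges
    mandate: Optional[Mandate] = None     # the authenticated first payment, if any
    factors_presented: Tuple[Factor, ...] = ()

LOW_VALUE_LIMIT_CENTS = 3000  # assumed threshold; the article cites 30 or 50 euros

def matches_mandate(tx: Transaction, mandate: Mandate) -> bool:
    """Same beneficiary, same amount, same payment method, same period."""
    return (tx.payee == mandate.payee and tx.amount_cents == mandate.amount_cents
            and tx.payment_method == mandate.payment_method and tx.period == mandate.period)

def sca_required(tx: Transaction) -> bool:
    """Strong customer authentication is needed unless an exception applies."""
    if tx.amount_cents < LOW_VALUE_LIMIT_CENTS:
        return False
    if tx.mandate is not None and matches_mandate(tx, tx.mandate):
        return False
    return True

def sca_satisfied(factors: Tuple[Factor, ...]) -> bool:
    """Two factors of the same category (e.g. two passwords) do not count as two factors."""
    return len(set(factors)) >= 2

def authorise(tx: Transaction) -> str:
    """Outcome: 'approved-exempt', 'approved-sca', or 'challenge' (ask for more factors)."""
    if not sca_required(tx):
        return "approved-exempt"
    if sca_satisfied(tx.factors_presented):
        return "approved-sca"
    return "challenge"
```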
How to comply with PSD2 regulations?
Depending on the type of company, its business model, the technology it uses and so on, it will have to comply with the regulation in one way or another, although there are specific cases in which double authentication is not required. In any case, a company that accepts online payments generally does not need to make any changes itself, since the payment providers it uses have already implemented the systems needed to comply with PSD2.