Enacted by the European Union (EU) in 2007, the original Payment Services Directive (PSD, Directive 2007/64/EC) was designed to create a single payment market for the entire EU in response to the growth of online banking. It connected a new class of fintech organizations with existing banks and retailers in an effort to bring efficiency and innovation to an industry that had become stagnant. The European Commission proposed a revision in 2013; the revised directive, PSD2 (Directive (EU) 2015/2366), was adopted in 2015.
What is PSD2?
PSD2 is a regulatory framework intended to make payments across the EU secure, easy and efficient. It brings entities that access or aggregate payment account information under regulation, and it pushes financial institutions to improve the electronic banking experience through technology adoption and infrastructure modernization.
The revised directive introduces open banking to Europe by requiring banks to expose customer payment accounts through a dedicated interface, in practice Application Programming Interfaces (APIs). These interfaces are open to any Third-Party Provider (TPP) that is authorized or registered with a national competent authority, identifies itself to the bank with a qualified certificate, and acts only with the customer's consent, which the customer confirms through strong customer authentication (a form of multi-factor authentication, MFA).
What is the Purpose of PSD2?
PSD2 focuses on enhancing consumer protection and experience through modernization of the payments market and competition within the European payments industry.
At a high level, it has three main goals: improve consumer rights, strengthen e-commerce security, and regulate third-party access to consumer financial accounts.
Consumer rights are further protected by the PSD2 as it:
Requires clearer, more transparent terms, conditions and pre-contractual information for payment services.
Forces organizations to accept and resolve complaints in a timely fashion through specified methods.
Requires funds blocked on a card for a transaction whose final amount is not known in advance to be released without undue delay once the final amount is known.
Prohibits many surcharges.
PSD2 addresses authentication at two levels. Customers are verified through Strong Customer Authentication (SCA), a form of multi-factor authentication whose technical details are set out in the Regulatory Technical Standards (RTS) on SCA and secure communication (Commission Delegated Regulation (EU) 2018/389). Separately, the banks and third-party payment service providers (PSPs) that communicate over the APIs identify themselves with PSD2-specific qualified certificates issued under eIDAS: TLS certificates encrypt the connection and authenticate the endpoints, and seal certificates protect the integrity and origin of the data exchanged. SCA authenticates the customer; the certificates authenticate the institutions, and neither substitutes for the other.
PSD2 requires account-servicing institutions to give authorized TPPs access to a consumer's account data, aggregated data and payment initiation, but only with the consumer's explicit consent. Organizations and merchants can then obtain information directly from the bank when a payment is made, removing intermediaries. Large online retailers such as Amazon can benefit by confirming a customer's financial identity and the availability of funds at the time of payment.
What are PSD2 Requirements?
Under the SCA rules, a consumer must authenticate with two of three categories of factors, i.e. two-factor authentication (2FA), for electronic payments and online account access unless an exemption applies. The categories are knowledge, inherence and possession, and the two factors used must be independent, so that compromising one does not compromise the other:
Knowledge is something the consumer already knows, such as a password.
Inherence is something that is a part of the user, such as their fingerprint.
Possession is something only the user has, such as a phone running a code-generating app, a hardware token or the payment card itself.
Financial institutions including banks and Payment Service Providers (PSPs) use digital certificates to verify the roles for which they are licensed, to encrypt communications and in some cases to provide tamper proof seals on data or transactions.
Due to the sensitivity of financial services transactions, the PSD2 Regulatory Technical Standards (RTS) specify that only eIDAS (electronic identification, authentication and trust services) certificates issued by a Qualified Trust Service Provider (QTSP) may be used for the identification of PSPs.
PSD2 specifies two types of digital certificates for secure communications:
Qualified Website Authentication Certificates (QWACs), used with the TLS protocol (IETF RFC 5246 for TLS 1.2, RFC 8446 for TLS 1.3) to protect data in transit between the two parties and to identify who controls each endpoint. In PSD2 APIs the TPP typically presents its QWAC as a client certificate in a mutually authenticated TLS session.
Qualified Certificates for Electronic Seals (QSealCs), used to create electronic seals over data or documents with formats such as ETSI's PAdES, CAdES, XAdES or JAdES (for JSON), asserting that the content originates from a specific legal entity and has not been altered.
PSD2 certificates can only be issued by a QTSP, such as Sectigo, to legal persons holding a PSD2 authorization number issued by a National Competent Authority (NCA). The certificate carries that number in the subject's organizationIdentifier (in the form PSD<country>-<NCA id>-<authorization number>) and a QCStatement listing the PSP roles the holder is licensed for (account servicing, payment initiation, account information or card issuing), as specified in ETSI TS 119 495. A bank's API gateway should check both before serving a TPP request.
Are There Any PSD2 Exemptions?
PSD2 contains several exemptions to its requirements, and many of them concern the payment amount. Remote transactions of 30 euros or less can be exempted, subject to cumulative limits of 100 euros or five consecutive exempted transactions since the last SCA, as can subsequent payments in a series of recurring payments of the same amount to the same payee. Larger transactions may also be exempted under transaction risk analysis if the PSP (issuer or acquirer) can show that its fraud rate for that payment type is at or below the threshold set for the amount:
100 euros when the fraud rate is at or below 0.13%.
250 euros when the fraud rate is at or below 0.06%.
500 euros when the fraud rate is at or below 0.01%.
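An added example, not code from the original page or from any issuer, of how these exemptions combine on the issuer side for a remote card payment. It applies the trusted-beneficiary whitelist (RTS Art. 13), the low-value exemption with its cumulative limits (Art. 16) and the transaction-risk-analysis bands (Art. 18), and keeps the per-card counters the low-value exemption depends on. The fraud rates and card histories are constructed; a real issuer takes them from its fraud monitoring and must also run the per-transaction risk checks Art. 18 requires, which are reduced here to the caller's `low_risk` flag.

```python
# Added example: issuer-side SCA exemption decision under the RTS on SCA
# (Commission Delegated Regulation (EU) 2018/389). Inputs are constructed.
from dataclasses import dataclass, field

# Art. 18: (maximum reference fraud rate, maximum exemptable amount in EUR)
TRA_BANDS = [(0.0001, 500), (0.0006, 250), (0.0013, 100)]
LOW_VALUE_MAX = 30            # Art. 16(a): single transaction limit
LOW_VALUE_CUMULATIVE = 100    # Art. 16(b): amount exempted since last SCA
LOW_VALUE_COUNT = 5           # Art. 16(c): consecutive exempted transactions


@dataclass
class CardState:
    """Per-card counters the issuer must keep for the low-value exemption."""
    amount_since_sca: float = 0.0
    count_since_sca: int = 0
    trusted_beneficiaries: set = field(default_factory=set)


def tra_threshold(fraud_rate):
    """Largest exemptable amount for a PSP with the given reference fraud rate."""
    for max_rate, amount in TRA_BANDS:
        if fraud_rate <= max_rate:
            return amount
    return 0


def decide_sca(amount, merchant, state, issuer_fraud_rate, low_risk=True):
    """Return (sca_required, reason) and update the card's counters.
    Any transaction that skips SCA adds to the Art. 16 counters; applying SCA resets them."""
    if merchant in state.trusted_beneficiaries:
        reason = "trusted_beneficiary"
    elif (amount <= LOW_VALUE_MAX
          and state.amount_since_sca + amount <= LOW_VALUE_CUMULATIVE
          and state.count_since_sca < LOW_VALUE_COUNT):
        reason = "low_value"
    elif low_risk and amount <= tra_threshold(issuer_fraud_rate):
        reason = "tra"
    else:
        state.amount_since_sca, state.count_since_sca = 0.0, 0
        return True, "sca_required"
    state.amount_since_sca += amount
    state.count_since_sca += 1
    return False, reason


def run_history(payments, issuer_fraud_rate, trusted=()):
    """Replay a constructed payment sequence for one card; returns the reasons."""
    state = CardState(trusted_beneficiaries=set(trusted))
    return [decide_sca(a, m, state, issuer_fraud_rate)[1] for a, m in payments]


if __name__ == "__main__":
    # Issuer fraud rate 0.2%: above every TRA band, so only Art. 13 and 16 apply;
    # the fifth 25 euro payment breaches the 100 euro cumulative limit.
    print(run_history([(25, "cafe")] * 5 + [(40, "shop")], 0.002))
    # Issuer fraud rate 0.005%: TRA allows up to 500 euros without SCA.
    print(run_history([(450, "shop"), (600, "shop")], 0.00005))
```

The counters are the piece most often got wrong in practice: the cumulative 100 euro and five-transaction limits count every transaction since the last SCA, whichever exemption it used, and they only reset when SCA is actually applied.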
Who Must Comply with PSD2?
Although the revision was proposed in 2013, PSD2 was adopted in 2015 and applied from 13 January 2018; its SCA requirements took effect on 14 September 2019, with enforcement for e-commerce card payments phased in until the end of 2020.
The directive was aimed at all financial service providers, banks and TPPs within the EU. TPPs can be entities like app developers, fintech programmers or retail merchants.
Although the United Kingdom (UK) is no longer part of the EU, it implemented PSD2 in national law (the Payment Services Regulations 2017) and the requirements still apply to applicable entities within the country. The UK did not adopt every provision, however, and did not legislate for the PSD2 requirements on pricing transparency for foreign currency transactions.
Consumers also have some choice within the legislation: they can whitelist specific merchants they trust (the trusted-beneficiaries exemption), after which payments to those merchants no longer require SCA each time.
What Does PSD2 Mean for Banks?
Much of the regulatory impact of PSD2 is on banks. There are a few major changes from PSD1 in this revision, requiring banks to do the following:
Apply SCA, with authentication measures proportionate to the risk of the transaction.
Share account information and aggregate data with TPPs while setting up all of the internal infrastructure to properly interact and securely transfer the information.
Introduce dispute resolution procedures that comply with the timeframes and reporting requirements of the regulation.
Although this regulation introduces significant requirements for banks, it also promotes a level of innovation that can be advantageous and eventually filter outside of the EU.
Where is PSD2 Applicable?
PSD2 applies throughout the EU and the wider European Economic Area (EEA). The SCA requirement is mandatory only where both the payer's and the payee's payment service providers (for card payments, the issuer and the acquirer) are located in the EEA; for "one-leg" transactions with a party outside the EEA, the EEA provider applies SCA on a best-effort basis. In practice many European institutions apply the rules regardless of where the merchant or customer is located, so any merchant doing business in the EEA should expect SCA to be applied.
How does PSD2 Affect the U.S.?
PSD2 applies to EEA organizations. However, many U.S. organizations could see an impact of the regulation including the following:
Any U.S. business with locations within the EU.
Any U.S. business that has transactions with EU citizens.
Any U.S. business that does significant business with EU organizations.
Although the provisions do not directly bind U.S. organizations, compliance will often still be required in practice for large multinational organizations or those that meet one of the criteria above.
Additionally, any U.S. business with entities in the EU will need to ensure that those European entities are PSD2-compliant and SCA-ready. Otherwise they risk falling authorization rates and outright declined payments, which cause customer dissatisfaction and business disruption.