PSD2 Compliance: What You Need to Know

Contributors

Anas Baig

Product Marketing Manager at Securiti

Syed Tatheer Kazmi

Associate Data Privacy Analyst, Securiti

CIPP/Europe

Digital commerce is one of the fastest-growing markets in the world, with an expected total transaction value of US$6.03tn in 2023 according to published statistics. These figures illustrate how money flows across the globe today. In response, regional regulatory authorities have enacted regulations and standards that establish guardrails for customers’ financial data. These legal provisions and frameworks hold financial services, payment services, and banking institutions accountable for customer data protection and privacy.

The Revised Payment Services Directive (PSD2) is one such regulation that aims to make electronic payments safer while contributing to the integrated electronic payment market. One key aspect that makes PSD2 a fairly distinct yet much-needed regulatory framework in the current era is the regulation of open banking practices. After all, third-party access to sensitive bank account credentials is a serious concern among many consumers, although it is necessary for innovation.

Read on to explore more about PSD2 compliance, the regions and businesses it impacts, its primary regulatory requirements, and what businesses must do to ensure compliance.

What is the Revised Payment Services Directive (PSD2)?

PSD2 stands for the second, or revised, Payment Services Directive. It is the amended version of the initial PSD, which took effect in 2007 and sought to unify the European Union (EU) payment market and to regulate payment services and payment service providers. Since then, the retail payments market has seen notable technological innovation, marked by a swift increase in electronic and mobile payments and the emergence of new payment services. These developments posed challenges to the existing framework. The PSD was revised in 2009, focusing on charges for cross-border and national payments in euros, and again in 2012, with updates to the rules on cross-border payments and multilateral interchange fees.

The proposed amendments (PSD2) were introduced in 2013 by the European Commission, seeking to enhance the initial objectives while proposing improvements for customer protection, increased business competition, promoting a level-playing field, and reinforcing payment transaction security.

After multiple extensions to the enforcement deadline, PSD2 became applicable in January 2018. At its core, the regulation introduces some important business-focused regulatory standards: Strong Customer Authentication (SCA), open APIs for third-party access, increased transparency, quick resolution for customer complaints, and removal of credit card surcharges.

PSD2 Timeline

Here’s a quick look at the complete PSD2 timeline from its inception to its enforcement:

2007 - The first Payment Services Directive went into effect. The directive establishes rules for all types of electronic and non-cash payments across the European Economic Area.

2013 - A proposal for the second Payment Services Directive (PSD2) was put forward by the European Commission (EC) to address the demand for new types of payment services and payment methods.

2015 - The EU adopted PSD2 to improve the existing rules and take new digital payment services into account.

2018 - PSD2 became applicable. It includes provisions to facilitate and secure internet payment services, protect consumers from fraud and payment problems, encourage innovation in mobile and internet payments, reinforce consumer rights, and strengthen the European Banking Authority's (EBA) role in supervisory coordination and in drafting technical standards.

2019 - Strong Customer Authentication (SCA) requirements of PSD2 came into force.

Which Regions/Entities Require PSD2 Compliance?

PSD2 applies directly to payment service providers, including banking institutions and payment processors operating in the European Economic Area (EEA). However, the Directive can reach further, including organizations outside the EU. For instance, multinational organizations with operations in the EU are impacted by PSD2. Similarly, businesses that transact with EU citizens, or that collect and process the payment transactions of EU citizens from outside the EU, may fall within its scope.

It is also critical to note that businesses with regional units in the EU member nations must ensure their regional units are PSD2 compliant. In case of non-compliance, organizations may face continuous disruption with payment transactions or authorizations. This raises legal concerns and may cause significant dissatisfaction among customers.

Why Must Businesses Comply With PSD2 Regulations?

As mentioned above, businesses are obliged to comply with the Directive to avoid legal consequences. PSD2 compliance also builds trust among consumers, as it demonstrates an organization's practices and policies regarding customers’ data protection and privacy. Beyond avoiding penalties, businesses reap a number of other benefits from PSD2 compliance.

For instance, PSD2 gives businesses a robust mechanism for protecting customer data. Strong Customer Authentication (SCA) is an effective defense against fraud and unauthorized access to sensitive assets, such as bank accounts. By demonstrating compliance, businesses can reassure their customers that their transactions and financial data are protected.

Similarly, with provisions concerning open APIs, PSD2 opens doors to more business opportunities. These APIs allow Account Information Service Providers (AISPs) to access customers’ data once their consent is obtained. With access to customer data, businesses can widen their intelligence around customer insights to improve product experiences, decision-making, and service offerings.

All in all, compliance with the Payment Services Directive isn’t just a legal requirement. In fact, it is a strategic move to foster innovation and open doors to increased business opportunities. It can help businesses rise and stay at the top of the competitive digital payment market.

What Are the Primary PSD2 Compliance Requirements?

Let’s look at the most important requirements set out in the Directive.

Consent

Provisions related to consent are set out in Article 64 of the Directive. The Directive gives consumers more control over payment authorizations: a payment transaction is considered authorized only when the payer (the payment service user or consumer) has given explicit consent to it. The form of that consent is left to be agreed between the payer and the payment service provider, and the payer may give consent either before or after the execution of the transaction. In the absence of valid consent, a payment transaction is considered unauthorized. The payer may withdraw consent at any time; however, once a payment order has been received by the payer's payment service provider, the payment service user can no longer revoke it. Withdrawal of consent for a series of payment transactions renders any future transactions in that series unauthorized.

Payment Initiation Services

Payment initiation services (PIS) enable users to initiate payment transactions directly from their bank accounts, bypassing the need for credit or debit cards. Through a secure channel provided by third-party payment service providers (PSPs), consumers authorize payments to merchants or other service providers.

Under Article 66 of the Directive, these service providers shall:

  1. Refrain from holding the payer’s funds;
  2. Ensure the safety of the personalized security credentials of payment service users;
  3. Provide payment service user information obtained during payment initiation services only to the payee, and only with the explicit consent of the user;
  4. For each initiated payment, securely identify themselves to the payer's account servicing payment service provider and engage in secure communication with the payer and the payee;
  5. Not store the payment service user’s sensitive payment data;
  6. Request only the minimum information necessary from the user;
  7. Not use, access, or store any data for purposes other than providing the payment initiation service explicitly requested by the payer;
  8. Not modify the amount, the payee, or any other feature of the transaction.

Account Information Services

An account information service is a type of regulated service that provides consolidated information on payment accounts held by a payment service user with various payment service providers. It enables users and businesses to get a global view of their data by aggregating it in a single place. Article 67 of the Directive gives clear guidelines with respect to access rules. The Account Information Service Providers shall:

  1. Provide services based on the explicit consent of the payment service user;
  2. Ensure the safety of the personalized security credentials of payment service users;
  3. For every communication session, securely identify themselves to the account servicing payment service provider(s) of the payment service user and establish secure communication with both the account servicing payment service provider(s) and the payment service user;
  4. Access only the information from designated payment accounts and associated payment transactions;
  5. Not request sensitive payment data linked to the payment accounts;
  6. Refrain from using, accessing, or storing any data for purposes other than performing the account information service explicitly requested by the payment service user.

Security Measures

To seek authorization as a payment institution, an application must be submitted to the competent authorities of the home Member State. The application should include a security policy document comprising a thorough risk assessment related to payment services and a description of security controls and mitigation measures to safeguard payment service users from identified risks, such as fraud and illegal use of sensitive data. The document must outline the applicant's assurance of maintaining a high level of technical security and data protection, encompassing software and IT systems used by the applicant or any outsourced entities handling its operations.

Incident and Breach Reporting

In the event of a significant operational or security incident, payment service providers must, without undue delay, notify the competent authority in their home Member State. If the incident affects the financial interests of payment service users, the provider must, without undue delay, also inform users of the incident and suggest measures to mitigate its adverse effects. Upon receiving this notification, the competent authority of the home Member State must expeditiously share relevant details of the incident with the European Banking Authority (EBA) and the European Central Bank (ECB). Additionally, after evaluating the incident's relevance, the competent authority notifies other relevant authorities in that Member State without undue delay.

Record Keeping

According to Article 21 of PSD2, Member States shall require payment institutions to maintain all relevant records for a minimum period of five years.

Strong Customer Authentication (SCA)

The Directive sets out strict provisions for streamlining digital payments and protecting payers' financial information. The Strong Customer Authentication (SCA) provision is laid out in Article 97 of the Directive. For electronic remote payment transactions, Member States must ensure that payment service providers apply strong customer authentication, and that this authentication includes elements that dynamically link the transaction to a specific amount and a specific payee. The provision goes beyond traditional credit card validation (CCV) authentication and requires a stronger authentication mechanism. This is where multi-factor authentication comes into play.

Multi-factor authentication (MFA) adds a layer of security, helping ensure that the person accessing the account or making the transaction is indeed its rightful owner. The Directive defines SCA as authentication based on two or more elements. These elements must be independent, so that a breach of one does not compromise the reliability of the others, and the design must protect the confidentiality of the authentication data. The elements fall into three categories:

  • Knowledge - something only the user knows, such as a username or password.
  • Possession - something only the user possesses, such as a card or a code generator.
  • Inherence - something the user is, such as biometric data like a fingerprint.

Member States must ensure that a payment service provider applies strong customer authentication when the payer:

(a) Accesses its payment account online;
(b) Initiates an electronic payment transaction;
(c) Carries out any action through a remote channel that may imply a risk of payment fraud or other abuses.

The authentication is generally carried out over encrypted APIs and channels to protect the payment transaction.
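The two SCA properties described above, independent elements and dynamic linking to the amount and payee, can be illustrated in code. The following is an added example, not code from the article or from Securiti: a knowledge element (a password hash) and a possession element (an HMAC-SHA256 code computed by the payer's device over the amount, payee and a per-transaction challenge). `DEVICE_KEY`, `PAYER_SALT`, the sample password and the sample IBANs are constructed placeholders, and HMAC-based linking is one possible implementation, not a mechanism prescribed by the Directive.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this example only (placeholders, not real credentials).
DEVICE_KEY = bytes(range(32))   # possession element: key shared by the payer's device and the ASPSP
PAYER_SALT = b"constructed-salt"
PAYER_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PAYER_SALT, 100_000)


def canonical_payload(amount_cents: int, currency: str, payee_iban: str, challenge: bytes) -> bytes:
    """Unambiguous encoding of the details the code must be bound to.

    Length prefixes prevent two different (amount, payee) pairs from encoding to the same bytes.
    """
    fields = [str(amount_cents).encode(), currency.encode(), payee_iban.encode(), challenge]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def authentication_code(key: bytes, amount_cents: int, currency: str, payee_iban: str, challenge: bytes) -> str:
    """Code the payer's device computes over the amount and payee it displayed (dynamic linking)."""
    payload = canonical_payload(amount_cents, currency, payee_iban, challenge)
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_possession(key: bytes, code: str, amount_cents: int, currency: str,
                      payee_iban: str, challenge: bytes) -> bool:
    """ASPSP side: recompute over the transaction it is about to execute; any change fails."""
    expected = authentication_code(key, amount_cents, currency, payee_iban, challenge)
    return hmac.compare_digest(expected, code)


def verify_knowledge(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Knowledge element, checked independently of the possession element."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, stored_hash)


def sca_authorize(password: str, code: str, amount_cents: int, currency: str,
                  payee_iban: str, challenge: bytes) -> bool:
    """Both elements must pass; both are always evaluated so the result reveals which one failed to nobody."""
    knowledge_ok = verify_knowledge(password, PAYER_SALT, PAYER_PASSWORD_HASH)
    possession_ok = verify_possession(DEVICE_KEY, code, amount_cents, currency, payee_iban, challenge)
    return knowledge_ok and possession_ok


def demo() -> dict:
    """Genuine transaction versus tampered amount, swapped payee, wrong password and replayed code."""
    challenge = secrets.token_bytes(16)  # per-transaction value issued by the ASPSP; defeats replay
    amount, currency, payee = 15000, "EUR", "DE89370400440532013000"  # constructed sample IBAN
    code = authentication_code(DEVICE_KEY, amount, currency, payee, challenge)
    return {
        "genuine": sca_authorize("correct horse", code, amount, currency, payee, challenge),
        "payee_swapped": sca_authorize("correct horse", code, amount, currency, "DE02120300000000202051", challenge),
        "amount_changed": sca_authorize("correct horse", code, 150000, currency, payee, challenge),
        "wrong_password": sca_authorize("wrong", code, amount, currency, payee, challenge),
        "replayed_code": sca_authorize("correct horse", code, amount, currency, payee, secrets.token_bytes(16)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} -> {'authorized' if ok else 'rejected'}")
```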

What are the PSD2 Penalties Against Non-Compliance?

PSD2 takes a flexible approach to penalties for non-compliance. Under Article 103 of the Directive, Member States lay down their own rules on penalties for infringements of the national law transposing the Directive and must take all necessary measures to ensure they are implemented. These penalties must be effective, proportionate, and dissuasive. Moreover, any penalty or measure imposed for an infringement must be publicly disclosed unless disclosure would seriously jeopardize the financial markets or cause disproportionate damage to the parties involved.

Automate PSD2 Compliance with Securiti PrivacyOps

PSD2 fosters open banking by requiring banking institutions to open their services to third-party providers. While open banking can improve the customer experience and make payment transactions seamless, it also puts customers’ sensitive financial data at risk.

PrivacyOps, part of Securiti’s Data Command Center, enables banks and financial institutions to protect their customers’ sensitive data while meeting their compliance obligations in a unified manner. The solution provides a single view of sensitive data across all clouds, enabling you to classify data, link financial data to consumers, identify risks, and implement robust security, governance, and compliance controls.

Request a demo to see Securiti PrivacyOps in action.
