The EU wants to make payment processes for online shopping and transfers in online banking easier, cheaper and, above all, more secure. The PSD 2 directive (Payment Service Directive 2) and the associated strong customer authentication (SCA) are intended to implement this from September 14, 2019.

What is PSD 2 or Payment Service Directive 2?

With the Payment Service Provider Directive PSD2, the EU Commission launched a new directive, the main features of which have been in force since January 2018. From September 14, it should apply in full and without exception to online shops and banks or payment service providers.

While PSD 1 of 2007 formed the legal basis for the SEPA model, among other things, PSD 2 is intended to regulate active online payment methods and transfers. Security and the avoidance of fraud and data misuse are the top priorities here. For merchants, Account Information Sharing with Third Parties and Strong Customer Authentication are now especially important. But more on that later.

Why the PSD 2?

Digitization plays an important role for retailers and customers today. Even if a customer can transfer the invoice amount at their local bank branch after making an online purchase, more and more consumers are turning to digital payment options. But the digital economy in Europe has brought more and more services and forms onto the scene that are no longer covered by PSD 1. Rising cybercrime and the growing number of online shops simply require a guideline that ensures more security for both retailers and customers. This not only affects payments within the EU, but also transfers to non-EU countries and in other currencies.

In addition to the safety aspect, the directive is also intended to promote innovation and competition. The most advanced payment service provider will win, which can only accelerate new developments.

## How the Payment Services Directive 2 works

1.) XS2A: The interface to the customer account

XS2A is the access-to-account interface between the retailer and the customer. With PSD 2, the online shop receives confidential permission to access the online banking of its customers, or rather the decisive account information, and to initiate the payment. A shop that is certified as a trustworthy dealer in online banking only needs this declaration of consent once and only up to a certain financial limit. The shop does not receive any access data for the customer's online banking, but can only initiate the payment on behalf of the customer directly at the bank.

2.) SCA: Strong customer authentication

Strong Customer Authentication (SCA) comes into play when a customer wants to make an online payment or transfer. Verification consists of at least two of the elements "knowledge", "possession" and "inherence". This makes it a form of two-factor authentication (2FA), which keeps getting stronger. For example, the combination of PIN (knowledge) and fingerprint (inherence) is particularly popular.

A remote payment process, for example a transfer in online banking or payment by credit card on the Internet, requires strong customer authentication from September 14th. Previous authentication methods must also be expanded with a so-called dynamic link in relation to recipient and amount and other security features.

In the past, sending a TAN to a previously verified mobile phone number and entering it for verification was sufficient. Now the TAN must also be linked to the payment amount and the payee in a way that is visible to the recipient of the TAN. Manipulation of this payment data would then invalidate the transmitted TAN. Older TAN procedures without dynamic linking had to be abolished and are no longer applicable within the scope of PSD 2. Many customers will have already noticed changes at their bank.

Regardless of the type of remote payment transactions:

  • The authentication code may only be used once
  • It must not be possible to generate a new authentication code based on the code
  • It must be ensured that the code cannot be forged
  • The code must not be based on any of the secure elements explained below, such as "knowledge", "possession" and "inherence" and the associated information
  • Communication processes must be protected against unauthorized data access and manipulation
  • It must be possible to detect fraudulent transactions before they are carried out, and to block them or avoid them altogether
  • Additional mechanisms must restrict access to a payment system for a time (e.g. after failed attempts)
  • The security of the respective authentication procedure is regularly tested and evaluated by internal or external, certified auditors.
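
The dynamic linking and single-use requirements described above can be illustrated with a small issuer-side model. This is an added example, not code from the original article or from any bank or payment service provider; the class name, the 8-digit truncation and the sample IBAN-like payee strings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


class DynamicLinkIssuer:
    """Hypothetical issuer model: codes are bound to amount + payee and usable once."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side secret, never sent to the client
        self._pending = {}                   # tx_id -> nonce of the outstanding challenge

    def _code(self, tx_id, nonce, amount, payee):
        # tx_id and nonce are server-generated; the payee comes last, so a
        # separator inside it cannot shift the other fields.
        msg = "|".join([tx_id, nonce, f"{Decimal(amount):.2f}", payee]).encode()
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        # Truncated to 8 digits for display (an illustrative choice, not a standard).
        return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"

    def issue(self, tx_id, amount, payee):
        """Create a challenge and return the code delivered to the payer's device."""
        nonce = secrets.token_hex(16)        # fresh per challenge, so codes do not repeat
        self._pending[tx_id] = nonce
        return self._code(tx_id, nonce, amount, payee)

    def verify(self, tx_id, amount, payee, code):
        """Check the code against the amount and payee submitted for execution."""
        nonce = self._pending.pop(tx_id, None)  # pop: single use, a replay finds nothing
        if nonce is None:
            return False
        expected = self._code(tx_id, nonce, amount, payee)
        return hmac.compare_digest(expected, code)  # constant-time comparison


if __name__ == "__main__":
    issuer = DynamicLinkIssuer()
    # Constructed sample data: the payer is shown 49.90 EUR to this payee.
    code = issuer.issue("tx-1", "49.90", "DE00EXAMPLE0001")
    print("unchanged payment:", issuer.verify("tx-1", "49.90", "DE00EXAMPLE0001", code))
    print("replayed code:    ", issuer.verify("tx-1", "49.90", "DE00EXAMPLE0001", code))
    code = issuer.issue("tx-2", "49.90", "DE00EXAMPLE0001")
    print("amount tampered:  ", issuer.verify("tx-2", "4990.00", "DE00EXAMPLE0001", code))
```

Because the key stays on the server and the nonce changes per challenge, seeing one code gives no way to derive another, and any change to the amount or payee after the payer approved it makes verification fail.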

The additional security elements:

Feature: possession

More Conversion with PSD 2: Exceptions to Strong Customer Authentication

Exceptions to strong customer authentication are intended to minimize the effort on the part of retailers and consumers. After all, despite all security, smooth payment transactions must be guaranteed and e-commerce must be promoted and not hindered. The most relevant exceptions are:

Low risk transactions

This exception is based on the provider's transaction monitoring measures, which react to abnormalities in a transaction. Only if anomalies are detected, for example in location information, purchase patterns or the behavior of the buyer, is authentication necessary again. Depending on the type of transaction, the fraud rate in the respective product group is also relevant for the Payment Service Provider (PSP).

Trusted Beneficiaries (Merchant Whitelisting)

If the payer has specified trustworthy payees via his PSP or his bank, the strong authentication only has to be carried out initially and once.

Low value transactions

If the value of the transaction is not more than EUR 30 and the cumulative amount of the last 5 transactions since the last authentication process does not exceed EUR 100, the consumer is exempted from a new verification.
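
The low-value rule above is stateful: the decision depends on what has been paid since the last authentication. The following sketch is an added example, not part of the original article or any provider's implementation. It assumes that the limits are counted per payment instrument, that at most 5 exempted payments are allowed between authentications, and that a required SCA succeeds and resets the counters; all names are hypothetical.

```python
from decimal import Decimal

LOW_VALUE_LIMIT = Decimal("30")    # per-transaction ceiling in EUR (from the text above)
CUMULATIVE_LIMIT = Decimal("100")  # ceiling on the running total since the last SCA
MAX_EXEMPT_COUNT = 5               # exempted payments allowed since the last SCA


class LowValueExemption:
    """Hypothetical per-instrument counters deciding whether SCA can be skipped."""

    def __init__(self):
        self.total = Decimal("0")
        self.count = 0

    def requires_sca(self, amount):
        """Return True if this payment needs SCA; updates the counters either way."""
        amount = Decimal(amount)
        if amount <= 0:
            raise ValueError("amount must be positive")
        exempt = (
            amount <= LOW_VALUE_LIMIT
            and self.count < MAX_EXEMPT_COUNT
            and self.total + amount <= CUMULATIVE_LIMIT
        )
        if exempt:
            self.total += amount
            self.count += 1
            return False
        # Assumption: the SCA is performed successfully, which resets both counters.
        self.total = Decimal("0")
        self.count = 0
        return True


def decide(amounts):
    """Run a sequence of amounts through a fresh tracker; True means SCA required."""
    tracker = LowValueExemption()
    return [tracker.requires_sca(a) for a in amounts]


if __name__ == "__main__":
    # Constructed sample sequences.
    print(decide(["10"] * 6))            # count limit reached on the sixth payment
    print(decide(["30", "30", "30", "30"]))  # cumulative limit exceeded on the fourth
```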

Recurring transactions

If a series of recurring payments are made for the same amount to the same payee, the SCA will only be applied to the first transaction and not to subsequent payments. This applies to subscriptions, for example.

## What are the benefits of PSD 2 for online retailers?

  1. A trusted online retailer is whitelisted faster and much more likely to see a conversion boost.
  2. PSD 2 payments are of course designed and optimized for smartphones. This plays directly into the hands of the digitally oriented target group in particular.
  3. PSD 2 gives customers of an online shop more control over their payment methods. At the same time, the payment processes are streamlined for all parties. Cheers to the customer experience.
  4. The number of payment service providers is increasing significantly. The growing variety of offers is also reflected in the financial outlay for shop operators.
  5. The PSD 2 secure payment process reduces fraud rates. The trust of the customers in the shop of their choice increases and the loyalty is strengthened by the probable dealer verification.
  6. Customer information from payment initiation and other account information services offer new opportunities for cross-selling, product loyalty and credit evaluation. With the aggregated data, companies will be able to do more:
     • Optimize target products, pricing and cross-selling based on the aggregated view of all user spend streams.
     • Implement better risk management by accessing consolidated user payment trends.
     • Provide financing services based on analysis of trends, habits and aggregated financing opportunities.

What online retailers need to do now

Know what PSD 2 is all about

Information is the be-all and end-all. As with the GDPR, it is important to know exactly what is going on, or at least to turn to someone who knows.

Inform employees

PSD 2 is not a theme that can be implemented in an online shop with one click. And even if it could, the educational work is far from over. Both customers and employees will have questions and specialist knowledge is required.

Ensure low fraud rates

The lower the fraud rate for payment transactions in an online shop, the higher the probability that strong customer authentication does not have to be used in the first place. Those who ensure security beforehand have less to do afterwards.

Proceed in an orderly manner

The important thing is that the payment service providers and the banks must guarantee the development of their services. Only the integration into the shop system is up to the online retailer. A roadmap of when and how the implementation is to be carried out keeps the effort on the key date within limits.

Pay please, but how?

There will also be different payment methods as part of PSD 2. Some are more convenient for customers, while others are not. Anyone who keeps an eye on innovations and the wishes of their customers will be rewarded with trust and increasing conversion.

So much new data

With payment service providers according to PSD 2, a shop gets approved insight into certain account data of its customers. This allows cross-selling and personalized offers to be created. A real sales boost.

Inform the customer

If a customer is suddenly supposed to give an external service provider access to his account, things get tricky. Ideally, the shop has reassuring information on offer, because the service provider does not access the online banking itself, but only the relevant account service information. With the right information strategy directly in the shop and in customer service, any problems can be resolved before they arise. Nobody likes abandoned carts.


Merchants are required to integrate the changed processes of the PSPs into their systems and into their checkout process by the deadline.