
Are you ready for PSD2?


The EU’s new payment service directive, PSD2, did not create much of a stir when it was introduced in May of last year. But soon the new law will start to affect our everyday life and online merchants who don’t fulfill the new security requirements after December 31st could pay a steep price. Here is everything you need to know about the new law and how it affects you as an online merchant.

The idea behind the new directive is partly to protect consumers from fraud, but also to promote innovation in payments and financial services. To spur innovation, PSD2 has taken away the banks’ monopoly over their customers’ account information: bank customers are now free to give third-party providers access to their account details and let them initiate payments directly from their accounts.

In this way, PSD2 gives consumers full control over their own account information, and banks are obliged to give any third-party provider that fulfils the legal requirements access to their platforms through APIs.

This new system, often referred to as Open Banking, is still in its early stages and most observers expect that the intended “boom” of new payment and account information services is still a few years away. Already this September, however, we will see a more tangible effect of the new directive.

Stronger payment security

In order to prevent fraud, PSD2 contains new security regulations for digital payments that come into effect on December 31st. At the heart of these regulations are what is called strong customer authentication (SCA) and secure communication.

The requirements for secure communication primarily affect the underlying payment infrastructure and won’t be visible to the average merchant or consumer. The requirements for strong customer authentication, on the other hand, affect online merchants and consumers in a more direct way.


What is strong customer authentication?

On a practical level, strong customer authentication means that customers have to identify themselves using at least two of the following three factors when making any digital payment or logging into their bank account.

  • Knowledge
    Something that only the customer knows, like a password or PIN.
  • Possession
    Something that the customer owns, like a phone or a card.
  • Inherence
    Something that the customer “is”, for example biometric features like face recognition or fingerprint.

This means that consumers, in practice, will no longer be able to make a card payment online by using only the information on their cards. Instead they will have to, for example, verify their identity on a bank app that is connected to their phone and requires a password or fingerprint to approve the purchase.

There are, however, some transactions to which the SCA rules won’t apply. Orders placed through email and over the telephone are not subject to SCA rules, nor are merchant-initiated transactions (MIT). An MIT is a transaction initiated by the merchant instead of the cardholder, for example when a hotel stores card information and charges the guest for their mini-bar expenses after they have checked out.

Exemptions from SCA

To make things easier for both merchants and consumers, PSD2 allows for some exemptions from strong customer authentication. What’s important to note is that not every transaction that qualifies for an exemption will automatically be exempted. In the case of card transactions, for example, it’s the card-issuing bank that decides whether an exemption is approved or not. So, even if a transaction qualifies for an exemption, the customer might still have to complete a strong customer authentication if the card-issuing bank chooses to demand it.

  • Low value transactions
    This exemption will, most likely, be the most frequently used. The exemption says that if a customer makes a purchase for under 30 euros they can be exempted from making a strong customer authentication. This exemption is limited and if a customer makes five such transactions in a row or reaches a value of more than 100 euros, a strong customer authentication will always be required.
  • Subscriptions
    Another type of transaction that can be exempted is recurring and subscription payments where the sum for each transaction is the same. For these transactions a strong customer authentication will only be required when the customer first signs up for the subscription and not for every individual transaction.
  • Risk analysis
    Exemptions can also be made based on what is called “transaction risk analysis”. This means that a payment service provider, like Bambora, can be allowed to make exemptions for transactions that are deemed as “low risk” based on the requirements in PSD2’s technical standards. This exemption has a limit when it comes to transaction value and can only be applied if the payment service provider has a sufficiently low fraud rate for that specific type of transaction.
  • Whitelisting
    A final type of exemption is called whitelisted recipients. Whitelisting means that a consumer can register certain payment recipients as “trusted” with their card issuing bank. By doing that they won’t have to carry out a strong customer authentication when paying to that specific recipient.
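To make the scope and exemption rules above concrete, here is an added example (not Bambora's code, and not how any specific issuer implements it) of an issuer-side decision helper: it puts mail/telephone orders and MITs out of scope, applies the whitelist, subscription and low-value exemptions, and keeps the "five in a row / 100 euros" counters per card. The thresholds are the ones stated above; resetting the counters whenever SCA is performed is an assumption.

```python
from dataclasses import dataclass, field

# Thresholds as stated in the article for the low-value exemption
LOW_VALUE_LIMIT_EUR = 30.0      # below this, a single transaction may be exempt
CUMULATIVE_LIMIT_EUR = 100.0    # exempted amounts since the last SCA may not exceed this
CONSECUTIVE_LIMIT = 5           # exempted transactions in a row since the last SCA

OUT_OF_SCOPE_CHANNELS = {"mail_order", "telephone", "mit"}


@dataclass
class CardState:
    """Issuer-side state for one card (assumed bookkeeping, not a standard)."""
    exempt_count: int = 0            # low-value exemptions used since last SCA
    exempt_total_eur: float = 0.0    # value exempted since last SCA
    trusted_merchants: set = field(default_factory=set)  # whitelisted recipients


def sca_decision(state: CardState, amount_eur: float, merchant: str,
                 channel: str = "ecommerce", recurring_fixed: bool = False) -> str:
    """Return 'out_of_scope', 'exempt:<reason>' or 'sca_required'.

    recurring_fixed marks a follow-up charge of a fixed-amount subscription;
    the sign-up transaction itself is passed with recurring_fixed=False so
    that it goes through SCA, as the article describes.
    """
    if channel in OUT_OF_SCOPE_CHANNELS:
        return "out_of_scope"
    if merchant in state.trusted_merchants:
        return "exempt:whitelisted"
    if recurring_fixed:
        return "exempt:subscription"
    low_value_ok = (
        amount_eur < LOW_VALUE_LIMIT_EUR
        and state.exempt_count < CONSECUTIVE_LIMIT
        and state.exempt_total_eur + amount_eur <= CUMULATIVE_LIMIT_EUR
    )
    if low_value_ok:
        state.exempt_count += 1
        state.exempt_total_eur += amount_eur
        return "exempt:low_value"
    # SCA is performed for this transaction, so the low-value counters start over
    state.exempt_count = 0
    state.exempt_total_eur = 0.0
    return "sca_required"
```

The issuer remains free to demand SCA even when this helper returns an exemption; the function models the rules, not the bank's final risk decision.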

What merchants need to do to comply with PSD2

On December 31st, these rules will come into effect for all digital payments in Europe. Right now, banks, payment service providers and card networks are all working on technical solutions that will comply with the requirements for PSD2. To accept payments after September 14th you will have to make sure that these technical solutions will work with your online store.

Accepting payments from the world’s largest card networks, Visa and Mastercard, will require that you have implemented the security solution 3D Secure for your online store. 3D Secure has been used since 2001 to improve the security of online card transactions, but a new version has now been developed that can also handle the exemptions in PSD2.

Bambora has previously recommended that all our customers use 3D Secure, since it helps prevent fraud and also protects the merchant from liability in case of fraud. From September 14th it will also be a requirement for accepting payments from Mastercard and Visa cards. For you as a merchant it is therefore important to make sure that your payment service provider has implemented 3D Secure.

For customers that are using Bambora’s solution for online payments, Bambora Checkout, Bambora Online and Payform, this adjustment will be completely seamless. Before December 31st, we will implement 3D Secure for all our online merchants, allowing them to continue accepting card payments.
