How Does PSD2 Affect Your Business?
Regulators in the EU and UK have recently introduced substantial reforms to payment standards. Their aim was to establish a more harmonized, global banking standard, envisioning one universally accepted model. The Revised Payment Service Directive, commonly known as PSD2, is the most notable of these reforms.
Ideally, PSD2 should have ushered in an era of novel opportunities for businesses and consumers. However, like most major policy shifts, it falls a bit short of fulfilling all expectations set by regulators.
What is PSD2?
The Revised Payment Services Directive, or PSD2, is a set of regulations governed by the European Commission. Its primary objective is to supervise payment services and providers across the European Union and European Economic Area, enabling new players to function as financial institutions under proper regulatory control.
PSD2 builds upon its predecessor, pushing towards a more unified and competitive market. It eliminates obstacles for new payment services to enter the market, aiming to benefit consumers by fostering a more competitive landscape.
Moreover, PSD2 places significant emphasis on enhancing data security standards. It requires the implementation of Strong Customer Authentication protocols and broadens consumer rights in general. The directive puts a cap on the costs linked to card payments and insists on improved fraud protection for consumers.
What are AISPs & PISPs?
Under PSD2, open banking becomes a reality, ushering in exciting possibilities. Now, well-known platforms like Facebook and Google have the potential to deliver an array of innovative financial services to their users.
Account Information Service Providers, or AISPs, can, upon a customer’s permission, gain insight into that individual’s banking data. This access can be harnessed to study a user’s spending habits across one or more banks.
Payment Initiation Service Providers, known as PISPs, have the capability to initiate transfers without the need for direct bank intervention. Examples include services for peer-to-peer transfers or centralized bill payments, enabling customers to manage accounts from various banks in one place.
This emergence of AISPs and PISPs opens the doors for non-bank entities to offer specialized financial services, breaking away from conventional banking models. The idea is that these third-party providers can essentially “hitch a ride” on a bank’s established infrastructure. All of this is made feasible through the use of open APIs (Application Programming Interfaces).
What is Strong Customer Authentication (SCA)?
Strong Customer Authentication (SCA) is a fresh mandate introduced by the second Payment Services Directive (PSD2) with the goal of fortifying the security of electronic transactions.
SCA necessitates that banks carry out supplementary verification steps when consumers initiate payments to validate their identity. This process involves the banks seeking a blend of two different types of identification evidence at the payment gateway. The types could be:
- Knowledge: This refers to something only the user knows, like a password or a PIN.
- Possession: Something the user physically possesses, such as a mobile phone, card reader, or another device, typically proven by a one-time passcode delivered to or generated on that device.
- Inherence: Unique biological user traits, like a fingerprint, which are intrinsic to the individual.
What SCA Exemptions Are Allowed Under PSD2?
In essence, any entity that processes or manages payments within the EU or UK needs to adhere to the PSD2 regulations for the majority of transactions. However, certain scenarios may permit exceptions to this rule.
Exemptions to the Strong Customer Authentication (SCA) requirement might include:
- Low-Risk Payments: Transactions amounting to less than €30.
- Fixed-Amount Subscriptions: SCA applies only to the initial transaction.
- Trusted Beneficiaries: Businesses deemed as ‘trusted sources,’ such as utility providers. The list of such entities is maintained by the customer’s bank.
- Corporate Payments: Payments made on behalf of a centralized entity, including corporate travel expenses, meals, hotel bookings, and the like.
- Payments Made with Saved Cards: While customer authentication is mandatory, the bank retains the right to reject the transaction.
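To make the two rules above concrete, here is an added example (not from the original article) that checks whether presented evidence meets the two-distinct-categories requirement from the SCA section and then applies the exemption list above to a transaction. The factor-to-category mapping, the Transaction fields, the order in which exemptions are tested and the trusted-beneficiary set are all assumptions for illustration; the real RTS attaches further conditions (for example cumulative limits on low-value payments) that are not modelled here.

```python
from dataclasses import dataclass

# Assumed mapping of evidence types to the three SCA categories on this page.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "device_otp": "possession", "card_reader": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def satisfies_sca(presented):
    """True only when the evidence spans at least two *distinct* categories.

    Two knowledge factors (password + PIN) are still one category, so they fail.
    Unknown evidence types are ignored rather than counted.
    """
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2

@dataclass
class Transaction:           # illustrative shape, not a real PSP API
    amount_eur: float
    payee: str
    is_subscription: bool = False
    subscription_initial: bool = True
    corporate: bool = False
    saved_card: bool = False

def sca_exemption(tx, trusted_beneficiaries):
    """Return the label of the exemption that applies, or None if SCA is required.

    trusted_beneficiaries: the whitelist held by the customer's bank (constructed
    by the caller here). Saved-card payments are deliberately NOT treated as an
    exemption: the article says authentication remains mandatory for them.
    """
    if tx.amount_eur < 30:
        return "low_value"
    if tx.is_subscription and not tx.subscription_initial:
        return "fixed_amount_subscription"   # only the first payment needs SCA
    if tx.payee in trusted_beneficiaries:
        return "trusted_beneficiary"
    if tx.corporate:
        return "corporate_payment"
    return None                               # includes saved-card payments

if __name__ == "__main__":
    bank_whitelist = {"city-utility"}         # constructed sample
    print(satisfies_sca(["password", "pin"]))                       # False
    print(sca_exemption(Transaction(45.0, "shop"), bank_whitelist))  # None
```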
How Does PSD2 Affect Conversion?
The introduction of the new regulations caught the European market off guard. Increased customer drop-off rates and 3DS malfunctions are leading to unnecessary tensions between vendors and card users, who are now accustomed to smooth and hassle-free payment experiences.
A report by Forter suggests that a high percentage of 3DS authentication rejections stem from either technical glitches or issuer disapprovals. This hints that the payment infrastructure might not be adequately equipped to manage the changes brought about by the new regulation.
How Can Merchants Maximize Conversion While Remaining Compliant?
Merchants seeking to stay competitive and maintain PSD2 compliance may consider disabling any problematic 3DS technology for now, shifting their focus to alternative fraud prevention strategies.
It’s crucial for merchants to prevent fraud and chargebacks as they strive to bolster their profits, doing so in a manner that is ethical, smart, and practical.
Here are some strategies to consider:
Deploy Fraud Tools
Beyond 3DS, there are several other fraud prevention instruments to leverage, which can collectively fortify your transaction security. These could include AVS (Address Verification Service), CVV checks, and two-factor authentication, among others.
Perform Regular Audits
Carrying out frequent audits of all internal operations can help ensure that necessary actions are taken. Regular checks can help ascertain whether you’re keeping pace with tech advancements and if your staff is following the established guidelines.
Keep Software Up-to-Date
Outdated software can pose numerous challenges, particularly outdated fraud prevention systems that might miss new threats. Therefore, staying on top of all software updates and patches, and implementing them promptly, is crucial.