AMZ DIGICOM

Digital Communication

PSD2: the Payment Services Directive in brief

To protect consumers from unscrupulous companies, the European Commission adopted a revised version of the Payment Services Directive in 2015. What exactly is behind PSD2?

PSD2 directive: what is it?

PSD2 is a revised version of the Payment Services Directive (PSD), initiated in 2007. It was adopted by the Council of the European Union on November 16, 2015 and entered into force in 2019. It governs, at European level, payment transactions carried out by companies that are not considered traditional banks. The objective is to enable new players to offer innovative payment services over the Internet, and thereby both stimulate and regulate competition in the financial sector.

The Payment Services Directives, in versions 1 and 2, have several objectives:

  • Open up competition in payment services
  • Reduce costs for consumers
  • Control and strengthen start-ups in the financial technology sector (fintech)
  • Create more security when making online payments

Image: Explanatory infographic of PSD2 in brief
The main points of PSD2 summarized in an infographic.

The Payment Services Directive 2 in detail

Version 2 of the Payment Services Directive was adopted in 2017 and transposed into French law on July 25, 2018. One of the most important innovations is that banks must now allow other providers to access their customers' information, provided, of course, that the customer concerned has given consent.

Banks must provide an interface to authorized providers so that they can initiate transfers directly and obtain information on account balances and other financial details of customers.

In the fintech sector, some companies offer innovative software that lets users manage their assets. Applications for saving, taking out insurance or trading on the stock market need information from the bank. Since PSD2 entered into force, banks have been required to offer companies holding the corresponding certificates an interface through which these service providers can view the necessary information and make payments or transfers.

Note

Even with PSD II, companies cannot arbitrarily access your sensitive financial data: in addition to authorization from the authorities, service providers need your explicit consent to obtain data from your bank.

Although service providers have had access to bank account information in the past, they did not have uniform access to it. With PSD2, APIs must be developed so that communication takes place over secure interfaces. Internationally, where businesses have no API available, they have to rely on a technique called web scraping: the service provider extracts the information from the online banking provider's website. This method is unreliable and error-prone. This is why PSD2 requires banks to set up a secure account access interface (XS2A), which allows authorized service providers to access customers' banking information, provided the customers have given their explicit consent.

PSD2 also offers solutions so that sensitive data can be transferred via these interfaces without risk to consumers. Data security is guaranteed in two different ways:

  • QWAC: this certificate allows the provider and the bank to identify each other mutually. Additionally, QWAC encrypts the data transmission.
  • QSealC (seal certificate): the seal is linked to the data and attributes it to a company. This makes it possible to track afterwards which companies accessed the bank account via the interface and transferred data. Additionally, the seal ensures that changes to the data do not go unnoticed.

To apply for these licenses or seals, providers must obtain approval from a national supervisory authority; in France, this is the Prudential Control and Resolution Authority (ACPR). PSD2 allows the creation of two new services:

  • Account information service: service providers can obtain information about the customer's bank accounts.
  • Payment initiation service: the company holding this license can make payments or transfers at the customer's request from an account held at another PSP (Payment Service Provider).

What does the Payment Services Directive mean for online stores?

The Payment Services Directive largely concerns banks and other financial service providers. The general public has barely noticed the changes in the background. For online merchants, some technical adjustments were necessary, particularly in terms of security and authentication.

PSD2 from the user's point of view

PSD2 brought more security to payments. Licensing of technical solutions, together with monitoring by supervisory authorities, has ensured more reliable protection of sensitive data since the directive entered into force. In particular, the required two-factor authentication, for example via SMS with a TAN, is an important factor in this regard.

Note

With the introduction of two-factor authentication, the now obsolete iTAN lists are gradually being replaced for online banking. In this area too, banks are increasingly relying on SMS, apps or special TAN devices.

Online merchants & PSD II: what should you watch out for?

Many aspects of the Payment Services Directive 2 concern technical implementation, such as the two-factor authentication requirement and its associated mechanisms.

This requirement corresponds to the strong customer authentication required by PSD2. Customers must authorize the transfer of money with at least two factors from among: something only they know (e.g. password or PIN), something they possess (e.g. card or smartphone), or something inherent to the person (e.g. voice or fingerprint). This applies to all amounts over €30. If multiple purchases on a single day exceed a total value of €100, two-factor authentication (2FA) is required again, even if each individual item falls below the €30 threshold.

To be able to accept payments, operators of an online store usually work with a payment partner, which must implement the requirements of PSD2 in its system. Credit card schemes, for example, offer important measures with security procedures such as 3D Secure. E-commerce sellers simply need to ensure that their store correctly integrates such security procedures.

Strong customer authentication requirements do not apply to direct debits (also called pull payments), where the merchant initiates the payment by requesting the funds from the customer's bank. They only concern payments initiated by the customer (push payments), such as bank transfers or card payments. In these cases, the use of an enhanced security procedure is mandatory.
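To make the decision rules in the two paragraphs above concrete, here is an added worked example (not code from the original article or from any payment provider). It models the €30 single-payment threshold, the €100 daily cumulative rule, the push/pull distinction, and the requirement that the two factors come from two different categories. Amounts are kept in euro cents to avoid floating-point rounding. The way the merchant tracks the day's running total (a plain sum of the customer's earlier purchases, with the current purchase counted towards the limit) is an assumption made for the example; real exemption counters and their reset behaviour are not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the directive."""
    KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
    POSSESSION = "possession"  # something the customer has (card, smartphone)
    INHERENCE = "inherence"    # something the customer is (voice, fingerprint)


# Thresholds from the article, expressed in euro cents.
SINGLE_PAYMENT_LIMIT_CENTS = 30_00   # SCA required for any amount over €30
DAILY_TOTAL_LIMIT_CENTS = 100_00     # ...and once the day's purchases exceed €100


@dataclass(frozen=True)
class Payment:
    amount_cents: int
    # True for push payments (transfer, card), False for direct debit (pull).
    customer_initiated: bool


def is_strong_authentication(factors):
    """Two factors only count as SCA when they come from two different
    categories: a password plus a PIN is still a single (knowledge) factor."""
    return len(set(factors)) >= 2


def requires_sca(payment, daily_total_cents):
    """Decide whether SCA must be requested for this payment.

    daily_total_cents is the sum of the customer's earlier purchases today
    (assumption: the merchant keeps this running total per customer and day).
    """
    if not payment.customer_initiated:
        return False  # pull payments (direct debits) are out of scope
    if payment.amount_cents > SINGLE_PAYMENT_LIMIT_CENTS:
        return True
    # Low-value payment: still required once the day's total would exceed €100.
    return daily_total_cents + payment.amount_cents > DAILY_TOTAL_LIMIT_CENTS


def authorize(payment, daily_total_cents, factors):
    """Return True if the payment may proceed with the factors presented."""
    if not requires_sca(payment, daily_total_cents):
        return True
    return is_strong_authentication(factors)


def simulate_day(amounts_cents):
    """Run a constructed sequence of one customer's push payments for a day
    and return, per payment, whether SCA had to be requested."""
    total = 0
    decisions = []
    for amount in amounts_cents:
        decisions.append(requires_sca(Payment(amount, True), total))
        total += amount
    return decisions


if __name__ == "__main__":
    # Constructed sample: five €25 purchases; only the fifth pushes the
    # day's total past €100, so only the fifth needs SCA.
    print(simulate_day([25_00] * 5))
    print(authorize(Payment(40_00, True), 0, [Factor.KNOWLEDGE, Factor.KNOWLEDGE]))
    print(authorize(Payment(40_00, True), 0, [Factor.KNOWLEDGE, Factor.INHERENCE]))
```

The check in `is_strong_authentication` is the part merchants most often get wrong in practice: two prompts of the same kind (a password and a security question, say) satisfy a naive "two steps" rule but not the directive's "two categories" rule.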

Note

In France, two-factor authentication has been mandatory in online stores since May 15, 2021.

PSD2 also prohibits surcharging. Before the directive applied, it was common for merchants to charge a higher purchase price for credit card payments, so as not to bear the resulting additional costs themselves.

Evolution of the Payment Services Directive: from PSD I to PSD II

With the first version of the Payment Services Directive, the European Commission took a decisive step in the regulation of international payments. The PSD laid the legal foundations allowing non-bank service providers to operate in this sector, while harmonizing transactions on a European scale through the establishment of the SEPA area (Single Euro Payments Area), which aims to facilitate payments in euros within the EU. This directive thus ended the monopoly of credit institutions on payment services.

However, not every company can act as a payment institution. The Payment Services Directive sets strict criteria that such a provider must meet. Yet despite many clear rules, uncertainties remain and a certain margin of maneuver is left open; some of these problems have only appeared since the directive came into force.

With the PSD2 directive, the EU is trying to close these gaps and further improve consumer protection. This is done, for example, by issuing certificates or seals, which can only be obtained from approved organizations. PSPs must obtain authorization from a national banking authority.
