PSD2: What you need to know about the 2nd Payment Service Directive

In the past few years, the online payment landscape has changed considerably, driven by the rapid technology evolution. 

Consumers have become multi-devices and perform their online activities on both mobile and web applications. On the other hand, merchants must offer diverse payment options, trying simultaneously to increase processing speed and reduce consumer friction. Banks and online payment providers, then, are asked to set their bars high to grant customers protection from online fraud. 

This is just a brief explanation of why the European Commission proposed adapting the existing Payment Services Directive with an updated version, the 2nd Payment Service Directive (PSD2).

In this article, we give an overview of this new regulation, summarizing the key points banks and online payment providers must consider to ensure the best service for their customers.

PSD2 is a framework designed by the European Commission to reach three main objectives: 

• Contributing to a more integrated and efficient European payment market;
• Further leveling the playing field for payment service providers by including new players; 
• Enhancing European consumers' and businesses’ protection by making payments safer and more secure.

In short, the PSD2 fosters innovation and competition in retail payments while safeguarding the security of payment transactions and consumer data protection.

Players operating in the online payment market, such as banks, payment service providers, merchants, and consumers, will be affected by the new regulation and must meet the requirements by the deadline set at the European level. 

All European countries must comply with the Directive, as well as global companies that deal with European users.  

Achieving the defined goals means for companies to meet specific requirements the European Commission sets. Let’s go through them together.

Fortifying security with SCA 

The cornerstone of this regulation update is Strong Customer Authentication (SCA) compliance, which requires online banking customers to perform an extra authentication step before authorizing payments from their accounts.

Customer authentication is a process used to validate the user’s identity. It is considered to be strong if linked to:

- something only the user knows, like a password or a PIN;

- something only the user possesses, like a card or an authentication code-generating device;

- something the user is, like using a fingerprint or voice recognition. 

These elements are independent (the breach of one element does not compromise the reliability of the others) and designed in such a way as to protect the confidentiality of the authentication data.

For online payments, the security requirements also include a dynamic link to the amount of the transaction and the account of the payee, minimizing the risks for the user in case of mistakes or fraudulent attacks.

However, the Commission excludes the SCA requirement for certain payments, such as low-value payments at the point of sale, repeat payments, transactions between trusted parties, or specific remote transactions, like contactless payments. 

Transaction risk assessment 

PSD2 requires banks, online payment, and financial services providers to have the capability to monitor online transactions and assess the risk via clearly defined metrics.

This implies the practical need to adopt Transactional Risk Analysis (TRA) mechanisms to detect in real-time several risk indicators in a user session and thus minimize the risk of fraud.

Among others, the risk indicators must include the following:

• effective malware detection
• device compromisation
• application and content tampering
• behavioral anomalies

These risk indicators need to be generated in real-time to carry on an effective assessment of instant services, such as instant payments.

This is a key requirement to ensure the basic level of security for online customers and unlock effective implementation of SCA dynamics.

Opening doors for third-party providers

PSD2 represents a gateway for third-party payment service providers to enter the EU payments market. This is possible thanks to open banking, which allows third-party providers to access customers' account information via APIs (Application Programming Interfaces). 

The PSD2 strengthens the regulation of all such third-party payment service providers to grant an equal level of competitiveness with banks and a significant level of security for customers’ sensitive information. 

Navigating liability

Who's responsible in case of an unauthorized payment? PSD2 clarifies the rules. 

If an unauthorized transaction occurs through a payment initiation service provider, the account-servicing payment service provider must refund you. 

If the payment initiation service provider is at fault, immediate compensation is in order.

Empowering consumers

Enhanced consumer protection means immediate refunds for unauthorized transactions. Whether it's a lost wallet or a data breach, you're not held liable if you didn't know about the loss. 

No more surcharges

PSD2 prohibits merchants from charging extra fees for specific payment methods, ensuring fairness and transparency. The ban covers transactions within the European Economic Area, promoting a level playing field.

Transparency first of all

PSD2 strengthens the need for companies to provide transparent information to their customers to ensure conscious decisions. 

If the changes proposed by PSD2 are undoubtedly making life easier for customers by increasing their protection and facilitating their account data management for banks and payment providers, they represent a real challenge to face in the following years. 

Open banking ends the monopoly of users’ financial information, increasing competition and forcing traditional banks to rethink their services to retain loyal customers. 

Moreover, it opens up new fraud attacks that SCA can limit but can’t eliminate. 

In this context, having the proper fraud protection is paramount.

Achieving PSD2 compliance with traditional fraud management solutions presents several challenges, including:

• Missing malware detection capabilities for detecting signs of malware infection, either during the authentication phase or in any other phase;

• Required application changes that impact application development and affect the ability to deliver new business functions;

• Long implementation time and huge implementation effort caused by solution complexity and available integration approach.

Moreover, banks and financial institutions need to ensure that their fraud management system complies with privacy and data management regulations (e.g. GDPR in Europe, EPPA in California, LGPD in Brazil) to guarantee the correct use of customers’ data.

Cleafy fills the gap with a comprehensive fraud management platform that continuously monitors everything across all digital channels along the entire user journey, even before the authentication phase begins.

We enable banks and financial institutions to reach full PSD2 compliance thanks to four key capabilities of our platform: 

• Instant Payments protection
  Cleafy solution works in actual real-time and lets fraud management teams set rules to detect threats and automatically respond at scale.

• Transaction monitoring and risk analysis
  Cleafy patented technologies allows to monitor transactions and correlate in real-time hundred of risk indicators to evaluate the risk based on patterns and not generic risk scores 

• Advanced malware detection
  Cleafy’s malware detection has proven to be incredibly effective. Our Threat Intelligence Team, C-Labs, leverages our technology to discover even the most advanced zero-day malware around the world.

• Real-time risk-based SCA enablement
  With the possibility to see every single detail of the session and automate responses based on logical patterns, Cleafy enables banks to design the optimal security posture and trigger SCA only when is actually necessary.

• Open Banking Channel protection
  Monitoring API’s and correlating events across sessions means effective protection for open banking channels.

So far, we have helped many global brands to reach PSD2 compliance in a few months and, therefore level up the quality of service for their online customers, both in the retail and corporate banking space. 

If you want to learn more about how we can prepare you face PSD2, contact us. 

‍

‍

‍

‍

‍

‍

‍

‍

‍

Sources:

• The revised Payment Services Directive (PSD2) and the transition to stronger payment security (European Commission)
• PSD2 in a nutshell (PwC)