Here’s everything you need to know to make sure you’re in compliance with the Payment Services Directive (PSD2) by the end of 2020

There’s a good chance you’ve heard a lot of talk about the Payment Services Directive (PSD2) recently—and for good reason. It’s about to change the relationship between financial institutions, merchants, and consumers across the European Union (EU) and the European Economic Area (EEA) in a pretty massive way.

In this post, we’ll quickly review what PSD2 is as well as why PSD2 compliance is so important in today’s ever-evolving e-commerce environment, so you can be prepared for what the future of widespread open banking has in store for your business.

Explaining PSD2 in the simplest  way possible

If there’s one thing we’ve grown to accept these days, it’s that there’s no shortage of regulations, each with its own ominous-sounding acronym, challenging and changing the status quo of the e-commerce industry. This comes at a time when growing concerns around data privacy and payment security—in the face of new technological innovations—continue to be top-of-mind for regulators, financial institutions, merchants, and consumers. It was really only a matter of time until the broader rules of how we transact online had to fundamentally change.

So, what is PSD2 exactly? In short, it was developed to create a safer, more integrated European payments market, one that ultimately puts more control in the hands of consumers and sets a new standard for online payments across the EU. It was also conceived to even the playing field and increase cooperation and collaboration between banks and fin-tech players.

PSD2 officially went into effect on September 14, 2019. However, because of mounting technical difficulties and delays faced many key players—banks (issuers and acquirers), payments service providers (PSP), merchants, and other fin-tech institutions—when becoming PSD2-compliant, especially around the implementation of Strong Customer Authentication (see below), the European Banking Authority granted an extension for full implementation to the end of 2020.

Once implemented, the most notable changes affecting merchants will include:

Banning (certain) surcharges 

Merchants will no longer be allowed to pass through credit card transaction fees (“surcharges”) to their customers for payments made using “consumer” credit or debit cards—i.e. those issued in the name of the purchaser. Merchants will, however, still be able to pass on these surcharges for payments made using business or corporate cards—i.e. those issued in the name of corporate entity—when purchasing business-related goods or services.

Strengthening customer authentication 

PSD2 champions Secure Customer Authentication (SCA) and, thus, will require all customers to confirm their identity, assuring that they are the rightful owners of the credit or debit cards they are using to make purchases, via two-factor authentication (2FA). The objective here is to protect both consumers from fraud—due to credit card theft—and merchants from processing potentially fraudulent chargebacks.

As an additional safety measure, Visa and Mastercard will also require merchants to implement 3D Secure (3DS) and/or Apple Pay security solutions in their online and mobile stores.

After implementation, customers will be required to identify themselves via two of the following three methods (for payments made within the EEA):

1. Knowledge: Information that only the customer knows
   This includes: PIN codes, unique passwords, and confirming a credit card CVV code.
2. Possession: Objects that only the customer owns
   The includes: one-time passwords (OTP) sent via text, on-screen QR codes to be scanned by an authenticator app (i.e. Google Authenticator) on a registered device, or codes provided by an authenticator app that change every 60-seconds or less.
3. Inherence: Physical attributes that only exists within the customer’s physical being
   This includes: biometric features (i.e. fingerprint or face scanning) on a registered device.

Not all transactions will require strict SCA compliance. For a full list and explanation of the various exemptions, check out this useful documentation created by Visa.

What comes next? 

Obviously, there’s quite a bit that needs to happen before the end of the year to ensure that PSD2 goes into full effect. Here are some key milestones to keep top of mind:

• October 18, 2019: EMV 3DS 2.1 \ Mastercard mandate for issuers.
  Mastercard issuers can now reject (“soft decline”) authorizations made in the EEA for merchants that have not implemented 3DS V1. Once implemented, however, these authorizations can be resubmitted and authorized with 3D. This is known as “Step Up.”
• March 14, 2020: EMV 3DS 2.1 \ Visa mandate for issuers.
  The same as above will apply to all Visa issuers. All merchants should implement 3DS into their payment flows. For merchants that have not yet implemented 3DS V1, they can skip over that step and move forward with 3DS 2.1 immediately.
• July 1, 2020: EMV 3DS 2.1+ \ Mastercard mandate for issuers.
  By this point, all merchants should support EMV 3DS 2.1 in their payment flows and/or be ready to Step Up. As a point of reference, EMV 3DS 2.1+ is an intermediary step between EMV 3DS 2.1 and 2.2, which will now recognize and allow certain SCA exemptions in the payment flow.
• September 14, 2020: EMV 3DS 2.2 \ Visa mandate for issuers.
  All merchants should support EMV 3DS 2.2 at this point in order to recognize and allow all SCA exemptions. Step Up can still happen here.
• December 31, 2020: Full PSD2 SCA implementation.
  All issuers must support EMV 3DS 2.2 at this point. American Express is the only issuer that will still allow EMV 3DS V1.

PSD2 compliance made easy with Nexway 

Our goal here was to simplify the complexity of PSD2 as much as possible and, hopefully, give you a little more line of sight into what the rest of the year holds as we all work towards full PSD2 SCA compliance. The good news for you: with Nexway as your Merchant of Record, your online sales will automatically be fully compliant with these new regulations. This includes:

• Immediate SCA implementation in your cart and checkout flow.*
  *when required, for purchases made within the EEA
  
• Industry-leading real-time fraud detection, powered by artificial intelligence (AI).
• Conversion rate optimization via our advanced fraud management, strong authentication, and two-factor authentication exemption programs.
• Peace of mind knowing that Nexway is a trusted and well-established merchant across our broad network of payment services providers (PSP).

With PSD2 compliance looming in the not-too-distant horizon, there’s no better time than now to get prepared.
Nexway can help make this easier than ever. Contact us today to learn more.