PSD2: The Ultimate Step-By-Step Guide to Compliance


Table of Contents

• What is the PSD2?

• What is the Potential Impact of PSD2?

• Who is Affected?

• What Software Companies Need to Ensure Compliance

• The Penalties for Non-Compliance

• Who is Exempt?

• The Benefits of Working with a Full-Service Partner


What is the PSD2?

The Second Payment Services Directive (PSD2) was established to benefit consumers by driving payment innovation and data security. It mandates new security processes and encourages standardized technology for online payments.

The directive means all payment providers who process payments for consumers in the European Economic Area (EEA) must adhere to new requirements for authenticating online payments.

PSD2 will impact all transactions that originate in the 28 EU member states, along with payments made in Iceland, Norway, and Liechtenstein.

[Map legend: 28 EU member states; 3 non-EU member states (Iceland, Norway, and Liechtenstein) of the EFTA; out of scope]


What’s the difference between the EU and the EEA?

The European Economic Area (EEA) Agreement is an agreement that brings together the European Union member countries and the three EEA/EFTA states (Iceland, Liechtenstein and Norway) into a single market. The overall purpose of the agreement is to strengthen trade and economic relations between the countries. It also removes trade barriers and imposes equal conditions of competition and compliance with the same rules for each state.

The primary goal of the directive is to create a single integrated market for payment services by standardizing the regulations for banks and new payment service providers. The directive will also recognize and regulate Third-Party Providers (TPPs) that are allowed to access or aggregate accounts and initiate payment services.

The directive is built on three core pillars to provide further competition and transparency when it comes to payment services:

1. Third party provider (TPP) regulation

• Account Information Service Providers (AISP) - Consolidate current account information

• Payment Initiation Service Providers (PISP) - Initiate payment order

• Regulation enables TPPs and sets standards for them

2. Access to accounts

• Banks to open access to account information of their clients to TPPs for free

• Access authorized through client’s consent, no need for bank’s consent

• No need for contractual arrangements between TPP and banks

3. Strong authentication and secure communication

• Stronger security requirements for the initiation/processing of electronic payments and financial data (“stronger customer authentication”)

• Strengthening of consumer rights (e.g. through reduction of liability for non-authorized payments)


PSD2: Timeline

It might seem like the directive is bringing about a lot of new changes in a short period. In reality, the legislation leading up to PSD2 has been in the works for more than 19 years:

• March 2000: Lisbon Agenda to make Europe “the world’s most competitive and dynamic knowledge-driven economy” by 2010

• 2002: European Payments Council created by the banking industry, driving the Single Euro Payments Area initiative to harmonize the main non-cash payment instruments across the Euro area (by end 2010)

• December 2005: Proposal for PSD by DG Internal Market Commissioner McCreevy

• December 25, 2007: PSD entered into force

• 2012: Regulation on cross-border payments, ‘multilateral interchange fees’ (EU Regulation 260/2012)

• July 2013: Report on implementation of PSD and its two updates. All financial institutions offering an API solution must have it available for external testing by PISPs and AISPs

• November 16, 2015: The Council of the European Union passes PSD2, giving member states two years to incorporate the directive into their national laws and regulations

• September 14, 2019*: The final deadline for all companies within the EU to comply with PSD2’s Regulatory Technical Standard (RTS) pertaining to directive (EU) 2015/2366 (PSD2)

*Several countries in the EU/EEA have announced delays for PSD2 compliance.


What is Changing with the PSD2?

Currently, banks control all of their consumer’s data. PSD2 aims to break down the bank’s monopoly over this data.

The directive will allow ‘merchants’ like ecommerce stores to retrieve a customer’s account data from their bank, with their permission. If we break it down, the directive will mean a customer can buy an item online without being redirected to an authentication payment screen, for example.

The European Commission says the PSD2 will achieve three specific goals:

1. Improve consumer protections in online payments

2. Promote greater innovation in online and mobile payments

3. Make cross-border payments more secure

The protocol will mean the online payment field is open to any entity willing to offer financial services, but only if they’re secure. And that’s why PSD2 relies on merchants having Strong Customer Authentication (SCA) in place.


Strong Customer Authentication (SCA) and What it Means for the PSD2

The backbone of PSD2 is security, which is why any merchant who wishes to be compliant with the protocol must have Strong Customer Authentication (SCA) in place. SCA will increase the security of online payments and aims to reduce fraud.

To be compliant with the directive, merchants must implement SCA, which requires two-factor authentication on all transactions (unless the transactions are exempt).

At its core, SCA approves a transaction based on the strength of its security. It needs two factors of identity verification to prove that the customer is who they say they are.

To be SCA compliant, the customer must be in possession of two of these three properties:

1. Knowledge: Something only the user knows, like a PIN or a password

2. Possession: Something only the user possesses, like their phone or a smartwatch

3. Inherence: Something the user is, like their fingerprint or facial recognition

In addition, the elements selected must be mutually independent, which means that the breach of one should not compromise any of the others. If you are a payment service provider, you need to provide SCA to support all eligible transactions.


The principles and security measures of PSD2 also require merchants to follow strict security protocols when it comes to transactions like:

• Blocking a user’s account after five failed authentication attempts

• For any remote transaction, a unique authentication code must be provided to the consumer to link them with the transaction they’re attempting to make. The code should only be used once, it cannot be a code from a previous transaction, and it should be impossible to forge.

• If the consumer is inactive for five minutes or more, they should be automatically logged out of the transaction for safety reasons
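The controls described in this section (two independent factor categories, a single-use code tied to one transaction, lockout after five failures, and the five-minute inactivity limit) can be modelled together. The sketch below is an added example, not code from the original guide or from any payment provider; the `ScaSession` class, its method names, and the use of an HMAC over the amount and payee as the authentication code are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5       # page: block the account after five failed attempts
INACTIVITY_LIMIT_S = 5 * 60   # page: log out after five minutes of inactivity
FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


class ScaSession:
    """Hypothetical server-side SCA state for one customer (not a real PSP API)."""

    def __init__(self, key: bytes, now: float):
        self._key = key              # server-only secret, so codes cannot be forged
        self._pending = {}           # nonce -> (amount_cents, payee) for unused codes
        self.failed = 0
        self.last_activity = now

    def blocked(self) -> bool:
        return self.failed >= MAX_FAILED_ATTEMPTS

    def _mac(self, nonce: str, amount_cents: int, payee: str) -> str:
        msg = f"{nonce}|{amount_cents}|{payee}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_code(self, amount_cents: int, payee: str, now: float):
        """Create a one-time code bound to this exact amount and payee."""
        nonce = secrets.token_hex(16)    # fresh per transaction: no code is reused
        self._pending[nonce] = (amount_cents, payee)
        self.last_activity = now
        return nonce, self._mac(nonce, amount_cents, payee)

    def authenticate(self, factors, nonce, code, amount_cents, payee, now) -> str:
        """factors maps a category name to True when that factor was verified."""
        if self.blocked():
            return "blocked"
        if now - self.last_activity >= INACTIVITY_LIMIT_S:
            self._pending.clear()        # idle too long: drop all outstanding codes
            return "timed_out"
        self.last_activity = now
        # Two factors from the same category count once, so they never satisfy SCA.
        verified = {c for c, ok in factors.items() if ok and c in FACTOR_CATEGORIES}
        bound = self._pending.pop(nonce, None)   # consumed on first use, pass or fail
        expected = self._mac(nonce, amount_cents, payee)
        ok = (
            len(verified) >= 2
            and bound == (amount_cents, payee)
            and hmac.compare_digest(code.encode(), expected.encode())
        )
        if not ok:
            self.failed += 1
            return "blocked" if self.blocked() else "rejected"
        self.failed = 0
        return "approved"
```

Because the code is computed over the amount and payee, a code issued for one payment is rejected if either value is changed, and consuming the nonce on the first attempt is what makes the code single-use.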

The most common way merchants can meet the demands of SCA is to implement the 3-D Secure messaging protocol (3DS). A new version of the 3DS has been released called 3DS 2.0 (or 3DS2) that will authenticate transactions using a biometric method that many mobile phones already offer like fingerprints and facial recognition.

Let’s take a look at how 3DS2 works.


The Importance of Implementing 3DS2 Secure Transactions

Previously, in 3D Secure 1 (3DS), a customer would enter their card details and then be redirected to a 3D Secure page to authenticate the transaction and hopefully reduce fraud. However, this created friction in the buying process, which 3DS2 hopes to eliminate through smarter authentication.

Under 3DS2, if the customer’s bank believes a transaction is secure, the customer won’t even go through SCA, and they can complete the transaction without any friction. This will not only benefit the consumer, but it’s great news for merchants, too. According to Adyen, 3DS1 had a significant drop-off rate due to a confusing customer experience, so 3DS2 has the opportunity to boost transactions for merchants.

There are two core reasons why using 3DS2 is the best way merchants can become PSD2 compliant. Firstly, 3DS2 creates a liability shift. When a merchant implements 3DS2 transactions, they are no longer responsible for chargebacks due to fraud or any other problem that may arise from the transaction itself. A transaction using 3DS2 will look like this:


Let’s use an example of how using a 3DS2 transaction could protect a merchant in a real-life situation. If a stolen credit card is used in a fraudulent transaction, but a merchant already has 3DS2 in place, the liability for the fraudulent transaction shifts from the merchant to the card’s issuing bank.

If your business also operates on a subscription basis, PSD2 will flag the transaction as a ‘one-off’, so your customer doesn’t have to go through the whole secure process every time you take payment for the subscription.

The second reason merchants need to use 3DS 2.0 to become PSD2 compliant is consistency. Merchants who adopt 3DS2 and use it for their online payment gateways will be able to offer a consistent, easy-to-use service across multiple payment gateway platforms and digital media during transaction authentication. By doing this, merchants can improve the consumer experience for their customers and give them a safe and secure transaction process.


PSD2 will also Introduce AISP/PISP to Secure Transactions

The introduction of PSD2 will integrate Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP) to help secure transactions online. The result will be a more secure transaction for both merchants and customers by using APIs.

What is an AISP? An AISP is a regulated TPP who has access to the account information of bank customers. AISPs aim to analyze a customer’s spending behavior and combine a customer’s account information (if they utilize more than one bank) into a single overview.

What is a PISP? A PISP is a service provider that will initiate and finalize a payment on behalf of a customer. Transfers, transactions, and bill payments are likely to use PISP services when the PSD2 is implemented in September.

How PISPs and AISPs Will Change Existing Interaction Models Between Customers and Banks

[Figure: An updated payment model including a Payment Initiation Service Provider (PISP)]

[Figure: An updated payment model including an Account Information Service Provider (AISP)]


What is the Potential Impact of PSD2?

With all of these changes to online transactions and security, merchants and consumers must understand the impact of PSD2.

The Impact on Merchants

All ecommerce transactions where either the issued card or acquirer is in the EEA are required to incorporate SCA in their checkout process to meet PSD2 standards. Merchants and other players in the payments space are required to have 3DS2 implemented to meet SCA requirements effectively.

Once PSD2 is rolled out, the directive also means any merchant operating in Europe won’t be able to receive payments from customers and pay those funds to sellers/vendors without obtaining a payments license from a regulator and becoming a regulated business.

The most significant impact on merchants is to bring their transaction security up to scratch to be compliant with the new directive. The critical change for merchants under PSD2 is that if they act on behalf of both buyers and sellers, like most ecommerce platforms currently do, then merchants can only avoid becoming a licensed and regulated business if they do not possess or control any funds involved in a transaction.

If a merchant doesn’t want to become a regulated business or have the burden of transactions on their shoulders, their only solution is to look for a full-service ecommerce provider to take care of their transactions once PSD2 is in place.

Merchants need to remember that PSD2 will have different impacts on them than it will for consumers and issuers. While PSD2 aims to protect consumers, the consumer doesn’t have to do anything when the regulation comes into place. On the other hand, issuers and merchants must now become PSD2-SCA compliant by meeting all new regulations in their online business practices by September 14.


The Impact on Consumers

With PSD2, payment initiation service providers will be able to initiate payments on behalf of consumers, which is why PSD2 will bring consumers tremendous benefit around security and data protection when they make purchases online.

The most significant impact on consumers for PSD2 is transparency and security. Under PSD2, a consumer can authorize a fintech app, a social network, a bank, or their mobile phone operator to pay for a transaction directly from their bank account using secure payment providers. Under PSD2, an online transaction for a customer could look like this:

In simple terms, PSD2 will make purchasing easier for customers. Merchants will be able to offer more payment options to consumers beyond traditional payment services like Visa and MasterCard by creating more transparency. Payment service providers will also be able to offer customers additional services under PSD2, like offering them a choice on what bank accounts to charge a particular transaction to.


Who is Affected?

The PSD2 will affect all payment service providers active in the EEA, including:

• Account information service providers (AISPs)

• Payment initiation service providers (PISPs)

• Traditional banks

Is your business operating outside of the EEA?

Be prepared. No matter where your business is operating from, if you offer services or products to consumers in the EU, the PSD2 will affect your business. The PSD2 will be applied to any transactions that are considered “one-leg transactions,” when at least one party involved is based in the EU. Therefore, if your company is in North America but is selling to a customer in the EEA, or you’re in the EU selling to a customer in North America, you need to comply with the rules of the PSD2.

Here’s what all that means for companies who do business in the EEA.

Businesses Offering Products and Services in the EEA

Any merchant or business who takes payments for services and products in the EEA will no longer be able to receive their payments in a traditional sense under PSD2.

If a non-EEA ecommerce store is selling to a consumer in the EEA, they are required to meet the requirements of the PSD2 to remain compliant. For example, any money that exchanges hands between a business and a consumer (if one of them is in the EEA) must now go through a regulated payments institution to make it more secure. If your business offers online products or services, PSD2 means you will no longer be able to handle the payment using a service that doesn’t have SCA in place.


This requirement is essential for businesses to understand. If they try and become compliant themselves without reaching out for help from a secure payment provider, the process can be time-consuming and complicated. However, non-compliance with PSD2 isn’t an option, and as the directive rolls out, so will its penalties and fines. So, it’s crucial to be compliant when the directive is implemented in September.

Any Payments Processed in the EEA are Affected

After September 14, any online transaction that takes place in the EEA, or on behalf of a customer with an EEA issuing bank, will be required to go through SCA.

This isn’t as cut and dry as physical locations of your customers, either. If a customer is purchasing your item while they are in Canada, for example, yet their card was issued in the EEA, SCA is required to authenticate the transaction.

The requirement is for online transactions between cardholders whose payment cards have been issued in the EEA and merchants who process payments in the EEA. If you don’t have SCA implemented by the September deadline, it’s likely the EEA card issuer will decline the transaction altogether, and you’ll lose the sale.

If your business is outside of the EEA, but you’re offering services or products to EEA consumers, it’s your responsibility to make sure your transactions are compliant. Implementing SCA will not only mean a customer’s transactions will be approved, but it will also protect against fraud and provide your customers with a better experience when they do business with you.


What Software Companies Need to Ensure Compliance

The number one way merchants can ensure they’re compliant with PSD2 is to implement 3DS2 into their online payment gateways.

The SCA requirement of PSD2 means any transaction taking place on your website needs to be secure. Beyond that, PSD2 requires the transaction to be authenticated and to minimize the chances of it being fraudulent. 3DS2 ticks all the boxes of SCA by asking for two authentication factors from a consumer:

• Knowledge: Something you know (password, PIN)

• Possession: Something you possess (mobile phone, smart watch)

• Inherence: Something you are (fingerprint, facial recognition)


It’s these strict SCA requirements that merchants need to take note of. If merchants believe they can implement SCA on their own, it could come with substantial risks and costs. Merchants will need to build their own platforms to make sure payments taken on their websites are SCA secure, or they can pass the responsibility over to a regulated third-party provider to take care of transactions on their behalf.

Let’s break down what a software company will have to do if they wish to become compliant without using a third-party provider.

Firstly, they must implement a regulated payment provider to handle all of their transactions. Then, they must integrate a payment solution to take care of their subscription payments, have robust reporting capabilities in place, as well as a filing system to reconcile payments in the case of any fraudulent transactions, like false chargebacks.

Implementing all of these different accounts and integrations can be a complicated and costly headache for software companies.

Software companies can avoid all of the red tape and enlist the help of a payment provider to manage their transactions after the PSD2 is rolled out, without the hassle. For example, FastSpring is a PSD2 compliant ecommerce solution, which can handle payments and transactions on a company’s behalf without the company having to change the way it currently does business online.

The right ecommerce partner can help businesses handle all of the complicated processes and authentications required under PSD2 without worrying about whether or not their transactions will meet compliance. An integrated payment service provider can take care of every last PSD2 requirement.


The Penalties for Non-Compliance

PSD2 is new, and it’s still unclear exactly what penalties will be handed out to businesses who fail to comply. But one thing is for sure; there are detailed penalty structures in place ready to deal with businesses who fail to meet the required standards after the September 14 deadline.

The regulators in charge of PSD2 have stated the penalties for failing to comply with the directive will be dealt with on a case-by-case basis. It’s then that a decision will be made on whether a financial penalty will be imposed. The non-compliance penalty structure states that the principal purpose of imposing a financial penalty is to promote high standards of regulatory and market conduct to persons and companies who aren’t compliant with the directive.


The penalty structure states that if a business or individual fails to comply with PSD2, their penalty will be based on:

• The nature, seriousness, duration, frequency and impact of the compliance failure

• The behavior of the regulated person after the compliance failure has been identified

• The previous compliance history of the regulated person

• Action taken by another domestic or international competent authority under PSD2 in previous similar cases

• The extent to which there is uncertainty or complexity in the interpretation of a prohibition or requirement, where the issue has not been the subject of previous guidance or statements by us, another competent authority or the courts

If the level of non-compliance is severe enough to impose a financial penalty, the penalty itself will then be decided by:

• The benefit received as a result of the compliance failure

• A financial penalty reflecting the seriousness of the compliance failure

To avoid serious financial penalties, it’s crucial all businesses operating and selling within the EEA become compliant with PSD2 before September 14.


Who is Exempt?

There are certain circumstances in the PSD2 where merchants won’t have to adhere to the strict needs of SCA.

Keep in mind that if you conduct any transactions outside of the cases which provide exemptions, it’s essential you become PSD2 compliant to avoid serious penalties. The full list of exemptions is set out in the Regulatory Technical Standards, but the ones that will affect most companies include:

Online Payments Under €30: Single transactions that are less than €30, that amount to a maximum of €100 or five transactions, are exempt under the directive.

Transaction Risk Analysis: If a transaction is flagged as “low risk”, it will be exempt from SCA. However, certain requirements and conditions need to be met for a company to be exempt. These conditions depend on the payment provider’s or bank’s overall fraud rates for card payments not exceeding the following thresholds:

• 0.13% to exempt transactions below €100

• 0.06% to exempt transactions below €250

• 0.01% to exempt transactions below €500

Thresholds will be converted to local equivalent amounts where relevant. As a merchant, you can request a Transaction Risk Analysis (TRA) exemption to bypass SCA. However, when a payment cannot be qualified as low risk, it will be reverted to an SCA, so it’s crucial you have a system in place to deal with diverted payments if you go down this route.


Corporate Payments: Such as virtual cards or B2B cards. The transaction must be initiated by a business rather than a consumer.

Whitelisting: Consumers can whitelist a merchant (effectively marking them as a safe transaction) so that all future transactions won’t require any additional security checks. However, it’s up to the consumer to do this, so it’s inadvisable to rely on whitelisting to become exempt from PSD2.

Recurring Payments: Payments that are made on a recurring basis can be given an exemption from SCA. For this to happen, the recurring payment needs to be made to the same merchant for the same amount. The first transaction of the recurring payments will still be subjected to SCA, meaning subscription businesses still need to comply with PSD2 for the first transaction.
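The exemptions listed in this section can be expressed as one routing decision that falls back to SCA whenever no exemption applies. The following is an added example, not code from the original guide or from any payment provider; the `Payment` and `CustomerState` types, the `route` function, and the choice to reset the low-value counters each time SCA is performed are assumptions, while the amounts and fraud-rate thresholds are the ones stated above.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# From the page: PSP fraud rate (%) not exceeding X exempts amounts below Y EUR.
TRA_BANDS = (
    (Decimal("0.01"), Decimal("500")),
    (Decimal("0.06"), Decimal("250")),
    (Decimal("0.13"), Decimal("100")),
)
LOW_VALUE_LIMIT = Decimal("30")        # single transaction must be below this
LOW_VALUE_CUMULATIVE = Decimal("100")  # running total allowed without SCA
LOW_VALUE_MAX_COUNT = 5                # number of payments allowed without SCA


@dataclass
class Payment:                          # hypothetical shape of a payment request
    amount_eur: Decimal
    merchant: str
    business_initiated: bool = False    # corporate / B2B card payment
    recurring: bool = False
    low_risk: bool = False              # outcome of the PSP's risk analysis


@dataclass
class CustomerState:                    # hypothetical per-cardholder state
    whitelist: set = field(default_factory=set)
    mandates: dict = field(default_factory=dict)   # merchant -> agreed amount
    low_value_total: Decimal = Decimal("0")
    low_value_count: int = 0


def tra_ceiling(fraud_rate_pct):
    """Highest amount ceiling the PSP's fraud rate qualifies for, or None."""
    for max_rate, ceiling in TRA_BANDS:   # strictest band first
        if fraud_rate_pct <= max_rate:
            return ceiling
    return None


def _sca(state):
    # Assumption: performing SCA resets the low-value counters.
    state.low_value_total = Decimal("0")
    state.low_value_count = 0
    return "sca_required"


def route(p, state, psp_fraud_rate_pct):
    """Return the exemption that applies to payment p, or 'sca_required'."""
    if p.business_initiated:
        return "exempt:corporate"
    if p.merchant in state.whitelist:
        return "exempt:whitelisted"
    if p.recurring:
        if state.mandates.get(p.merchant) == p.amount_eur:
            return "exempt:recurring"     # same merchant, same amount
        # First payment, or the amount changed: SCA again. Recording the
        # mandate here assumes the SCA step that follows succeeds.
        state.mandates[p.merchant] = p.amount_eur
        return _sca(state)
    if (p.amount_eur < LOW_VALUE_LIMIT
            and state.low_value_total + p.amount_eur <= LOW_VALUE_CUMULATIVE
            and state.low_value_count < LOW_VALUE_MAX_COUNT):
        state.low_value_total += p.amount_eur
        state.low_value_count += 1
        return "exempt:low_value"
    ceiling = tra_ceiling(psp_fraud_rate_pct)
    if p.low_risk and ceiling is not None and p.amount_eur < ceiling:
        return "exempt:tra"
    return _sca(state)                    # not low risk: reverts to SCA
```

The last line is the fallback the section describes: a payment that cannot be qualified as low risk, or that exhausts the low-value allowance, is sent through SCA.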


The Benefits of Working with a Full-Service Partner

PSD2 is complicated, and if your business fails to comply, it could become very costly for your company. That’s why it’s crucial to make sure your business is ready for PSD2 before September 14:


If you’re looking for a way to make sure your business is compliant, working with a full-service ecommerce partner can ensure all of the bases are covered when PSD2 is implemented. Without partnering with a full-service provider, your business is on the hook for adhering to the new regulations.

For example, by partnering with FastSpring to meet all the requirements of PSD2, you’ll also benefit from working with a Merchant of Record. This means FastSpring handles all the regulatory compliance and financial services needed for your business to successfully sell globally.

We also have our own 15-factor fraud detection algorithm to minimize fraudulent charges, and are globally compliant on other complex regulations apart from PSD2, like GDPR and PCI DSS.

To learn more about how FastSpring can help you become compliant with PSD2, SCA, and all other major ecommerce-related regulations, request a demo with an ecommerce specialist.
