You may have seen our initial blog post on PSD2 and what it means for online merchants and their customers. Today we're diving deeper and explaining what the legislation means for Payment Service Providers (PSPs).
Under PSD2, fraud detection moves to the centre of a PSP's value proposition. The legislation is changing how fraud operates for PSPs, and it enables an increase in competition whilst also protecting the consumer.
So how will the payments ecosystem be affected going forward?
The connection between PSD2 and payment service providers
PSD2 is legislation that aims to increase competition, innovation and transparency across the European payments market and to increase the security of digital payments and transactions.
The connection between PSD2 and PSPs lies in data-sharing - under PSD2, third parties will be able to initiate online payments directly from the payer’s bank account via an online portal. This brings new opportunities in convenience and cost for online businesses in how they accept payments.
The PSP market is growing rapidly, and enhanced security and prevention tools are becoming available.
How are PSPs affected?
Once the final Regulatory Technical Standards (RTS) go live (expected Q4 2019), banks will be required to grant third-party providers access to a customer’s online account/payment services in a regulated and secure way. PSD2 introduces two new types of third party providers: Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).
The PSD2 definition of payment service provider applies to traditional banks and payment institutions, as well as third party providers (including newly regulated AISPs and PISPs) on both the acquiring and issuing side.
As PSPs act as the gateway that offers retailers and e-commerce sites services for accepting payments, they are responsible for providing the security and authorisation for payment transactions.
In this blog post, we mentioned that under the new regulation, PSD2 will enable greater security measures and protect customer data as access is given to third parties. Banks will ultimately hold the responsibility for protecting consumer data.
Until now, banks have held consumer data within their institutions, but with PSD2, consumers will be responsible for their own financial data and information.
Customers will be able to use payment account information services where their payment accounts are accessible online, making payments in the wider sense easier and helping customers to manage their accounts and data and make better comparisons when purchasing.
Maintaining security and risk
Payments UK believes that the European Banking Authority (EBA) will draft RTS on customer authentication and secure communication. Except in defined circumstances, all PSPs will be required to use strong customer authentication when a payer:
- Accesses its payment account online
- Initiates an electronic payment transaction
- Carries out any action through a remote channel which may imply a risk of payment fraud or other abuses
Strong customer authentication
Strong customer authentication (SCA) becomes mandatory for all electronic payments under PSD2, although the provisions relating to SCA will only apply from 18 months after the date of entry into force of the regulatory technical standards (RTS), which is expected in late 2019. SCA requires at least two of three categories of information for authentication:
- Knowledge - something the user knows, e.g., a password;
- Possession - something the user has, e.g., a mobile device;
- Inherence - something the user is, e.g., via a fingerprint.
At least one of the factors of authentication must be linked to the amount and payee. In the context of card-not-present (CNP) transactions, the issuing bank must ensure SCA is offered for all cards, and the acquiring bank must ensure it supports the issuing bank’s SCA process. It is unclear whether merchants will be able to bypass SCA via their acquiring PSP.
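The two rules above (two distinct categories, and a factor linked to the amount and payee) can be checked together, as in this added example, which is not taken from the regulation or from any PSP's code. The element names, the use of an HMAC as the linked authentication code, and the key and payee values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
from decimal import Decimal

# Assumed mapping of authentication elements to the three SCA categories.
ELEMENT_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "registered_device": "possession",
    "fingerprint": "inherence",
}

def categories_used(verified_elements):
    """Return the distinct SCA categories covered by the verified elements."""
    return {ELEMENT_CATEGORY[e] for e in verified_elements if e in ELEMENT_CATEGORY}

def linked_code(key, amount, payee):
    """Authentication code bound to amount and payee (HMAC is an assumption)."""
    # JSON encoding keeps the two fields unambiguous when combined.
    message = json.dumps([f"{Decimal(amount):.2f}", payee]).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def sca_satisfied(verified_elements, key, presented_code, amount, payee):
    """True only if two distinct categories passed and the code matches this payment."""
    two_categories = len(categories_used(verified_elements)) >= 2
    expected = linked_code(key, amount, payee)
    linked = hmac.compare_digest(expected, presented_code)
    return two_categories and linked

# Constructed sample data: the payer approved 25.00 to this payee.
KEY = b"constructed-demo-key"
PAYEE = "EXAMPLE-MERCHANT-001"
CODE = linked_code(KEY, "25.00", PAYEE)

if __name__ == "__main__":
    # Two categories, unchanged payment: accepted.
    print(sca_satisfied(["password", "fingerprint"], KEY, CODE, "25.00", PAYEE))
    # Password plus PIN are both knowledge: one category only, rejected.
    print(sca_satisfied(["password", "pin"], KEY, CODE, "25.00", PAYEE))
    # Amount altered after approval: the code no longer matches, rejected.
    print(sca_satisfied(["password", "fingerprint"], KEY, CODE, "2500.00", PAYEE))
```

A password and a PIN count as one category, and a code approved for one amount or payee fails if either is changed afterwards.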
Room for greater innovation
Each organisation should be looking at its current technology capabilities, its customers, and how it, as a payment service provider (PSP), can serve them better.
An article by KPMG states that PSD2 provides a “massive opportunity for banks to turn the regulation – and the broader shift towards open banking – into a competitive advantage.”
The article continues: “Banks could create their own Account Information Service Providers (AISPs) to provide their customers access to their other payment methods, all within one branded mobile app. Banks will eye up strategic partnerships with fintechs to use that data to identify trends and create new targeted customer propositions.”
To find out more about Ravelin's offering for Payment Service Providers, visit here.