What is PSD2?
The Revised Payment Services Directive (PSD2) is a set of laws and regulations for payment services in the European Union (EU) and the European Economic Area (EEA). It’s been around for a while - it was passed in 2015 - but the most important aspects for online payments come into effect on 14 September 2019.
Why is it necessary?
A lot has happened since PSD1 was passed in 2007. Apple have released 18 versions of the iPhone, scientists have cloned human cells... and Europe’s online payments have been rocked by market developments. Read more detail on the background here and read on for a summary of the major trends...
Increasing online payment fraud in Europe
The European Central Bank (ECB) recorded a 66% increase in card not present fraud (online payment fraud) between 2011-2016, which was the main reason behind why fraud overall increased by 35%. Online fraud now makes up 73% of fraud in Europe and this is steadily rising.
The rise of the API economy
Application Programming Interfaces (APIs) allow different systems to talk to each other. APIs are fundamental to the success of companies like Amazon, Google, Uber, Stripe, Braintree etc. and they’ve supported the creation of whole new business models, including fintechs. APIs will provide the means for banking and payments to become more open.
Unregulated new business models
Since PSD1 there has been growth and innovation in the digital payments market with a whole host of new fintech players. So far, these new business types have not been fully regulated and agreements have been somewhat ad-hoc. PSD2 will provide standards and structure and allow these new companies to access customer bank accounts.
The goals of PSD2
- Make the European payments market more integrated and efficient
- Improve the level playing field for payment service providers (including new players)
- Make payments safer and more secure
- Protect consumers from fraud
PSD2 is part of a wider legislation which has a whole range of implications for banks, payment providers, third party providers and consumers - more detail on far-reaching effects in this podcast. On this page we’ll focus on the changes to online payments and how they will affect online sellers and payment providers.
PSD2 aims to secure digital payments and expand the financial ecosystem
However - a number of countries in the EEA have released individual migration plans for SCA, including some which go beyond the current 31 December deadline (UK, France). See the latest updates on plans in Europe in our interactive map.
Key changes for online sellers and payment providers
Strong customer authentication
Most online payments in the EEA will require strong customer authentication. This means two-factor authentication which meets the European Banking Authority (EBA) requirements - we’ll come back to this later.
Payment provider licensing
Any company providing payment services in the EU will require a payment license and be authorised and registered by the EBA.
Opens bank data to third parties
Opening up of bank data to make room for new players, including two new kinds of third party providers (TPPs):
How and where will SCA have an impact?
Under PSD2, strong customer authentication is required on all payer-initiated transactions when both the card issuer and acquirer are within the EEA. If only one of the two is within the EEA, SCA is not required - so a business based in the US with a US bank would not be required to enforce strong authentication. This type of transaction is called 'one leg out'.
Map of global payment flows
PSD2 covers payment providers in all the EEA countries, so it will affect over 300 million ecommerce shoppers. It will be implemented in the UK despite Brexit as it was passed into law before the withdrawal.
This PSD2 requirement for strong customer authentication is likely to cause huge waves - when India implemented mandatory 3D Secure in 2014, some businesses reported a 25% drop in sales overnight due to the extra step in payments.
Similarly to the General Data Protection Regulation (GDPR), PSD2 will impact a business outside the EU if it provides payment services in the EEA, and it will need to have a payment license.
Strong customer authentication will only be required for payments when both the cardholder and merchant bank are within the EEA… but this will still have indirect consequences for non-EEA payments, here’s why…
What are the consequences for non-compliance?
Burying your head in the sand is not going to work. Payment providers and banks are legally required to enforce PSD2. Online businesses who don’t fulfil the SCA requirements will start seeing their decline rates going up and conversion rate falling as customer banks reject non-authenticated payments.
Non-compliance puts both sellers and payment providers at risk of losing transaction volume. But for payment providers, non-compliance carries more serious consequences. National regulators have the power to impose fines and even revoke a payment provider’s license. Unlike GDPR, there are no fines specified, and as different members of the EEA are at different stages of implementation, the fine amounts may also vary.
Strong customer authentication explained
Strong customer authentication demands multi-factor authentication on all payer-initiated payments including at least two of the below methods.
Something you know
e.g. pin or password
Something you have
e.g. phone or device
Something you are
e.g. facial scan or fingerprint
Exemptions to strong customer authentication
When the EBA first floated the idea of strong customer authentication, they received a barrage of objections from the payments industry - remember this change in India in 2014 cost some businesses a quarter of their sales. Thankfully, the EBA consultation group worked through the feedback and outlined some exemptions to the strong customer authentication rule.
An online seller can’t apply for these exemptions itself, but a payment provider can apply on its behalf.
It’s important to remember that the cardholder’s bank has the final say on whether to grant or reject an exemption request.
The key exemptions to strong customer authentication are:
A customer can whitelist their chosen online sellers as safe so they don’t have to authenticate each time they buy something. This has potential work well - but it relies on the customer taking action, so online sellers will need to work hard on communications for this to take off.
If a customer signs up to a subscription or recurring billing for exactly the same amount with the same online seller, they will only need to authenticate the first time they pay. This is a great exemption for sellers like Netflix, but it won’t cover repeat payments if the amounts differ (eg. a weekly online grocery shop) or if the value changes (eg. if Netflix increases their prices).
Low-value payments under €30
This exemption allows payment providers to avoid applying strong customer authentication for online payments under €30 up to a certain cumulative limit. The customer’s bank has the choice to either request strong customer authentication on every sixth payment under €30 or request strong customer authentication if the combined value of several payments goes above €100.
Although it may look attractive on the surface, this exemption is tricky for online sellers and payment providers. The cardholder’s bank decides which cumulative limit to use, so it’s hard to know whether the bank will choose to limit the number of transactions or total value.
For example, a customer could make five payments of €10 and be challenged on the sixth, or make up to 10 payments of €10 before they need to authenticate.
This exemption also doesn’t help online sellers with an average order value above €30.
This is likely to be the most commonly used exemption.
If a payment provider has low fraud rates within the prescribed PSD2 fraud limits, then it will be able to use real-time transaction risk analysis to apply for exemptions on behalf of its sellers for all low-risk payments up to €500. There are no low-risk exemptions for transactions over €500.
Real-time risk analysis technique
The EBA published Regulatory Technical Standards (RTS), which specify what payment providers’ need to take into account through real-time risk analysis. This covers:
- Previous spending patterns of the customer
- Payment history for all customers
- Location of the payer and the payee and if these are high-risk or abnormal
- Unusual payment patterns, spending or behavior of the customer
- Unusual information about the customer’s device/software access
- Malware infection in any session of the authentication procedure
- Known fraud scenarios
The EBA states that these factors must be combined and translated into a risk score for each payment, to determine whether a specific payment should be allowed without strong customer authentication.
Fraud rate limits for payment providers
Under PSD2, payment providers in the EEA will need to provide evidence of their transaction fraud rates to their national regulator every 90 days.
|Fraud transaction rate must be below||To apply for exemptions on payments up to|
So a payment provider with a fraud rate of:
- Between 0.13% and 0.06% can exempt all low-risk payments under €100
- Between 0.06% and 0.01% can exempt all low-risk payments under €250
- Below 0.01% can exempt all low-risk payments under €500 (this will be very rare)
If a payment provider uses an exemption, they will be liable for the payment in case of fraud
Using an exemption shifts the liability for fraud on to the payment provider, which is why it’s so important for payment providers to invest wisely in fraud protection.
Online sellers with a low fraud rate can choose to do the risk analysis
An online seller can contractually agree with its payment provider to take the risk of using this exemption and rely on its own risk management systems.
This means online sellers who have invested in fraud protection will have the upper hand when negotiating with payment providers who will be looking to keep their fraud rate low and share liability for fraud.
Online sellers with low fraud rates will be in high demand from payment providers
The online seller’s wish list for payment providers under PSD2
Likewise, payment providers who have low fraud rates and can maximize the chance of payments being accepted will be top of the wish list for online sellers.
Low fraud rates
Low fraud rates across all online sellers allows payment providers to request SCA exemptions
High acceptance rates
Online sellers want to minimise friction and avoid SCA for their genuine customers
Guidance and support
Online sellers will look to payment providers for PSD2 expertise and help to manage the changes ahead
Although some leading online businesses have started preparing for the impact of PSD2, these are more likely to be larger companies with dedicated teams and resources. A recent survey from Mastercard found that 75% of online merchants in Europe are potentially unaware of the new standards coming in September and that 32% of merchants would rather hear about this from their payment provider than via the bank.
of online sellers in the EU are unaware of SCA requirements
of EU banks missed the original PSD2 deadline
of online sellers in the EU will miss the September SCA deadline
The importance of issuer intelligence
A payment provider has the advantage of processing much higher numbers of transactions than any one of their online sellers. This means it has far more information on how different issuing banks react to exemption requests and which versions of 3D Secure are supported by each bank.
At Ravelin, we collect this information across every transaction - we call it issuer intelligence. This helps us to determine the best path to payment acceptance on each transaction, based on the bank’s past behaviour and payment risk level. Learn more about how we use the data on banks, customers and transactions in this webinar.
More complexity for customers = fewer successful transactions
Adding any extra steps into the checkout carries the risk of customers forgetting their passwords, abandoning their purchase or changing their mind. Online sellers will attempt to use strong customer authentication as little as possible, but they won’t be able to avoid it completely. If a payment doesn’t qualify for an exemption, or if the customer bank doesn’t grant an exemption, then the customer will have to authenticate the payment through 3D Secure.
Strong customer authentication with 3D Secure
3D Secure (3DS) is an additional layer of security for online credit and debit card payments - the most well-known examples being Verified by Visa, Mastercard SecureCode and American Express SafeKey. At the final stage of checkout it asks the buyer for a password so the bank can authorise the payment.
If 3D Secure is used to authenticate a payment, the payment is seen as secure and the customer’s bank is liable for any fraud. Although this makes it a powerful tool for online sellers wishing to avoid losses from fraud, so far most sellers only use 3D Secure for the most risky transactions as it seriously damages conversion - we’ll explain just how much a bit later.
Problems with 3D Secure 1
Clunky user interface
3D Secure is a massive source of frustration for customers, with many people telling companies they are losing their business over it. On the far end of the scale, the jarring interface means 3DS looks suspicious and can make customers feel less secure when paying online - leading them to quit checkout.
Rarely used, rarely remembered passwords
Because most online sellers are only using 3DS for the most risky transactions, customers are only being asked for their passcode once every so often. Customers often forget their passcode and can’t authenticate the payment. Resetting the password is often tiresome and long winded - 26% of customers abandon transactions due to a complicated checkout process.
How much does 3DS really impact online payments?
3D Secure acceptance rate is 78%
22% of payments are lost through 3DS
We looked at millions of payments in Q1 2019 and found that 22% of payments sent to 3DS are lost - further analysis revealed:
- 3DS authentication took an average of 37 seconds
- 91% of payments cause friction taking over 5 seconds to authenticate
- Acceptance rates of the top 20 global banks by volume range from 68-92%
See the full results from all global payments in an infographic here.
How 3D Secure 2 is different
More data, less friction
3DS 2 enables payment providers to send much more risk analysis data to the customer’s bank, so that they can use this to recognise the customer and avoid strong customer authentication.
More ways to authenticate
In line with strong customer authentication requirements, 3DS 2 offers more flexible ways to authenticate that suit the customer, such as facial scanning and one time passwords. Again, this is still dependent on whether the cardholder’s bank offers it.
Better user experience
The seller can customize the challenge page, and 3D Secure 2 will be mobile optimised with iOS and Android software development kits for native payment options, rather than janky iframes, pop-ups or redirects.
Early warning signs of 3D Secure 2
Although 3D Secure 2 looks like it will be a big improvement on earlier versions, there are some signs that it may still cause problems. 3DS 2 will be heavily dependent on mobile phone methods of authentication for many payments, which will still cause issues for a customer not carrying their phone or in areas with low signal.
Our analysis on 3DS payments found that even banks with 3DS 2 level authentication, such as app-based authentication and one-time passwords, still lost 19% of payments.
“Improved 3DS 2 user experience alone is not enough to maximise acceptance. The huge differences between banks highlights that online businesses will need to get smart about how they manage low-risk exemptions”
This is why it’s important for online sellers and payment providers to prepare for PSD2, even those outside of Europe. Leading companies will have a strong fraud toolkit with a strategy for maximising the use of exemptions to give genuine customers a smooth journey. Visit this page to learn more about how Ravelin Accept delivers on strong customer authentication requirements.