PSD2 (Payment Service Providers Directive) is a European regulation that was established to make electronic payments easy and secure.
Administered by the European Commission, PSD2 aims to drive financial institutions to innovate and modernize the payments market across the European finance industry while improving the overall banking experience and security for consumers.
Back in 2007, when the open banking concept gained recognition in the financial market, the European Union (EU) introduced the PSD regulation to create a single payment market across the EU. Once PSD was introduced, many new service providers entered the field, engaging with small businesses and consumers to capitalize on the opportunity.
As more banks embraced open banking and the number of payment service providers grew, the EU revised the PSD regulation with a few amendments in 2013, resulting in the current PSD2. The revised directive sought to connect existing banks, retailers, and the new fintech entrants in order to:
Although PSD2 was created in 2013, it did not fully go into effect immediately. Due to debates and long delays in publishing technical standards, PSD2 was gradually implemented starting in January 2018. However, PSD2 did not officially go into full effect to govern e-commerce in Europe until December 2020.
At its core, PSD2 focuses on two key areas:
To transform the payments market, PSD2 introduced two new regulated services: Payment Initiation Services (PIS) and Account Information Services (AIS). Together, these services help create an easy and secure means for making online payments.
1. Payment Initiation Services (PIS)
Payment Initiation Services (PIS) allow consumers to authorize a third-party payment provider (TPP) to make payments online by filling in the required account information on behalf of the consumer. This provides consumers the flexibility of making online payments without having to visit a specific bank application. It also presents consumers with multiple payment options.
2. Account Information Services (AIS)
Account Information Services (AIS) involve aggregating and storing account information from customers’ multiple bank accounts at a central location. Account Information Service Providers (AISPs) are TPPs that collect customer bank data by accessing their accounts. Through AISPs, consumers can get a holistic view of their account information across different accounts in a single application, which helps them gain better control over their finances. Customers can also choose to make their payments either directly from their bank accounts or from other secure sources. This helps avoid paying the surcharges associated with card-based transactions.
To support these two services, PSD2 requires banks to open their payment services to third-party payment providers via Application Programming Interfaces (APIs) and to provide account information through them. The APIs are open to any TPP recognized under PSD2 on the basis of specific security requirements; PSD2 recognizes and regulates these TPPs so that they may access banking data and initiate payments.
Another major objective of PSD2 is improving the security of online payments and protecting consumer information from fraud. To achieve this goal, the European Banking Authority (EBA) developed the Regulatory Technical Standards (RTS) that specify requirements around two key areas for payment service providers and banks to become PSD2 compliant:
Strong Customer Authentication (SCA) is one of the notable measures of PSD2. SCA is designed to serve as a reliable and effective authentication tool to secure online payments and protect consumers’ financial data from theft. According to SCA, all payment processors and digital banking providers must use multi-factor authentication (MFA), essentially two-factor authentication (2FA), for initiating payments and accessing accounts. As a result of SCA, customers must verify their identities and provide consent using a combination of authentication mechanisms like PINs, biometrics, and text messages before making payments. Implementing MFA provides an additional layer of security for financial transactions and helps prevent payment fraud.
To comply with Strong Customer Authentication (SCA), payment service providers must authenticate consumers based on at least two independent pieces of information. These pieces of information fall into three categories:
SCA applies to most online transactions. However, there are exemptions to SCA, which depend on the level of risk involved in the payment service provided. The exemptions were added to make low-risk transactions fast and frictionless for a better customer experience.
Some of the common SCA exemptions include:
Another pivotal element of SCA is dynamic linking: the authentication code generated for a transaction is tied to the specific payment amount and payee the customer authenticated. These codes cannot be modified or reused; if the amount or payee differs from what was authenticated, or the code is presented a second time, the transaction is canceled.
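Dynamic linking as described above, shown in code. This is an added example and not code from the page or from any PSD2 implementation: the `Linker` type, the HMAC-SHA256 construction and the constructed secret and sample IBAN are all assumptions made for the demonstration. The code issued for a transaction commits to the nonce, amount and payee; changing either value, replaying the code, or presenting a forged nonce is rejected, and a mismatch cancels the code so the original values cannot be retried with it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
)

// Linker issues and checks dynamically linked authentication codes. It stands
// in for the component of a payment service provider that generates the code
// shown to the payer; hypothetical type, not a real PSD2 API.
type Linker struct {
	key  []byte          // secret shared only with the verifying component
	mu   sync.Mutex
	used map[string]bool // nonces that have been redeemed or cancelled
}

// NewLinker returns a Linker keyed with the given secret.
func NewLinker(key []byte) *Linker {
	return &Linker{key: key, used: map[string]bool{}}
}

// code computes HMAC-SHA256 over a length-prefixed encoding of the nonce,
// amount and payee, so field boundaries cannot be shifted between values.
func (l *Linker) code(nonce, amountCents, payee string) string {
	m := hmac.New(sha256.New, l.key)
	fmt.Fprintf(m, "%d:%s|%d:%s|%d:%s", len(nonce), nonce, len(amountCents), amountCents, len(payee), payee)
	return hex.EncodeToString(m.Sum(nil))
}

// Issue returns a fresh nonce and an authentication code bound to exactly the
// amount and payee the customer was shown when authenticating.
func (l *Linker) Issue(amountCents, payee string) (nonce, code string, err error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", "", err
	}
	nonce = hex.EncodeToString(b)
	return nonce, l.code(nonce, amountCents, payee), nil
}

// Redeem accepts a code only for the amount and payee it was issued for, and
// only once. A mismatch cancels the code, so it cannot be retried with the
// original values either.
func (l *Linker) Redeem(nonce, code, amountCents, payee string) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	if l.used[nonce] {
		return errors.New("authentication code already used or cancelled")
	}
	l.used[nonce] = true // consumed on first presentation, whatever the outcome
	expected := l.code(nonce, amountCents, payee)
	if !hmac.Equal([]byte(expected), []byte(code)) {
		return errors.New("amount or payee differs from the authenticated transaction; cancelled")
	}
	return nil
}

func main() {
	l := NewLinker([]byte("constructed-demo-secret"))                     // constructed key
	nonce, code, err := l.Issue("12500", "DE89370400440532013000") // constructed sample IBAN
	if err != nil {
		panic(err)
	}
	fmt.Println("tampered amount:", l.Redeem(nonce, code, "99900", "DE89370400440532013000"))
	fmt.Println("retry original: ", l.Redeem(nonce, code, "12500", "DE89370400440532013000"))
	nonce, code, _ = l.Issue("12500", "DE89370400440532013000")
	fmt.Println("genuine:        ", l.Redeem(nonce, code, "12500", "DE89370400440532013000"))
	fmt.Println("replay:         ", l.Redeem(nonce, code, "12500", "DE89370400440532013000"))
}
```

The amount is carried as a string of cents rather than a float so that the value the customer approved is byte-for-byte the value that is verified; the nonce makes every code single-use, and `hmac.Equal` keeps the comparison constant-time.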
Common and Secure Communication standards, also referred to as CSC, are a set of standards specified by the RTS to ensure that communication between banks and regulated third-party providers (TPPs) is confidential and secure. To meet this goal, banks must develop a secure communication channel that allows TPPs to access consumer account information and initiate payments securely. Additionally, these communication channels enable banks and TPPs to verify each other's identities when accessing information. With the implementation of CSC standards, TPPs can no longer access customer data through "screen scraping," the practice of copying information displayed on a screen.
Financial institutions typically use digital certificates for online authentication and secure communication. Considering the sensitivity of banking transactions, Common and Secure Communication (CSC) standards mandate using only eIDAS (electronic identification, authentication, and trust services) certificates issued by a Qualified Trust Service Provider (QTSP) for authenticity and data integrity.
CSC recommends using both of the following certificates in parallel for secure communication:
2A. Qualified Certificate for Website Authentication (QWAC)
A Qualified Website Authentication Certificate (QWAC) is a type of digital certificate used with the Transport Layer Security (TLS) protocol and issued by a Qualified Trust Service Provider (QTSP) under the eIDAS regulation (electronic identification, authentication, and trust services). Simply put, QWACs are used for website authentication and to protect data in peer-to-peer communication. To ensure the highest level of trust and assurance, QWACs are issued only after extensive and stringent identity verification checks.
QWACs are used by payment service providers and banks to:
2B. Qualified Certificate for Electronic Seals (QSealC)
A Qualified Certificate for Electronic Seals (QSealC) is a type of digital certificate used to ensure the authenticity and integrity of sensitive electronic documents and data. A QSealC is used to apply an e-seal (essentially a digital signature) using standards such as ETSI's PAdES, CAdES or XAdES. The e-seal confirms the integrity of a document by verifying its source and protecting its contents from tampering.
QSealCs are used by payment service providers and banks to:
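The two checks a receiving party performs on an e-seal, shown as an added example that is not code from the page, from any QTSP or from any bank's API: a constructed trust service provider issues a seal certificate to a constructed payment service provider, the provider seals a payload, and the verifier confirms both that the certificate chains to a trusted root and that the signature matches the payload as received. The `Issuer`, `Sealer` and `ESeal` types, the use of ECDSA P-256 over a SHA-256 digest, and the self-signed root are all assumptions; a real QSealC is issued by an accredited QTSP and an e-seal would be packaged in one of the ETSI formats named above rather than as this detached signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer stands in for a Qualified Trust Service Provider (QTSP): a self-signed
// root plus the key used to issue seal certificates under it. Constructed for
// this example only; it is not accredited under eIDAS.
type Issuer struct {
	Root *x509.Certificate
	key  *ecdsa.PrivateKey
}

// Sealer is a payment service provider holding a seal certificate and its key.
type Sealer struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// ESeal is a detached seal: the signature over a payload plus the certificate
// the receiver needs in order to check it.
type ESeal struct {
	Signature []byte
	Cert      *x509.Certificate
}

// issue generates an ECDSA P-256 key and certifies it. With parent == nil the
// certificate is a self-signed CA root; otherwise parent signs it.
func issue(subject string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewQTSP creates a constructed trust service provider with its own root.
func NewQTSP(name string) (*Issuer, error) {
	root, key, err := issue(name, nil, nil)
	if err != nil {
		return nil, err
	}
	return &Issuer{Root: root, key: key}, nil
}

// IssueQSealC issues a seal certificate to a payment service provider.
func (q *Issuer) IssueQSealC(subject string) (*Sealer, error) {
	cert, key, err := issue(subject, q.Root, q.key)
	if err != nil {
		return nil, err
	}
	return &Sealer{Cert: cert, key: key}, nil
}

// Seal signs the SHA-256 digest of payload with the sealer's private key.
func (s *Sealer) Seal(payload []byte) (*ESeal, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &ESeal{Signature: sig, Cert: s.Cert}, nil
}

// VerifySeal performs the two checks a receiving bank must make: the seal
// certificate chains to a trusted QTSP root, and the signature matches the
// payload exactly as received. Either failure means the data is rejected.
func VerifySeal(payload []byte, seal *ESeal, trustedRoots ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := seal.Cert.Verify(opts); err != nil {
		return fmt.Errorf("seal certificate not issued by a trusted QTSP: %w", err)
	}
	pub, ok := seal.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("seal certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], seal.Signature) {
		return errors.New("seal does not match payload: altered in transit or sealed with another key")
	}
	return nil
}
```

The order of the checks matters: the chain is verified before the signature, so a valid signature from a certificate that no trusted QTSP issued is never treated as evidence of anything. Passing an empty root set to `VerifySeal` rejects every seal, which is the safe default when a bank has not yet configured which QTSP roots it trusts.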
Following are a few significant changes that PSD2 brought to the earlier version:
PSD2 applies to all consumers within the EU member nations. While the regulation is primarily aimed at EU banks and financial service providers, companies outside the EU must comply with PSD2 when transacting in the EU. For example, US-based companies must ensure that their EU business units are PSD2 compliant. PSD2 also applies to the UK, regardless of its affiliation with the EU.
| Benefits of PSD2 for Consumers | Benefits of PSD2 for Payment Service Providers |
|---|---|
| Improved payment experience | Better customer engagement |
| Higher transaction security | Low risk of payment fraud |
| Confidentiality of account information | Access to rich consumer data for risk assessment and creating new revenue streams |
| Wide range of payment options | Fair market competition |
The objective of PSD2 was to develop an integrated standards-based payments market, provide a level playing field for new players, and improve the customer banking experience. It plays a significant role in the banking revolution the EU is experiencing. By complying with PSD2, financial institutions can benefit from attractive growth opportunities that online banking brings, while customers can enjoy a convenient and secure banking experience.