What is PSD2?
In 2009, the European Union’s (EU’s) first Payment Services Directive (PSD) was designed to regulate payment services and providers throughout the EU and European Economic Area (EEA). The aim was to increase pan-European competition, open up the payments industry to non-banks, and create a level playing field by harmonising consumer protection and the rights and obligations of payment providers and users. New behavioural changes have called for an update to the PSD, known as PSD2. This will have a significant impact on the payment market for all Payment Service Providers (PSPs) and Merchants.
PSD2 implies two major changes for merchants:
- Increased innovation through Access to Accounts (XS2A).
- Enhanced security and reduced fraud through Strong Customer Authentication (SCA).
1. Access to Accounts (XS2A)
This is potentially one of the most transformative elements of PSD2. Previously, access to bank accounts was restricted to either the account issuer or unregulated providers using ‘screen scraping’ and consumer security credentials. Under PSD2, any regulated third party can now access a consumer’s bank account with the consumer’s consent. This gives merchants the opportunity to access data and the ability to initiate payments – banks are mandated to provide interfaces to support this access.
This change (also known as Open Banking in the UK) will lead to greater innovation in the payment industry, with new consumer experiences based on Account Information Service Provider (AISP) and Payment Initiation Service Provider (PISP) services. For example, consumers could see all their accounts in one place, or make online payments by bank transfer. Online payments by bank transfer are already very popular in the Netherlands, with over 56% of payments made using this method compared with just 20% via card schemes¹.
XS2A provides two opportunities for merchants. First, access to bank data will enable the development of data insight tools, allowing merchants to make more personalised offers. Second, merchants will be able to offer new payment methods using PISP services, with lower costs and chargeback risks.
2. Strong Customer Authentication (SCA)
From September 2019, all electronic payment transactions will need to be authenticated by at least two of three possible methods:
- Knowledge: something only the user knows, such as a password
- Possession: something only the user possesses, such as a token or mobile phone
- Inherence: something the user is, such as a biometric (e.g. fingerprint recognition)