PSD2 Compliance: A Guide to the (Not So) New Payment Services Directive
The Revised Payment Service Directive, also known as the second Payment Service Directive or PSD2 for short, is a regulation rolled out by the European Union. It is intended to protect consumers by making card-not-present (CNP) payments safer and more secure through Strong Customer Authentication (SCA) and to create a more integrated European payment market with a leveled playing field for both old and new payment service providers.
Watch our video series to learn more about maximizing approval rates while remaining compliant with PSD2:
Video Series: (Almost) Everything you Need to Know About PSD2 in Under 10 Minutes
Strong Customer Authentication (SCA) is a PSD2 requirement
The regulation mandates that all electronic transactions be authenticated using multi-factor authentication (MFA). The “factors” used to verify identity are: something you know (like a password or a PIN); something you are (biometrics, such as a fingerprint); and something you have (device ID or card). The most common method of multi-factor authentication is 3DS2, which requires two of the three factors and as such is also known as two-factor authentication, or 2FA.
Card networks within the EU, such as Visa and Mastercard, rely on the 3DS protocol for SCA, and are planning to stop supporting the earlier 3DS1 in favor of the new (and improved) 3DS2 by October 2022.
The original Payment Service Directive (PSD) was introduced in 2007 with the aim of creating a single, unified payment market within the EU to increase efficiency, innovation, and competition. In 2015, the EU amended the directive to account for new types of payment services and providers that were at the time unregulated, and to update rules and definitions that caused legal uncertainty or were applied differently by the various member states within the European Economic Area (EEA).
- EEA – European Economic area. Includes the EU member states plus Iceland, Liechtenstein, and Norway. Switzerland is not a member of either the EU or the EEA.
- EBA – European Banking Authority. The regulatory agency of the European Union that administrates PSD2.
PSD2 was rolled out gradually in 2018, with the national regulators in different countries publishing schedules that spanned multiple months and enforcement stages to allow the market to adjust to the changes. Full enforcement was set for September 2019, but extended until December 31, 2020, with two exceptions (France and the UK).
Which transactions fall under PSD2?
PSD2 applies to transactions where both the issuer and the acquirer are located within the EEA. The physical location of the cardholder and the merchant is not a consideration of the PSD2 regulation.
- Payment Service Provider (PSP): In the context of PSD2, the customer’s PSP refers to the issuing bank, while the merchant’s PSP refers to the acquiring bank.
- Two-legged transaction: payment transactions where both the issuer and the acquirer are located within the EEA. Any “one-leg-out” transaction is out of scope.
- Out-of-scope transactions: transactions not covered by PSD2. The Issuer will not apply SCA and shoppers will not be presented with an authentication challenge, unless the merchant specifically asks for 3DS in their payment request. This includes:
- One-legged transactions: where either the issuer or the acquirer are located outside the EEA.
- MIT: merchant-initiated transaction, A transaction, or a series of transactions, governed by an agreement between the cardholder and the merchant – for example, subscription services. Based on this agreement, only the first transaction in an MIT series requires successful authentication. Each subsequent payment can be initiated by the merchant without any direct involvement from the cardholder.
- MOTO: mail order/telephone order. A CNP transaction is where the shopper provides the merchant with their order and payment details by regular mail (not email), fax, or telephone.
- Anonymous transactions: customers do not need to complete SCA when an anonymous payment method is used, e.g., a gift card.
Exemptions under PSD2
SCA increases protection against fraud but also adds friction to the payment process. The regulation therefore also defines criteria for scenarios that are within the scope of PSD2 but can be exempted from the SCA requirement while remaining compliant. These include low-value transactions, low-risk transactions, and transactions with pre-approved merchants and corporate payments. It is the issuer who decides whether to grant the exemption or not.
- Transaction Risk Analysis (TRA): Real-time risk analysis of the transaction that takes into account specific risk factors and provides a risk score, thus enabling the PSP to assess the risk level of the transaction. When a transaction is deemed low-risk, merchants can ask to process it with no additional verification steps, reducing friction. This is known as a TRA exemption.
- Trusted beneficiary exemption: Following a strong authentication payment session, customers will have the ability to pre-approve beneficiaries, for example, the merchants they trust, allowing issuers to exempt future transactions between this cardholder and merchant from SCA. This exemption, sometimes referred to as whitelisting, is only available for 3DS 2.2, which is the 3DS2 version mainly used in Europe, and depends on whether the issuer supports it.
- Low-value transactions: Transactions under €30 generally do not require SCA, except in specific circumstances:. If a customer conducts five unchallenged consecutive transactions with the same card, or if the total transaction sum exceeds €100, the issuer will require SCA.
- Secure corporate payments: This exemption can be applied for all non-personal transactions from secure corporate environments, if executed with eligible cards.
PSD2 compliance
PSD2 requires compliance from all actors in the payment ecosystem. However, the local issuing banks are the de facto enforcers of the regulation, due to their oversight of the entire authorization process. According to PSD2, issuers are obligated to check if a transaction has been through SCA, and have the authority to decline an authorization request for transactions that did not first go through SCA.
Soft declines
To prevent mass payment declines and major revenue losses, a new type of decline has been added with 3DS2. When the issuer receives an authorization request without an SCA flag, they can return a unique decline code indicating SCA is required. This decline code does not terminate the payment attempt, allowing the merchant to recover the transaction by routing it to SCA.
PSD2 blind spots
While PSD2 offers certain benefits to merchants, it is not without its challenges. These include:
- Friction: SCA is often accompanied by a drop in conversion rates as consumers abandon their carts after encountering an additional authentication step during checkout. Consumers who are not used to SCA can become confused or uncomfortable by the request for additional personal information, with attitudes towards certain authentication measures such as biometrics changing considerably from market to market. Friction throughout the payment flow can cause frustration, or even cause shoppers to think something has gone wrong with the transaction, prompting them to terminate it.
- Fraud: SCA will likely reduce fraud for intra-EU transactions, but it’s not fraud-proof – in fact, it’s not even an anti-fraud solution, but rather a security protocol. Also referred to as a cryptographic protocol, it is an added layer of security in which legitimate participants exchange encrypted information according to a predefined procedure. It is not a fraud analysis tool, meaning that if a fraudster takes over a device or successfully phishes for personal information, it can be bypassed. An anti-fraud solution, on the other hand, is a tool that actively detects and prevents fraudulent activity within digital channels.
Furthermore, as previously stated, there are transactions that do not fall within the scope of PSD2, and with the regulation complicating things, fraudsters may well increase focus on channels such as MOTO.
- Market fragmentation and unreadiness: Merchants depend on the enforcement and technological capabilities of issuers for their customer experience and bottom-line revenue. Unequal market rollout can result in an inconsistent authentication experience during checkout for both merchants and consumers – for example, when one issuer has upgraded to 3DS 2.2, which enables trusted beneficiaries, while another has not
- Bank authorization rates: Another challenge is the maturation level of the authentication platform used, i.e., the performance of the authentication risk decision engine. Before PSD2, only high-risk transactions were sent for authentication. After the enforcement deadline, when the majority of transactions are sent to 3DS, only the lowest-risk payments are excluded. This essentially changes the population of orders that undergo authentication risk analysis, which could potentially make issuers overly cautious, resulting in more false-positive declines. Another thing that could limit their risk appetite is the significantly larger volume of orders they would be liable for
- Conversion rates: Conversion rates have taken a hit under PSD2, resulting in lower revenues for merchants. The key reasons for this are:
- Unnecessary friction leading to cart abandonment
- High decline rates from banks due to transactions being categorized as high-risk
- More declines resulting in a higher overall fraud rate for merchants, which could lead to increased scrutiny from banks
These can be combated by making efficient use of exemptions, and partnering with a fraud solution vendor to make sure only the safest orders proceed to authorization.
3-D Secure, or 3DS, is a strong customer authentication protocol activated during a card-not-present (CNP) checkout process to confirm the cardholders’ identity prior to authorization. It is an extra layer of protection designed to reduce the risk of online fraud. Merchants all over the world use 3DS as a component of their eCommerce fraud prevention program.
"The devil is in the details" is often said when a hidden element threatens a plan’s overall feasibility. In the context of Europe’s PSD2 Secure Customer Authentication (SCA) requirements, the devil is in 3D Secure metrics.
Global online retail sales are expected to surpass the $7 trillion mark by 2025, according to eMarketer. So that’s the good news. However, the bad news is that this notable growth in sales will inevitably lead to a rise in eCommerce Fraud. In this blog, I will discuss top prevention strategies of ecommerce fraud.