Tom Pugh is the Head of Client Services at Revive Management. Here he shares his insight into what PSD2 means for your payments?
Is 14th September 2019 in your business calendar?
If your organisation processes payments online then it should be – because that is the final deadline for complying with the Regulatory Technical Standard (RTS) of PSD2, the revised Payment Services Directive issued by the European Commission for innovation, improvement and internet payment safety.
Confused? Let’s take a closer look.
What does PSD2 aim to achieve?
PSD2 was initially adopted in 2015, and becomes applicable in January 2018. It is an updated version of the original directive aiming to create ‘an efficient market for payment services in Europe’. This updated version builds on the first directive most clearly in areas related to consumer rights, including complaints handling and surcharging, third-party access to account information and, crucially, enhanced security.
PSD2’s objectives include: making it easier and safer for shoppers (and businesses) to use internet payment services; delivering better consumers protection against fraud, abuse, and payment problems; promoting innovative mobile and internet payment services; and strengthening consumer rights. It also aims to strengthen the role of the European Banking Authority (EBA) to coordinate supervisory authorities and draft technical standards.
The RTS, that final piece of the directive which comes into force in September, specifies the final security measures which organisations are expected to deploy to be compliant with PSD2.
What does this mean for your businesses?
In practice, this means that organisations wishing to process payments online – remembering that this applies to businesses across a range of sectors including utilities, leisure, transport and other services, as well as ecommerce businesses – have until 14th September to implement security measures.
Specifically, they have until 14th September to implement strong customer authentication, or SCA, on all remote ecommerce transactions of €30 or more (some transactions under €30 will also require SCA under the cumulative rule). And this isn’t just a ‘nice to have’, or something you can catch up on a week or two later. As of 14th September, you will be technically unable to process payments without SCA. A hard stop is in place, policed by the major payment companies.
So if you want to be able to continue accepting payments online, continue selling your goods or services and continue maintaining good relationships with your customers, you need to implement SCA now.
What does SCA look like?
SCA delivers enhanced authentication for online payments. It requires customers to verify their identity through at least two of the following: a biometric factor; this is something they are such as a fingerprint, voice recognition or facial recognition software, a phone or other piece of hardware; this is something they have, or a PIN, password or security question; which is something that they know. Each of these methods of additional verification has its own advantages and disadvantages – and each introduces an additional stage for customers to go through when completing a payment, potentially increasing friction.
The role of Digital Wallets
One of the exceptions is if you process payments via a digital wallet solution, because the wallet essentially counts as a single method of identity verification in itself. In turn, this means that you as the business accepting payments only need to implement one additional method of identity verification for those payments. The use of digital wallets is forecast to increase drastically over the next few years – in China, for example over a third of transactions are already made using ewallets. Additionally, regular payments such as those for a subscription service or paying a bill on a regular basis may be fast tracked through to an approved customer list.
PSD2 is part of a more general shift to Open Banking, which allows authorised third parties to access customer information that was previously available only to banks. This enables businesses to offer their customers more innovative and user-friendly means of paying for goods or services rather than simply a credit or debit card and, in turn, prioritise their convenience. Provided you choose fully compliant third-party payment partners, PSD2 really is an opportunity to make your online payment processes more agile, more customer-centric and ultimately more secure.
The countdown is clearly on. With just four months to go until the PSD2 comes into final force, ensuring that your business is ready has to be a key priority. First, you need to check that all of the third parties involved in your online payments processes are fully PSD2 compliant. Next, you need to implement SCA processes if you have not already done so, bearing in mind that keeping customer friction to a minimum is key from an ecommerce and marketing perspective. Introducing digital wallet functionality could prove a hugely valuable step, given the huge forecasted increase in their popularity over the coming years.
PSD2 sounds complicated, but a few simple steps can ensure your house is in order well in advance of the deadline, and that you are ready to process online payments smoothly and securely from 15th September onwards.