What is the revised Payment Services Directive (PSD2)?
The countries of the European Union have developed PSD2, also known as the revised Payment Services Directive (EU Directive 2015/2366). It enhanced the EU regulations which were put in place by the initial Payment Services Directive in 2007. PSD2 came into effect on 12 January 2016, with a deadline of 13 January 2018 for the EU Member States to implement it as national law. The revised Payment Services Directive not only revolutionises the payments industry but also changes the way we make payments online and what information we see when making a payment.
Main objectives of PSD2
The main aim of PSD2 is to support competition and innovation in the retail payments industry, enhance the security of online payment transactions and the protection of customer data by:
- Integrating, standardising, and improving payment efficiency in the European Union;
- Increasing protection from fraud and offering better customer data protection;
- Promoting innovation in payments and reducing payment processing costs;
- Providing clarity on the use of emerging payment methods such as mobile and alternative payments;
- Creating an equal competition environment for payment service providers regardless of their size – i.e. enabling new companies to get into the payments space;
- Harmonising pricing and improving the security of payment processing across the European Union;
- Incorporating new and emerging payment services into the regulation, e.g. payment account information and payment initiation services.
Regulatory Technical Standards
The Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) are a non-direct part of PSD2. They lay down common and secure open standards of communication and guidelines on incident reporting and security measures for operational and security risks. These RTS were developed by the European Banking Authority (EBA) in cooperation with the European Central Bank (ECB). The Regulatory Technical Standards were published in the Official Journal of the European Union (OJEU) on 13 March 2018 and apply as of 14 September 2019. Although payment service providers are already legally required to provide their services in accordance with these security-related standards, the EBA has established a transition period until 31 December 2020. This means that payment service providers can postpone the implementation of the RTS on Strong Customer Authentication without worrying about any fines from the regulators.
However, all payment service providers are recommended to fulfil the requirements of the RTS as soon as possible. These requirements include:
- Implementation and use of Strong Customer Authentication (SCA) solutions;
- Implementation and use of transaction and device monitoring to identify unusual payment patterns;
- Provision of reliable and standardised access to payment accounts. The main aim is to reach an agreement on one API technical specification across Europe which will make it possible to identify and communicate with third-party payment service providers in a secure way.
Rules for third-party payment service providers
The revised Payment Services Directive (PSD2) opened up the EU payments market to third-party payment service providers offering services based on access to information from payment accounts, such as payment initiation services, account information services, and issuance of card-based payment instruments. PSD2 requires all such service providers to be authorised and regulated.
Moreover, PSD2 defines rules for access to payment accounts for such third-party payment service providers. EU Member States must guarantee that account servicing payment service providers (ASPSPs) do not prevent or in any way limit the use of payment initiation and account information services for the accounts they hold. ASPSPs cannot restrict access to the accounts they hold unless the third-party payment service provider is unauthorised or is suspected of fraudulent activity.
Liability regime under PSD2
The revised Payment Services Directive (PSD2) addresses liability issues between the bank holding the account and the payment initiation service provider (PISP). In the event of an unauthorised transaction initiated through a payment initiation service provider (PISP), the account servicing payment service provider (ASPSP) must refund the payment service user. In such cases the PISP is liable for the unauthorised transaction and must without further ado compensate the account servicing payment service provider (ASPSP).
Enhanced consumer protection under PSD2
Apart from introducing Strong Customer Authentication (SCA) rules, PSD2 defines and enhances overall consumer protection. In the case of unauthorised transactions due to misappropriation of payment instruments, the user is not held liable and must be refunded immediately. In other cases of lost or stolen payment instruments, payment users have an eight-week refund right and are held liable for a maximum of 50 EUR, provided that they have notified the payment service provider and did not act carelessly or fraudulently.
The surcharge ban under PSD2
The revised Payment Services Directive (PSD2) prevents merchants from charging additional fees when the consumer makes a debit or credit card payment, a direct debit, or a credit transfer. The surcharge ban itself applies only if the consumer’s bank, card issuer, and the payment service provider of the merchant are within the European Economic Area (EEA). Even if the surcharge ban does not apply, the amount of any additional fees charged cannot be higher than the cost incurred by the merchant in accepting the specified payment method.
How can PSP Lab help?
If you wish to learn more about the revised Payment Services Directive (PSD2), or to implement and comply with the regulations within your business, you can reach out to us today. At PSP Lab we know how to streamline the processes in order to remain compliant while reducing the hassle and easing the customer journey.