Few things have influenced digital transformation as much as the rise of global ecommerce and other forms of online payments. The need to initiate, accept, process, and protect card-not-present transactions from anywhere in the world at any time drove companies to create an infrastructure for digital payments. However, as with any platform or channel used to exchange sensitive data and other personal information, it soon became necessary to ensure security and fair practices.
This administrative gap led to the creation of today’s international compliance measures and industry standards that regulate digital payments. These regulations dictate how sensitive payment data should be handled and establish fines and other penalties for noncompliance. Many have been updated since their initial creation in the early 2000s, and they continue to evolve with the developing payments landscape.
The most influential regulation for credit card payments is the Payment Card Industry Data Security Standard (PCI DSS), which was created by the five major card brands—Visa, Mastercard, Discover, American Express, and JCB International—but it’s not the only one for the payments industry.
In the European Union, digital payments fall under the jurisdiction of the Payment Services Directive (PSD). In this post, we’re going to focus on European payments—specifically the European Economic Area (EEA)—so we’ll be covering the PSD2, the latest version of the law.
What is PSD2 in Simple Terms?
Originally adopted as PSD in 2007, the directive forms the legal foundation of the Single Euro Payments Area (SEPA). This initiative was designed to enable easier payments between the 74-member body of the European Payments Council and improve consumer protections for citizens of the EU member states. Its overall goal was to increase participation and, in turn, competition in the European payments industry by bringing payment service providers (PSPs) together under the same set of regulations and standards.
One of the key elements of the PSD was its intention to introduce fair rules and practices to the European payments industry. This was accomplished primarily through the idea of “maximum harmonization.” This concept was meant to consider the rights and obligations of PSPs along with the need for consumer protections, striking a balance between the two to create regulations that increased competition, protected users, accelerated the payments process, and clearly defined rights and appropriate procedures.
The regulation consists of two primary components: market rules and business conduct rules. The market rules defined which organizations were eligible to provide payment services and introduced the term payment institutions (PIs). They also stipulated which organizations could be considered which and how organizations should apply to be authorized PIs.
The business conduct rules established what information PSPs needed to provide in the event of a data request and detailed additional rights and obligations of PSPs and users. These details included guidelines for authorizing and executing transactions, in addition to delineating responsibilities and processes for refunds and revocations. Further, the PSD established a “competent authority” for each country to supervise payment institutions within its borders.
PSD was updated in 2009 and 2012, but those updates did not address the pressing issues of the regulation’s limited scope (it covered only transactions that occurred between EEA nations), vulnerabilities created by exemptions to the regulations, inconsistencies regarding fees and rebates, the regulation of third-party providers, debit refunds, or other concerns regarding security, access, and privacy.
Because of these lingering problems, PSD was revised and re-enacted as PSD2 in 2015. This updated version of the regulation improved security and modernized payments by better protecting consumers, promoting innovation via development of online/mobile payments and open banking, and making international payments safer.
PSD2 was further supplemented in 2017 with amendments regarding strong customer authentication (SCA) and common and secure communication (CSC) standards. These two measures were especially important in terms of protecting cardholder data and preventing payment fraud.
A Deeper Dive: What is PSD2’s Impact?
One of the primary focuses of PSD2 was to enable open banking within the EEA. Open banking is the concept of embracing forward-thinking financial practices such as using APIs to enable the integration of third-party applications and servers, adopting modern standards for data privacy, becoming open to the deployment of open-source technology, and pursuing other similar innovative practices.
In addition to encouraging open banking, the PSD2 included SCA requirements for verifying the legitimacy of electronic payments. PSD2 mandates the use of SCA each time a payment is created or a consumer accesses its payment account. SCA requires two or more security elements for verification: password, PIN, fingerprint, card authentication, or a unique authentication code. 3-D Secure (3DS2) is a commonly used security protocol for satisfying this requirement.
Another prominent component of the update is its requirement of CSC standards for authenticating communication between parties participating in the payments process. These standards require banks to establish secure communication channels to interact with third parties and provide them with access to sensitive payment data under PSD2.
What is PSD2's Effect on Me?
If your organization is based in the EEA and accepts ecommerce transactions or other digital payments from the EU, you likely are subject to PSD2. PSD2 empowers consumers and organizations to use a third-party provider to make payments and manage their finances. These third-party providers can be fintechs that augment services with apps, financial organizations, or standalone service providers. Traditional financial institutions have to provide open API access to third-party service providers, which fall into three categories:
- Account information service providers (AISPs) have access to sensitive data so they can analyze spending patterns to gain greater business intelligence.
- Payment initiation service providers (PISPs) are the service providers that initiate the payments on behalf of the consumers or organizations.
- Account servicing payment service providers (ASPSP) are the issuing banks of the consumers.
These entities will handle sensitive personal data sets for both individuals and organizations, such as payment card data, bank account information, first name, last name, taxpayer identification numbers, etc. Handling of personal data causes these organizations to fall under GDPR compliance requirements.
However, many exemptions to the directive exist, mainly for smaller payments or transactions that are considered low-risk. Examples of these exemptions include contactless transactions of less than €50, online transactions of less than €30, transactions deemed “low risk,” payments made by businesses, transactions from whitelisted merchants, recurring transactions, and other payments with a reduced opportunity for fraud.
What is PSD2's relationship with GDPR? Learn about the intersection of payments and privacy compliance in the European Union by downloading the ebook below.
What is PSD2's Compliance Process Like?
Ultimately, PSD2 compliance is satisfied by addressing the relevant obligations specific to an entity's role in the payments process. SCA requirements can be met by using approved methods for authentication, such as 3DS2, and requirements for secure communication can be met via Qualified Certificate for Website Authentication Proof (QWAC) and/or Qualified Certificate for Electronic Seals (QSealC) certificates.
The TokenEx Cloud Security Platform is compatible with each of these mechanisms and provides a complementary solution for achieving PCI compliance through tokenization of sensitive payment card data. Our Transparent Gateway enables simple integration with any third-party API and provides flexibility as ecommerce and digital payments continue to evolve.
Each of our payments solutions has been designed to seamlessly operate within our clients’ payment flow to reduce the risk of accepting and processing sensitive financial and personal data. To learn more about TokenEx or cloud-based tokenization, contact us at firstname.lastname@example.org.