PSD2 follows on from the First Payment Services Directive (PSD1) adopted in 2007.
Introduced to make payments more secure within the European Union and to encourage historic market players to adapt to technological developments, PSD2 encourages innovation in the banking sector.
It is also designed to reduce the risk of fraud and thus make financial transactions more secure.
The First Payment Services Directive was introduced in 2009. Also known as PSD1, it was signed by all members of the European Union.
“The main goals of PSD2 were to provide better protection for payers and generate competitive stimulus for the banking sector.”
As a result of this directive, Internet payments have become easier, in particular with the introduction of the SEPA standard.
PSD1 has thus given more choice in selecting service providers, more information and a guarantee that our payments are secure.
Since 2009, adjustments have been made in line with market trends and risks.
PSD2 is the Second Payment Services Directive.
Passed by the European Parliament in 2015 and in force since September 2019, it has led to many changes in the payments sector.
PSD2, the cornerstone of payments innovation
PSD2 introduced the concept of “Payment Initiation Services” (PIS) and “Account Information Services” (AIS).
Payment Initiation Services (PIS) enable third-party service providers to initiate payments from a customer’s bank account, with the customer’s consent.
This new concept facilitates usage and the customer experience, and broadens competition in the payments sector, which was previously the preserve of traditional players.
PSD2 payment initiation also reduces the risk of fraud even further, giving consumers greater peace of mind when making transactions.
Account Information Services (AIS) allow the new players to access customers’ banking data with their consent.
These new services have made it possible to promote solutions such as account aggregation and personal finance management.
PSD2, a means for strong authentication
To improve the security of online transactions, PSD2 introduced the requirement for Strong Customer Authentication (SCA) for electronic payments.
“Before PSD2, payment security was ensured by receiving an SMS containing a code to secure the transaction.”
This mechanism was introduced in 2009 by PSD1 to reassure consumers.
Deemed insufficient given the increasing risk of bank fraud in recent years, PSD2 has changed the authentication conditions.
Effectively, it adds an extra layer of identification to this SMS, which was already very reassuring when it was first created.
Known as SCA or Strong Customer Authentication, this added identification can take various forms.
It requires use of two out of the three authentication methods available, to comply with the European directive and thus be truly effective.
These are the three strong authentication methods:
- First method: Use of personal data
Taking the form of a code, a password or the answer to a personal question, the identity of the person using a given payment method is verified.
Questions might include “What is your mother’s maiden name?” or “The name of your first teacher”, for example.
- Second method: Use of a personal electronic device
To protect a payment and reduce the risk of fraud, another authentication method is to use a personal electronic device such as a computer, tablet, smartphone or a peripheral such as a USB stick.
As the device belongs to a party to the transaction, there is less chance of it being used by a fraudulent third party.
- Third method: Use of a fingerprint
New technologies have led to the emergence of identification by biometric recognition or a unique body signature.
Each individual has a unique fingerprint, face, voice and eyes.
A scan of the area in question can thus be used for strong authentication.
Often used for online payments, this two factor authentication is intended to provide additional security.
PSD2, a protective shield for customers
The directive prohibits different processing fees for credit card and debit card payments, thereby helping to reduce costs for merchants and consumers.
As a result, competition between the different bank card payment methods has become fairer, ensuring a level playing field for the various stakeholders.
“In addition, PSD2 lays down clear rules on liability in the event of fraud.”
In the event of transaction fraud, liability is shared between the bank and the customer, depending on the due diligence exercised by each party.
In case of non-compliance, a complaint can be made.
The time taken to respond to PSD2 issues by the Commission and the European Central Bank is two weeks on average and can be as long as 35 working days.
Refunds will be normally be made the following day, but this may be later in special cases.
Fraud reported in writing directly to the Banque de France, drafted by a service provider, can prolong processing times.
PSD2: what impact on the payments ecosystem?
Since PSD2 came into force, the payments industry has seen major advances, encouraging the emergence of new players with innovation still predominating, while increasing security for end customers.
- Emergence of new players
PSD2 has opened the door to a new generation of financial players, such as FinTechs and external players known as TPPs (Third Party Providers), who can offer innovative payment solutions without having to be directly affiliated to traditional banking institutions.
The historic players have been obliged to open up their data to accredited third parties via specific Application Programming Interfaces (APIs).
To take advantage of this innovative regulatory environment, many companies have been launched or have expanded to manage all or some of the existing banking services, some of them specialising in payments.
- Innovation in payment solutions
The directive has stimulated innovation in payment solutions, encouraging the development of mobile payment services, e-wallets and other alternative payment methods.
“Innovation is also about changing business models because, due to PSD2, collaboration between traditional financial institutions and new players has been strengthened.”
Several banks have acquired or partnered with fintechs or institutions with a specific innovation in the payments sector in order to benefit from their advanced technological solutions.
- Consumer protection
PSD2 has strengthened consumer protection by imposing stricter security standards and improving transaction transparency.
“90 days after the customer’s first authentication, a new authentication is requested on the various platforms or account aggregators.”
In fact, the Second Payment Services Directive imposes a legal framework on payment initiators. If this data is retained, the French Prudential Supervision and Resolution Authority (ACPR), part of the Banque de France, may impose penalties.
- PSD2: what comes next?
The introduction of PSD2 marked a significant turning point both for financial services and, if you are a merchant with payment-related issues to manage, for the solutions now available on the market.
Greater security in terms of data exchange, less fraud, more competition with new players and a more harmonious European banking system are all now possible as a result of PSD2.
This is the case in France, but also throughout Europe in the SEPA area, as the rules are common to all these countries.
PSD2 has enabled new payment solutions to emerge and new players to enter the market, while strengthening consumer protection and improving the security of online transactions.
Today, the effects of PSD2 are being felt not only in the financial sector, but also in the daily lives of consumers and merchants, who are benefiting from more modern payment options and more secure processes.As we await introduction of its new version, PSD3, there is no doubt that new changes are in store, with opportunities to (re)discover new solutions that are even more innovative, robust and secure.
