Getting Up to Speed on PSD2 Regulation

Europe's Payment Services Directive II (PSD2) is now a reality, though many of the details are still to be determined.

If you're a merchant with operations in the European Economic Area (EEA), you may have heard rumblings about Payment Services Directive II (PSD2) -- new regulations aimed at updating EEA payment standards for the digital age, enhancing payments security, and leveling the playing field for alternative payment providers.

PSD2 will have broader geographic reach than previous regulations. All transactions, even if one party is not in the EEA, may be subject to the new regulations.

PSD2 has been in the works for years, and it’s recently passed a significant milestone: January 13, 2018, was the deadline for payment organizations to update their terms and conditions (see Braintree's updated agreement) to incorporate regulatory changes and for individual EEA member states to adopt PSD2. While most of the changes have taken effect, merchants will have until September 2019 to comply with one key area, Strong Consumer Authentication. More on that later.

No doubt, the new directive could ultimately have far-reaching implications for financial services companies, merchants, and consumers. And while PSD2 itself has been finalized, the interpretations of the regulations are likely to vary from country to country.

As a leading provider of payment solutions, we’ve been analyzing PSD2 since the beginning. Given our status as a banking institution in the EEA, providing services for both consumers and merchants, we’ve been working with key decision-makers to provide insight into implementing the directive. We've spent hours and resources interpreting the directive to ensure we can leverage the new opportunities that have arisen from these regulatory changes with minimal impact to day-to-day operations for our merchants.

In the meantime, here's what you need to know about PSD2.

The Backstory

The European Commission adopted the original Payments Services Directive in 2007 to create a single market for payments in the EEA. As the growing digital economy gave rise to new players, however, regulators decided it was time for an update. The commission proposed a review in 2013, received approval in late 2015, and in 2017 the European Banking Authority published its final directive and regulatory technical standards (RTS) related to customer authentication and secure and common communications.

Although PSD2 is designed to create a common standard across member states, individual countries have some leeway on how they interpret and enforce the new directive. Hence, the uncertainty around what exactly merchants will need to do to comply.

The new directive includes more than 100 articles, but the most important changes for merchants fall under four categories: strong customer authentication, account access, licensing of marketplaces, and surcharging.

Strong Customer Authentication (SCA): Under the directive, merchants will likely be required to use SCA on at least some transactions when executing a payment. This means customers will need to provide two independent authentication factors, for the transaction to be approved. These factors are categorized as: “knowledge” -- something you know, typically a password or PIN; “possession” -- something you have, such as a device; and “inherence” -- something you are, typically a fingerprint or other biometric.

PSD2 makes it clear the applying SCA is the principle for all transactions, and exemptions will be narrowly defined. However, there are practical and safe exceptions such as low value purchases, or repeat transactions with a trusted merchant or beneficiary.

Again, the details are still a work in progress and will almost certainly require merchants to incorporate new security features into their checkouts. Whatever unfolds, Braintree has been working on solutions for merchants to update their integration as quickly and seamlessly as possible.

Access: Another key category of the new directive centers on open banking Application Programming Interfaces (APIs), known as "access to accounts" or XS2A. There are many facets of XS2A, but the primary aim is to level the playing field for alternative lending and payment providers by giving them direct access to customer account information, with consent. Opening up access to this data could result in new solutions for online payments as well as a number of improvements, to the benefit of consumers, merchants, and those who support parties on both sides of the transaction.

Within payments, XS2A is also likely to introduce an additional option for customers -- payments can be completed with their financial institutions in lieu of using a credit card or debit card. Expectations are high from those closely watching this area. Namely, there is the potential for XS2A to facilitate more competitive payment methods and make data more accessible to companies that previously relied on screen scraping and other less-accurate methods of data collection.

Licensing: This third area has been the source of stress, debate, and speculation for merchants who handle payments between buyers and sellers of other goods and services. Under the new directive, merchants that are viewed as marketplaces will be regulated under PSD2 and may need to take additional action, as exemptions that applied in the past may no longer be applicable. Now, some marketplaces may be considered a financial intermediary and therefore required to register as a payment institution -- at a significant expense -- or delegate payments to a licensed payment institution.

Merchants who think they may be classified as a marketplace should seek legal advice to understand how they may be impacted.

We understand the very specific needs of these types of businesses and we currently support many different types of marketplaces around the world. In conjunction with assessing your PSD2 obligations with your own legal and compliance teams, we would welcome a discussion to review the wide variety of tools and services Braintree can provide to assist in working within the regulatory guidelines.

Surcharging: PSD2 also puts tighter limits on surcharges for credit cards, debit cards, and other payments processed through an intermediary, such as Visa or MasterCard (American Express and other third-party payment methods aren't affected). These surcharges, which are often referred to as interchange, have been under increasing scrutiny over the past several years. That said, many countries in the EEA have banned surcharging.

The Upshot

While regulation is rarely associated with innovation, PSD2 has the potential to be a catalyst for major shifts in how payments are carried out, offering the potential for significant improvements in consumer and merchant experiences alike. In fact, Braintree merchants can expect to benefit from different aspects of these changes while not needing to take much action. Banks will be taking on the bulk of the burden to make consumer data available, service providers will have the opportunity to leverage access to this data, and merchants and consumers will reap the benefits of a more competitive landscape and a more secure payment experience.

Braintree has always been an advocate for simplifying payments, balancing security and convenience, and helping to ensure that our merchants have the tools, framework, and insight they need to navigate changes.

We think PSD2 should encourage more collaboration between traditional financial-services providers and alternative non-bank providers, including digital payment companies. This should benefit merchants' ability to serve their customers, manage their funds, and grow their businesses.

While many of the details of PSD2 are still a work in progress, our legal and technical experts are monitoring developments and are ready to implement the necessary changes to our platform as the regulatory roll out information unfolds. Stay tuned for more updates.

Sarah Stapp Sarah is an International Growth Manager and has been on the ride that is Braintree since 2010. More posts by this author

You Might Also Like