One of the newest regulations for payment services and processors is the European Union’s Payment Services Directive or PSD2. The PSD2 began taking effect in September of 2018 and is designed to boost digital banking innovation while increasing security and consumer rights. Although PSD2 is an EU regulation, it’s expected to have a major impact on how banks, payment processors, and fintech firms do business globally.
Discover your weak points and strengthen your resilience: Run a Free Ransomware Readiness Test
In this article, we’ll cover the basics of PSD2, how it’s structured, and the requirements it sets forth. You’ll also learn who exactly PSD2 impacts and how to best prepare for when it affects your organization.
- What is PSD2?
- PSD2 Compliance Requirements and Controls
- Key Changes & Who They Impact
- What PSD2 Means for Your Business and How to Prepare
What is the Payment Service Directive (PSD2)?
PSD2 is the EU’s attempt to both encourage innovation and protect customers in a single regulatory effort. More specifically, the two major areas that PSD2 will impact are customer authentication and third-party access to consumer accounts. The regulation will mandate stronger requirements for online transactions using multi-factor authentication (MFA). And to provide better service and enhanced innovation to customers, third-party services will be able to access accounts through an application programming interface (API) if customers give consent.
PSD2 Timeline
Here’s a brief timeline of PSD2 along with the very latest status and updates:
- 2007. The EU enacts the very first Payment Services Directive (PSD) to create a unified payment market in the European Union.
- 2013. The EU recognizes the need to update PSD based on technological changes and formulates the groundwork for PSD2.
- January 2016. The first stage of PSD2 begins as EU member countries vote to pass the regulation to be enacted in 2018.
- June 2017. An open, harmonized API for the EU is introduced, enabling third-party access under PSD2 standards.
- November 2018. Strong customer authentication measures are introduced under PSD2 to better protect consumers from digital payment fraud.
- January 2018. All EU member states officially pass PSD2 and agree upon a future timeline for implementation.
- December 31, 2020. After multiple deadline postponements, PSD2 officially goes live and in effect for all EU member countries.
Which Regions Are Impacted?
The PSD2 applies directly to consumers in all EU member nations. While the primary focus is on EU banks and payment processors, companies whose headquarters are outside the EU may be subject if they have customers or users within EU jurisdiction. For instance, US companies still need to ensure that their EU business units are PSD2 compliant. So, if your company is even considering expansion into the EU market, you’ll need to become PSD2 compliant at some point in the future.
PSD2 Compliance Requirements and Controls
Under PSD2, companies are required to bolster how their customers securely interact with their accounts, in addition to how third parties access accounts via API.
Open API for Third-Party Access
The primary technological requirement for PSD2 compliance is providing an API that allows account information service providers (AISPs) access to customer information when it’s granted by the consumer.
Multi-factor Security Authentication
The other core aspect of PSD2 is that all payment processors and digital banking providers utilize multi-factor — or at least two-factor — authentication for user login. This is usually a combination of things like PIN numbers, biometrics, and text message verification.
Greater Customer Transparency
Per PSD2, companies need to provide more transparency in a couple of areas. First, companies will have to streamline the language in their terms and conditions to become more customer-friendly. They’ll also need to provide more transparency in currency conversion rates used in transactions.
Timely Complaint Resolution
The PSD2 also requires payment providers to resolve complaints in a timely manner. The regulation also stipulates exactly how incidents should be reported to EU regulatory bodies, customers themselves, and relevant law enforcement in the event of a criminal breach.
Surcharge Ban in Certain Instances
Under PSD2, merchants are prohibited from applying surcharges in certain instances. Ticketing, food and travel, and delivery websites can no longer charge additional fees for paying by debit or credit card, for example. The surcharge ban applies in both B2C and B2B settings.
Key Changes & Who They Impact
The changes from PSD to PSD2 are primarily aimed at reducing large financial institutional control over user data and increasing consumer rights. While some of the same controls and principles remain the same from PSD to PSD2, there are a few key differences:
- Consumers. PSD2 will allow businesses like Amazon to retrieve bank account data with permission. This is designed to help streamline the payment on online shopping experience for consumers while encouraging innovation.
- Brokerages. Under PSD2, banks and brokerages will need to be more transparent in their currency exchange rates used to process online payments. They’ll also be banned from charging certain processing fees.
- Banks. As they’re responsible for mitigating fraud risk, banks will need to implement advanced security controls. This includes analytics to validate the origin of inbound API calls and robust tools to detect fraud and cyber-attacks.
The introduction of PSD2 means banks, payment processors, and brokerages will all have to tweak how they approach customers and manage cybersecurity. But despite some challenges that PSD2 presents, there are benefits to the financial industry as a whole.
Challenges and Benefits for Banks
New transparency standards mean that pricing competition will likely intensify, as consumers now have more information and are able to shop around. This could mean a reduction in revenue as well as market share. Banks may also experience a reduction in customer touchpoints, as third-party services will be able to provide more of the digital banking experience via the API mandate in PSD2. Few touchpoints mean reduced opportunities for upselling and cross-selling of products and services.
However, PSD2 also creates opportunities for banks to compete as innovators, using their advanced analytical tools to extract valuable customer insights based on the mass amounts of data they’re already sitting on. Although third-party services can now access accounts, banks still control most of the data and can potentially tailor service just as well — if not better — and retain their role as trusted advisors. Moreover, banks can leverage these fintech players and third parties to either perform services that banks no longer want to, or as a lead generation source for new customers.
How PSD2 Will Affect the US Market
The PSD2 regulation will impact US businesses in a few key aspects, as merchants and card issuers aim to standardize security measures on a global basis.
Potentially Increasing US Fraud
One of the biggest impacts might be an uptick in fraud incidents in the US, as hackers may be less inclined to target the EU due to enhanced security measures. For instance, fraudsters are no longer able to test fake cards under security measures enacted under PSD2 and therefore may turn to the US for these and other fraudulent activities.
Compliance for EU Business Units
Companies doing business in the EU — although they may be based in the US — should still expect their European business units to comply with PSD2 mandates. And if a US business receives a good portion of web traffic or customers from the EU, they should also strongly consider PDS2 compliance.
Implement 3-D Secure Version 2 (3DS2)
While the EU was working on PSD2, the payments industry was working on a new authentication standard called 3-D Secure version 2 (3DS2). The goal is to have this standard implemented around the world, so US companies should expect to meet 3DS2 specified security and authentication requirements, even though PSD2 may not directly affect them.
What PSD2 Means for Your Business and How to Prepare
Depending on what type of business you’re in, preparing for PSD2 will require a few steps and measures.
Start Implementing MFA
Because MFA is core to PSD2, you’ll want to ensure that all of your apps, services, and platforms have this measure implemented. This applies to any merchant, processing, or digital banking service.
Audit Your EU Operations
Depending on whether you have business units in the EU — or if you receive significant traffic from Europe — you’ll want to audit your operations for PSD2 compliance. This means implementing MFA as above, as well as complaint response processes in alignment with PSD2.
Up Your Anti-Fraud Efforts
Because PSD2 security measures will likely make things like card-not-present fraud more difficult in Europe, you’ll want to prepare for a possible uptick if your business is based out of the US. Make sure to implement things like strong firewalls and conduct penetration testing. Becoming PCI compliant will help you prepare as well.
Closing Thoughts
Now the PSD2 is in effect, financial innovation is set to increase along with consumer protections in the EU. Depending on what kind of services you offer — and where your customers come from — consider working with an experienced compliance partner to make sure you have all the right measures in place for PSD2 compliance.
Adopting other cybersecurity frameworks like ISO 27001 can also generally improve your cybersecurity posture and guard against any potential uptick in US fraud that may result from PSD2’s hacker deterrence.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.