PSD 2 Information Hub


PSD2 is in effect

PSD2 has been enforced in the EEA since 1 January 2021, and in the UK since 14 March 2022.

All merchants processing in these jurisdictions must follow the requirements of the mandate as described in this section.

Introduction

This page describes the Payment Service Directive 2 (PSD2) regulation, giving merchants an overview of the directive and its implications. It also references PXP Financial's PSD2 framework overview and API documentation.

The PSD2 Regulation: An outline

What is it and why is it necessary?

The EU Payment Service Directive 2 (2015/2366 PSD 2) is a European Commission proposal to create a more secure landscape for European payments by providing increased consumer protection for online shopping, promoting innovation in payments, and unifying the European payments market. It is a revision of the original Payment Service Directive (PSD1).

The PSD2 mandate requires all electronic payments within the European Economic Area (EEA) to have Strong Customer Authentication (SCA).

PSD2 does allow for exemptions from SCA for specific payment use-cases, as well as scenarios which are out-of-scope of the mandate. Further information on these can be found below in the PSD2 Scope Section.

What is SCA and how does it work?

SCA is a two-factor authentication (2FA) process which validates that a payer is authorised to make use of a specific payment instrument. It is triggered when a payer initiates an electronic transaction and requires two or more of the elements from the following list to be demonstrated during the authentication process:

  • Knowledge: Something only the payer knows (e.g. PIN or password)
  • Possession: Something only the payer possesses (e.g. card or mobile device)
  • Inherence: Something only the payer is (e.g. fingerprint or voice)

These elements are functionally independent of one another, i.e. if one is compromised, the others are not affected. This provides a framework that is far more secure than single-factor authentication methods, such as static passwords, and gives users a much higher degree of protection.

In addition, for remote electronic payments such as card payments, dynamic linking of transaction information is necessary.


Even in regions where SCA is not mandatory, it is highly recommended.

PSD2 Scope

Areas of Coverage

PSD2 applies in all EEA countries, i.e. the 28 EU countries plus Norway, Iceland and Liechtenstein, as well as the United Kingdom.

Out of Scope Transactions

There are a number of scenarios that fall outside the scope of PSD2. Bear in mind that the final decision on whether SCA is necessary is still taken by the issuer.

The following types of transactions are out of scope:

Mail Order and Telephone Order (MOTO) transactions

MOTO payments are not considered to be in scope since the payment is initiated by paper or telephone instead of electronically.

Inter-regional/One leg out transactions

These are transactions where either the issuer or the acquirer is located outside of the EU, i.e. the card is issued outside of the EU or the payment is acquired outside of the EU.

Anonymous transactions

Payment instruments such as anonymous prepaid gift cards are not in scope of the PSD2 regulation. Issuers are able to detect eligible cards that fall under this case.

Merchant-initiated transactions

A merchant-initiated transaction (MIT) is a transaction, or series of transactions, of a fixed or variable amount and at a fixed or variable interval, governed by an agreement between cardholder and merchant. Once the agreement is in place, the merchant may initiate subsequent transactions without the involvement of the cardholder. When the initial mandate is set up electronically, SCA is recommended for that set-up, but it should not be necessary for the subsequent payments. A good example of an MIT is a subsequent recurring payment initiated while the cardholder is not present, after the recurring agreement has been set up.

Exemptions

The PSD2 regulation also allows for a number of exemptions. These are determined by factors such as risk, transaction value and payment channel.

SCA is not necessary for a payment transaction to which an exemption can be applied.


Exemption Liability Shift

Where an exemption is applied successfully, liability will be shifted to the merchant.

The following exemptions are possible:

Low value transactions

Payments of less than 30 EUR. The issuer tracks these, and once a specific count of transactions (5) or a cumulative amount (100 EUR) is exceeded, SCA is required once again.

Low risk transactions

Transaction risk analysis (TRA) can be applied by the issuer in cases where a transaction is assessed as low risk. While the acquirer can request that a transaction be considered low risk, the final decision is taken by the issuer and depends on the fraud levels monitored at both acquirer level and issuer level.

Recurring payments

Recurring transactions are expected to fall under the MIT framework. However, SCA is still required when the recurring agreement is set up for the first time. Refer to the Handling Recurring Payments section for more details.

White-listed transactions/Trusted Beneficiary

During the 3DS 2 Authentication process, merchants may be added as a "Trusted Beneficiary" by the cardholder to a list maintained by the issuer. Further payments at this merchant will not require SCA.

Secure corporate payments

This refers to a special category of corporate payments which are made through dedicated corporate protocols and initiated by business entities. These do not concern individual cardholders.
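To make the out-of-scope and exemption rules above concrete, here is an added decision helper (example code written for this page, not part of PXP Financial's API) that applies them in the order a merchant would reason about a card payment: out-of-scope cases first, then exemptions, otherwise SCA. The counter semantics for the low-value exemption follow this page's wording (5 transactions or 100 EUR since the last SCA); the field names, the CardState record and the assumption that counters reset once SCA is required are all constructed for the example, and TRA and secure corporate payments are left out because they depend on issuer- and acquirer-side fraud monitoring this code cannot see.

```python
from dataclasses import dataclass, field

# Thresholds as stated on this page for the low-value exemption.
LOW_VALUE_LIMIT_EUR = 30.0
LOW_VALUE_MAX_COUNT = 5
LOW_VALUE_MAX_CUMULATIVE_EUR = 100.0


@dataclass
class CardState:
    """Issuer-side counters since the last successful SCA (constructed for this example)."""
    low_value_count: int = 0
    low_value_total_eur: float = 0.0
    trusted_merchants: set = field(default_factory=set)  # trusted-beneficiary list


@dataclass
class Payment:
    amount_eur: float
    channel: str            # "ecommerce" or "moto"
    issuer_in_eea: bool
    acquirer_in_eea: bool
    anonymous_prepaid: bool = False
    merchant_initiated: bool = False
    merchant_id: str = ""


def sca_decision(p: Payment, state: CardState) -> str:
    """Return the page's classification for one payment and update the counters."""
    # 1. Out-of-scope transactions: the SCA mandate does not apply at all.
    if p.channel == "moto":
        return "out_of_scope:moto"
    if not (p.issuer_in_eea and p.acquirer_in_eea):
        return "out_of_scope:one_leg_out"
    if p.anonymous_prepaid:
        return "out_of_scope:anonymous"
    if p.merchant_initiated:
        return "out_of_scope:mit"
    # 2. Exemptions: SCA is skipped, but liability shifts to the merchant.
    if p.merchant_id and p.merchant_id in state.trusted_merchants:
        return "exempt:trusted_beneficiary"
    if (p.amount_eur < LOW_VALUE_LIMIT_EUR
            and state.low_value_count + 1 <= LOW_VALUE_MAX_COUNT
            and state.low_value_total_eur + p.amount_eur <= LOW_VALUE_MAX_CUMULATIVE_EUR):
        state.low_value_count += 1
        state.low_value_total_eur += p.amount_eur
        return "exempt:low_value"
    # 3. Otherwise SCA must be performed; assume the counters reset once it succeeds.
    state.low_value_count = 0
    state.low_value_total_eur = 0.0
    return "sca_required"
```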

What’s Next

Read on to find out how PXP Financial is supporting our merchants in making the transition to PSD2 as seamless as possible.