❗️

PSD 2 Implementation: Advisory

PSD2 has been in effect since the originally mandated 14 September 2019 date.

At present nearly all impacted EEA states have moved to a transitional period in agreement with the European Banking Authority and the relevant National Competent Authorities, which will allow for more time and flexibility for the payments ecosystem in each respective region to prepare for PSD2. This transition period will end on 31 December 2020.

Merchants who are exclusively processing card payments for UK customers only may prepare for the 14 September 2021 date.

PXP Financial strongly recommends that all merchants implement the changes necessary to make use of our PSD 2 API, including Strong Customer Authentication with 3DS 2, as soon as possible.

Introduction

This page will describe the Payment Service Directive 2 (PSD2) regulation, providing merchants with an overview of the directive and its implications. References to PXP Financial's PSD 2 framework overview and API documentation will also be provided.

The PSD2 Regulation: An outline

What is it and why is it necessary?

The EU Payment Service Directive 2 (2015/2366 PSD 2) is a European Commission proposal to create a more secure landscape for European payments by providing increased consumer protection for online shopping, promoting innovation in payments, and unifying the European payments market. It is a revision of the original Payment Service Directive (PSD1).

The PSD2 mandate requires all electronic payments within the European Economic Area (EEA) to have Strong Customer Authentication (SCA). It was initially expected to come into effect on September 14 2019, but is now under a transitional period of implementation across the EEA.

PSD2 does allow for exemptions from SCA for specific payment use-cases, as well as scenarios which are out-of-scope of the mandate. Further information on these can be found below in the PSD2 Scope Section.

What is SCA and how does it work?

SCA is a two-factor authentication (2FA) process which validates that a payer is authorised to make use of a specific payment instrument. It is triggered when a payer initiates an electronic transaction and requires two or more of the elements from the following list to be demonstrated during the authentication process:

• Knowledge: Something only the payer knows (e.g. PIN or password)
• Possession: Something only the payer possesses (e.g. card or mobile device)
• Inherence: Something only the payer is (e.g. fingerprint or voice)

These elements are functionally independent from one another i.e. if one is compromised, it does not have an impact on any of the others. This provides a framework that is far more secure than single-factor authentication methods - static passwords for example - and provides users with a much higher degree of protection.

In addition, for remote electronic payments such as card payments, dynamic linking of transaction information is necessary.

📘

Even where SCA is not mandatory, it is highly recommended

Impact on card payments and 3-D Secure 1 (3DS1)

From the date when the PSD2 mandate becomes effective, Issuers will begin screening card transactions for SCA compliance and making the determination of whether or not SCA is necessary.

While 3DS1 will remain an accepted form of SCA under the PSD 2 regulation, it should be noted that 3DS2 brings a host of improvements to the user experience together with a much richer data set to enable Issuers to make their decisions regarding per-transaction SCA.

❗️

Merchants MUST support 3DS1 at a minimum

When the PSD2 regulation takes effect, a minimum level of SCA support is necessary. This means that either 3DS1 or 3DS2 must be implemented in those jurisdictions where PSD2 is applicable.

❗️

3DS1 will be deprecated at a future date

Please note that 3DS1 as a protocol will not be supported in perpetuity. 3DS2 will be the preferred protocol going forward.

PSD2 Scope

Areas of Coverage

PSD2 applies in all EEA countries i.e. the 28 EU countries and Norway, Iceland and Lichtenstein.

Out of Scope Transactions

There are a number of scenarios where PSD2 is out of scope. Bear in mind that the final decision on whether SCA is necessary will still be taken by the issuer.

The following types of transactions are out of scope:

Mail Order and Telephone Order (MOTO) transactions

MOTO payments are not considered to be in scope since the payment is initiated by paper or telephone instead of electronically.

Inter-regional/One leg out transactions

Where an issuer or an acquirer is located outside of the EU, meaning that the card is issued outside of the EU or the payment is acquired outside of the EU.

🚧

Transactions with UK-issued cards

Transactions initiated with UK-issued cards are considered as one-leg-out-transactions until 14 September 2021. Merchants who accept transactions from UK customers and haven’t prepared for PSD2 should start preparing to meet that deadline as soon as possible.
Implementation and testing instructions can be found on PSD2 Test Cases page.

Anonymous transactions

Payment instruments such as anonymous prepaid gift cards are not in scope of the PSD2 regulation. issuers will be able to detect eligible cards that fall under this case.

Merchant-initiated transactions

A Merchant initiated transaction (MIT) is defined as a transaction or series of transactions, of a fixed or variable amount and fixed or variable interval governed by an agreement between cardholder and merchant, which once agreed upon, allows the merchant to initiate subsequent transactions without the involvement of the cardholder. When the initial mandate is set up electronically, SCA is recommended but should not be necessary for subsequent payments. A good example of a MIT is a subsequent recurring payment initiated when a cardholder is not present, after the recurring agreement has been set up.

Exemptions

The PSD2 regulation also allows for a number of exemptions. These are determined by factors such as risk, transaction value and payment channel.

SCA is not necessary for a payment transaction to which an exemption applies.

📘

Exemption Liability Shift

Where an exemption is applied successfully, liability will be shifted to the merchant.

The following exemptions are possible:

Low value transactions

Payments under the amount of 30 EUR. These are checked by the issuer and beyond a specific count of transactions (5), or a cumulative amount (100 EUR), will require SCA once again.

Low risk transactions

Transaction risk analysis (TRA) can be applied by the issuer in cases where there a transaction is assessed as low risk. While the Acquirer can request that a transaction be considered as low risk, the decision will be taken by the issuer and depends on fraud levels being monitored at acquirer-level and issuer-level by the issuer.

Recurring payments

Recurring transactions are expected to fall under the MIT framework. However, SCA is still required when the recurring agreement is set up for the first time. Refer to the Handling Recurring Payments section for more details.

White-listed transactions/Trusted Beneficiary

During the 3DS 2 Authentication process, merchants may be added as a "Trusted Beneficiary" by the cardholder to a list maintained by the issuer. Further payments at this merchant will not require SCA.

Secure corporate payments

This refers to a special category of corporate payments which are made through dedicated corporate protocols and initiated by business entities. These do not concern individual cardholders.