What is Payment Services Directive 2? 

The Payment Services Directive 2, usually called ‘PSD2’, is the revised version of the original Payment Services Directive. It is a European Union (EU) regulation that aims to protect consumers of electronic payments.

The PSD2 is a customer-oriented regulation that enhances customer control in terms of who can access and use their financial information from third-party providers, which also simplifies payment processes using strict security measures. It facilitates a customer-centric model of financial services through secure and seamless payment processing and transforms how we interact with digital financial services. 

What PSD2 Brings in the Next 5 Years

With the introduction of PSD1, a new, secure and organized model for payment services became available in the market. It dealt with transparency, ways to protect customers, and rules for payment service providers. However, it failed to keep up with the fast growth of digital payments: the digitalization of payment methods, the emergence of third-party service providers, and new security concerns. This is where PSD2 steps in, bridging those gaps and preparing the payment sector for future change. Here is where PSD2 is heading in the next 5 years:

Stronger Global Influence of SCA

PSD2 emphasizes the need for Strong Customer Authentication (SCA) across the world. This regulation requires secure means of making payments and dynamic linking of transaction amounts to authentication data, ensuring end-to-end security for digital payment processes.

Expansion of Open Banking  

As PSD2 encourages open banking by promoting the use of Application Programming Interfaces (APIs), it enables financial entities and Third-Party Payment Service Providers (TPPs) to connect their different systems seamlessly.

By using APIs, banks securely exchange their specific data or services, including account details, payment initiations, etc., to authorized TPPs. This results in TPPs offering financial services to customers, therefore promoting open banking.

Increased Collaboration between Banks and TPPs  

PSD2 removes the previous restrictions for non-banks, enabling Third Party Providers (TPPs) to offer payment initiation and account access services beyond the EU. There are mechanisms prescribed in the directive that bridge the old systems of operation and new systems. 

Improved Cross-Border Payment Framework 

With the introduction of PSD2, the cross-border payments system becomes more effective as it demands the disclosure of fees, exchange rates in real-time, and exact time frames for the processing of the transaction. A standardization of payment processing standards and protocols, alongside effective privacy and security controls, promotes the efficacy of performing cross-border transactions and reduces the costs involved at the same time, thereby enhancing the EU’s internal market and competitiveness on a global scale.  

Such advancements facilitate effective and efficient interactions between financial institutions and TPPs within the EU. These measures will no doubt position the EU as a leader in digital financial innovation. Also, these advancements guarantee a dynamic structure of payments, enhancing PSD2’s impact and ensuring a safer, interoperable, and user-oriented payment field for financial institutions and TPPs. 


Two Core Focus Areas of PSD2 Compliance  

The PSD2 regulation places a strong focus on two essential areas: 

  • Eliminating monopoly by increasing competition in the market and encouraging innovation.

  • Securing customer-sensitive data and enabling secure transactions.

Elimination of monopoly 

PSD2 has reformed the financial ecosystem by providing fair opportunities and encouraging other forms of creativity, thus reducing the monopoly of conventional banks. This is possible due to the inclusion of two new regulated services, as follows:

Payment Initiation Service (PIS)

This service makes it possible to pay for goods or services without having to use a specific application from the bank, thereby decreasing the need for conventional payment methods and providing more paths for consumers. This is an open banking aspect whereby a Payment Initiation Service Provider (PISP) plays a critical role. PIS allows the consumer to pay through specified PISPs, i.e., previously validated third-party applications handle payments on behalf of the user. This aspect adds flexibility and user-friendly enhancements. 

Account Information Service (AIS)

This service enables third parties, known as Account Information Service Providers (AISPs), to combine bank account information from various banks. It helps users to manage their funds from a single location and even track their spending habits effectively. Also, the user is not charged for any card transaction as they can pay straight from their banking account.   

For these services to be availed, PSD2 compels banks to provide access to a licensed third-party payment services provider through APIs, thereby ensuring there is an ecosystem that is not only customer-oriented but also eliminates monopolistic trends.  

Securing customer-sensitive data and enabling secure transactions 

The widespread adoption of digital payment methods has transformed the financial ecosystem. However, protecting sensitive customer information and preserving the integrity of transactions has become a critical concern. PSD2 addresses the threats of data breach and fraud by implementing Strong Customer Authentication (SCA), which improves how users are verified, and Common and Secure Open Standards of Communication (CSC), which protect transferred information from being accessed by unauthorized persons.

1. Strong Customer Authentication (SCA)  

The implementation of Strong Customer Authentication (SCA) is a key provision of PSD2, aiming to enhance security levels in payment transactions and protect client data from unauthorized access. SCA requires all online service providers processing payments to apply multi-factor authentication (MFA), meaning that a user must verify their identity using two or more out of three different authentication factors. 

  • The first factor, Knowledge, refers to something that the user knows, such as a password or personal identification number. This acts as the first barrier to entering the servers or any other critical assets.

  • Second, Possession refers to something that the user owns, like a cell phone or hardware token. For example, a user can receive a one-time password (OTP) via mobile text messaging or use a device application to create an authentication code.

  • The third factor, Inherence, is something that the user is, such as biometric patterns like fingerprints, facial structure, or voice recognition. SCA enforces biometric verification, which is unique to everyone, adding an additional layer of security.

Figure: PSD2 SCA requirements

For example, in an electronic banking transaction the user first enters the banking password or PIN, the ‘Knowledge’ factor, which triggers an OTP sent to the user’s registered mobile phone to satisfy ‘Possession’. To add further security, the bank may also require the user to authenticate through ‘Inherence’ by verifying a fingerprint or facial scan. The user is thus protected by a multi-factor authentication process.
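The rule underneath the example above is that the two verified elements must come from different categories; two passwords do not make SCA. The following Go program is an added illustration written for this page (it is not code from the page or from Encryption Consulting). It checks a password (Knowledge) and an RFC 6238 authenticator code (Possession) and reports SCA as met only when two distinct categories verify. The salt, password and enrolment data are constructed; the device secret is the RFC 6238 test-vector key, so the code it produces at t=59 can be checked against the RFC. The salted SHA-256 password digest is a stand-in for a real slow KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Category is one of the three SCA element categories named in PSD2.
type Category int

const (
	Knowledge  Category = iota // something the user knows
	Possession                 // something the user has
	Inherence                  // something the user is
)

// FactorResult records the outcome of checking one authentication element.
type FactorResult struct {
	Category Category
	Verified bool
}

// SCASatisfied applies the rule: at least two verified elements from *different* categories.
// Two passwords (both Knowledge) do not qualify, however strong each one is.
func SCASatisfied(results []FactorResult) bool {
	seen := map[Category]bool{}
	for _, r := range results {
		if r.Verified {
			seen[r.Category] = true
		}
	}
	return len(seen) >= 2
}

// EnrollPassword derives the salted SHA-256 digest stored for the Knowledge element.
// A production system would use a slow KDF (argon2, bcrypt); SHA-256 keeps this dependency-free.
func EnrollPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// VerifyPassword compares the candidate's digest with the stored one in constant time.
func VerifyPassword(salt, storedDigest []byte, candidate string) bool {
	return subtle.ConstantTimeCompare(EnrollPassword(salt, candidate), storedDigest) == 1
}

// TOTP computes an RFC 6238 time-based one-time password (HMAC-SHA1, 30-second step),
// the algorithm authenticator apps use to generate the Possession element's code.
func TOTP(secret []byte, unixTime int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // RFC 4226 dynamic truncation
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyTOTP accepts the current 30-second step and one step either side to absorb clock drift.
func VerifyTOTP(secret []byte, unixTime int64, submitted string) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if subtle.ConstantTimeCompare([]byte(TOTP(secret, unixTime+skew, 6)), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

// Authenticate evaluates a remote-banking login: password (Knowledge) plus authenticator
// code (Possession). The clock is injected so the example is deterministic.
func Authenticate(salt, storedDigest, totpSecret []byte, password, otp string, now int64) bool {
	return SCASatisfied([]FactorResult{
		{Knowledge, VerifyPassword(salt, storedDigest, password)},
		{Possession, VerifyTOTP(totpSecret, now, otp)},
	})
}

func main() {
	// Constructed enrolment data; the TOTP secret is the RFC 6238 test-vector key.
	salt := []byte("constructed-salt")
	digest := EnrollPassword(salt, "correct horse battery")
	secret := []byte("12345678901234567890")
	now := int64(59) // RFC 6238 vector: the 8-digit code at t=59 is 94287082
	fmt.Println("8-digit code at t=59:", TOTP(secret, now, 8))
	fmt.Println("password + device code:", Authenticate(salt, digest, secret, "correct horse battery", TOTP(secret, now, 6), now))
	fmt.Println("password + wrong code:", Authenticate(salt, digest, secret, "correct horse battery", "000000", now))
	fmt.Println("two passwords only:", SCASatisfied([]FactorResult{{Knowledge, true}, {Knowledge, true}}))
}
```

The Inherence element is left out because it needs a biometric matcher rather than a cryptographic check; the policy function would treat it as a third category in exactly the same way.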

2. Dynamic linking 

Dynamic linking is a feature of SCA enforced by PSD2 for protection against transaction fraud. The authentication code is generated for one particular transaction and is bound to its details, specifically the amount and the payee, which are shown to the payer at the time of authentication.

  • Transaction-specific tokens: Each token is issued for a specific transaction and cannot be reused for any other amount or recipient. This prevents replay attacks, in which captured authentication tokens are presented again to authorize illegitimate transactions.

  • Tamper evident: Any alteration of the transaction data after the code was generated, such as a changed amount or payee, invalidates the code, and the transaction is rejected. Only the transaction the user actually approved can proceed, increasing overall security.
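The two properties just listed follow from one construction: a keyed MAC over the amount and payee, checked against a record of codes already honoured. The Go program below is an added example for this page, not code from Encryption Consulting or from any bank; it models the payer's device and the bank sharing a device-bound key (provisioned at enrolment, a simplification), with a constructed transaction reference and the standard example IBAN as sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transaction carries the elements the authentication code is bound to: the amount and the
// payee, plus a bank-side reference so the bank can tell two payments of the same amount apart.
type Transaction struct {
	Reference   string // bank-side transaction reference (constructed)
	PayeeIBAN   string
	AmountCents int64
	Currency    string
}

// canonical is the exact byte string both sides authenticate; any field change alters it.
func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", t.Reference, t.PayeeIBAN, t.AmountCents, t.Currency))
}

// IssueCode is the payer-device side: HMAC-SHA256 over the transaction the user was shown,
// keyed with the secret provisioned to that device, truncated to 16 hex characters for display.
func IssueCode(deviceKey []byte, tx Transaction) string {
	mac := hmac.New(sha256.New, deviceKey)
	mac.Write(tx.canonical())
	return hex.EncodeToString(mac.Sum(nil)[:8])
}

// Outcome is what the bank answers when a code is presented.
type Outcome string

const (
	Accepted Outcome = "accepted"
	Tampered Outcome = "rejected: code does not match this amount and payee"
	Replayed Outcome = "rejected: code already used"
)

// Verifier is the bank side. It holds the same device key and remembers codes it has honoured.
type Verifier struct {
	deviceKey []byte
	used      map[string]bool
}

func NewVerifier(deviceKey []byte) *Verifier {
	return &Verifier{deviceKey: deviceKey, used: map[string]bool{}}
}

// Verify recomputes the code for the transaction the bank is about to execute. A mismatch means
// the amount or payee differ from what the user authenticated; a match already seen is a replay.
func (v *Verifier) Verify(tx Transaction, code string) Outcome {
	expected := IssueCode(v.deviceKey, tx)
	if !hmac.Equal([]byte(expected), []byte(code)) {
		return Tampered
	}
	if v.used[code] {
		return Replayed
	}
	v.used[code] = true
	return Accepted
}

func main() {
	deviceKey := []byte("constructed-device-key") // provisioned at enrolment in a real deployment
	bank := NewVerifier(deviceKey)
	tx := Transaction{Reference: "TX-0001", PayeeIBAN: "DE89370400440532013000", AmountCents: 12500, Currency: "EUR"}
	code := IssueCode(deviceKey, tx) // generated on the user's device for "EUR 125.00 to DE89..."
	fmt.Println("original transaction:", bank.Verify(tx, code))
	altered := tx
	altered.AmountCents = 925000 // amount changed after the user authenticated
	fmt.Println("altered amount, same code:", bank.Verify(altered, code))
	fmt.Println("original presented again:", bank.Verify(tx, code))
}
```

In a deployed scheme the code is displayed on the user's device together with the amount and payee it covers, and the set of used codes would be bounded by an expiry window rather than growing forever.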

3. Common and Secure Open Standards of Communication (CSC) 

To protect interactions between banks and third-party providers (TPPs) once PSD2 opens up third-party access, Common and Secure Open Standards of Communication (CSC) are also established. They consist of: 

  • Secured Access: APIs are developed by the banks for TPPs while ensuring the privacy of customer data. This is aimed at enhancing the past practices of accessing data, such as screen scraping, which involved copying data present on a screen. With the help of APIs, data is exchanged in a more orderly and secure manner, reducing security risks.

  • Confidentiality and Integrity: The trusted communication channels established between a bank and its TPPs must ensure that transferred data is protected from breaches and accessed only by the intended parties, so that its integrity is maintained.

  • Digital Certificates: These certificates ensure that only authorized, trusted parties can access consumer information, therefore enhancing security. For instance, recognizing eIDAS-based digital certificates establishes the identity of the parties involved in a transaction.

A Comprehensive Overview of PSD1 

In 2007, the European Union introduced Payment Services Directive 1 (PSD1) to harmonize payment processing in the EU and create a common market for payments. The directive was set up in 2009 and defined rules for payment services, providing the legal basis for bank payment infrastructure in Europe through the Single Euro Payments Area (SEPA). This infrastructure, built on International Bank Account Numbers (IBANs) and SEPA Direct Debits, made payments across European borders effective. The directive opened the market to new payment service providers while facilitating cross-border operations for enterprises in the EU. 

The Objective 

The directive aims to cover all forms of payment, whether electronic or not, across the European Economic Area (EEA), consisting of the EU, Iceland, Norway, and Liechtenstein. It benefits the European economy as a whole by integrating the Member States into a single market featuring swifter payments within the region, higher transparency for consumers, and stronger refund rights. By giving payment services a legal framework, PSD1 raised the level of compliance through standards accepted by all payment service providers and enhanced the reliability and security of transactions across Europe. 

Why did PSD1 evolve into PSD2?

Digital developments in payment mechanisms prompted the European Commission to update the Payment Services Directive towards the end of 2013. In 2014, a directive was proposed to supplement the existing legal texts with provisions for continued consumer protection, security enhancement, and a more open and competitive payments market. This became PSD2, which was approved in 2015 and adopted by 13 January 2018. 

What are the key changes between PSD2 and PSD1?

| Change | Description |
|---|---|
| Improved Safeguards for Online Transactions | PSD2 enhances security through multi-factor authentication (MFA), reducing online payment fraud. |
| Access to Accounts (XS2A) | Before permitting any TPP to access data relating to a customer’s account, banks are expected to protect the customer and prepare their systems for such access. |
| Payment Surcharging Prohibition | No extra charge may be imposed on card payments, which promotes fairness and increases customer satisfaction. |
| Support for E-Payment Provisions | Explanatory details are provided on execution timeframes and fees charged for international payments involving non-EU service providers. |
| Enhanced Consumer Rights | Better protection of users’ rights to manage their information held by third parties. |
| Tighter Regulations on TPPs | Stricter provisions prevent unauthorized players from entering the digital payments market, increasing consumer confidence. |
| Open Banking Requirements for Banks | Banks are required to give TPPs access to their systems through APIs. |
| Transparency in Fees and Charges | Encourages users to take part in decisions involving the services of payment providers. |
| Regulatory Technical Standards (RTS) | Security measures such as Strong Customer Authentication (SCA), including biometrics and OTPs, were introduced to enhance protection. |
| Liability Provisions | Clarifies responsibilities for unauthorized transactions and minimizes the customer’s risk when they are reported promptly. |
| Improved Cross-Border Transactions | A single regulatory approach is applied to cross-border payments within the EU. |

Where is PSD2 applicable, and who should comply?  

PSD2 applies across all the EU member states, governing financial institutions, payment service providers, and all other parties involved in such payment systems.  

While the regulation primarily focuses on consumers in the EU region, any payment service provider, bank, or financial institution outside the European Union that has customers in the European Union or provides services to individuals in the European Union is also subject to the provisions of the PSD2 regulation.  

Who needs to comply?  

Compliance with PSD2 is required for several entities within the financial services sector. 

  • Banks, including both legacy banks providing payment services or accounts in the European marketplace and fintechs and neobanks (technology-driven or digital-only banks), as well as other non-bank institutions providing payment or account access services in the region, must adhere to the regulation.

  • Third-party providers, as well as foreign payment service providers established outside the EU, that offer payment services to EU citizens or, in some cases, EU residents must also comply.

Requirements 

1. Implement Strong Customer Authentication (SCA) 

One of the essential requirements of the revised Payment Services Directive (PSD2) is that banks should implement Strong Customer Authentication (SCA) for remote access to customer accounts and for online payments as a security measure through two-factor authentication methods. Therefore, two of the three factors will apply: something they know (password), something they have (smartphone or token), or something they are (biometrics like fingerprints or facial recognition).  

2. Security

Security is accomplished primarily through APIs whose endpoints are authenticated with PSD2-compliant certificates. These certificates secure the SSL/TLS sessions that encrypt sensitive data and authenticate banks and third-party payment service providers (PSPs) to each other for trusted transactions. This approach to enhanced transaction security goes hand in hand with Strong Customer Authentication (SCA), a new requirement that introduces specific technical standards, such as PSD2-compliant certificates, and requires multi-factor authentication (MFA). 

3. Digital certificates 

The Regulatory Technical Standards (RTS) define the two main requirements that involve the use of digital certificates. These are as follows: 

  i) Identification of payment service providers: Article 34 of the RTS states that Payment Service Providers (PSPs) must identify themselves to the financial institution’s API. The RTS therefore requires a Qualified Website Authentication Certificate (QWAC) or a Qualified Electronic Seal Certificate (QSealC) when accessing a customer’s account information.  

  ii) Secure encryption between all communicating parties: Article 35 of the RTS states that communication between all parties, such as PSPs and financial institutions, must be encrypted using “strong and widely recognized encryption techniques.” 

The Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) and Common and Secure Open Standards of Communication (CSC) specify two types of digital certificates for financial institutions and TPPs for secure communications to comply with PSD2. These are as follows: 

  • Qualified Website Authentication Certificate (QWAC): These are used to protect data in point-to-point communications and to identify the endpoints, such as banks and third-party providers (TPPs). All data passing through the channel is thereby protected in terms of authentication, integrity, and confidentiality. 

    These certificates are used with the TLS protocol, defined in IETF RFC 5246 (TLS 1.2) or IETF RFC 8446 (TLS 1.3), to encrypt sessions and protect data in transit. 

  • Qualified Certificate for Electronic Seals (QSealC): These are used to create electronic seals that protect data or documents using standards such as ETSI’s PAdES, CAdES, or XAdES and attest their origin from a legal entity. A seal protects a specific block of data at rest and in transit, i.e., end to end, even when it passes through an intermediary.

    These certificates provide authentication and confidentiality. 

PSP Certification Process: 

Step 1: The PSP registers with its respective National Competent Authority.    

Step 2: The PSP requests a qualified certificate from a Qualified Trust Service Provider (QTSP).  

Step 3: The QTSP validates the PSP against the public register maintained by the National Competent Authority and then issues the QWAC and/or QSealC to the PSP.  

Step 4: Once the PSP has obtained the qualified certificate, it can use the financial institution’s API(s), which grant it access to customer information and payment networks. This is where the QWACs and QSealCs come in: they identify the PSP and secure the communication between the parties.  

Step 5: Whenever a customer wants to view their data, the data is securely transferred from the financial institution to the end customer via the PSP. 
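The QWAC description above and the five-step process both come down to one mechanism: a certificate issued by a trusted QTSP, presented by the PSP as a TLS client certificate and checked by the bank's API against the QTSP root before any account data flows. The Go program below is an added example written for this page (not code from Encryption Consulting, a bank or a QTSP) that plays out Steps 3 and 4 with Go's standard library: a locally generated root stands in for the QTSP, it issues a bank server certificate and a TPP client certificate, the two sides complete a mutually authenticated TLS 1.2+ handshake over an in-memory pipe, and a self-signed certificate that no QTSP issued fails the same chain check. All names (Example QTSP Root, bank.example, tpp.example, Example Fintech TPP) are constructed. A real QWAC additionally carries PSD2-specific extensions naming the PSP's authorised roles and its National Competent Authority, which this example omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key and an X.509 certificate for subject. With parent == nil the
// certificate is self-signed; otherwise parentKey signs it (the QTSP's role in PSD2).
func issue(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demonstration code: fail loudly rather than return errors
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // leaf: usable by a TLS client (the TPP) or a TLS server (the bank API)
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{subject.CommonName}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// mutualHandshake runs a TLS handshake over an in-memory pipe. The bank side requires a client
// certificate chaining to a root in pool (Article 34: the PSP identifies itself) and both sides
// require TLS 1.2 or later (Article 35). It returns the client certificate the bank accepted.
func mutualHandshake(pool *x509.CertPool, bank, tpp tls.Certificate) (*x509.Certificate, error) {
	bankCfg := &tls.Config{
		Certificates:           []tls.Certificate{bank},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              pool,
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // no writes after the handshake, so the synchronous pipe cannot stall
	}
	tppCfg := &tls.Config{Certificates: []tls.Certificate{tpp}, RootCAs: pool, ServerName: "bank.example", MinVersion: tls.VersionTLS12}
	bankRaw, tppRaw := net.Pipe()
	defer bankRaw.Close() // closing one end also unblocks the other
	clientDone := make(chan error, 1)
	go func() { clientDone <- tls.Client(tppRaw, tppCfg).Handshake() }()
	server := tls.Server(bankRaw, bankCfg)
	if err := server.Handshake(); err != nil {
		return nil, err
	}
	if err := <-clientDone; err != nil {
		return nil, err
	}
	return server.ConnectionState().PeerCertificates[0], nil
}

// Scenario wires the actors together: a stand-in QTSP root, bank and TPP certificates issued by it,
// and a self-signed certificate no QTSP issued. It returns the organisation the bank saw in the
// TPP certificate and the chain-check error the bank's trust check produces for the self-signed one.
func Scenario() (acceptedOrg string, rogueErr error, err error) {
	qtsp, qtspKey := issue(pkix.Name{CommonName: "Example QTSP Root (stand-in)"}, true, nil, nil)
	bank, bankKey := issue(pkix.Name{CommonName: "bank.example", Organization: []string{"Example Bank"}}, false, qtsp, qtspKey)
	tpp, tppKey := issue(pkix.Name{CommonName: "tpp.example", Organization: []string{"Example Fintech TPP"}}, false, qtsp, qtspKey)
	rogue, _ := issue(pkix.Name{CommonName: "rogue.example", Organization: []string{"Unlicensed Co"}}, false, nil, nil)
	pool := x509.NewCertPool() // the bank's trust store: only the QTSP root
	pool.AddCert(qtsp)
	accepted, err := mutualHandshake(pool,
		tls.Certificate{Certificate: [][]byte{bank.Raw}, PrivateKey: bankKey},
		tls.Certificate{Certificate: [][]byte{tpp.Raw}, PrivateKey: tppKey})
	if err != nil {
		return "", nil, err
	}
	// The same chain check the TLS server applied, run directly against the unissued certificate.
	_, rogueErr = rogue.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return accepted.Subject.Organization[0], rogueErr, nil
}

func main() {
	org, rogueErr, err := Scenario()
	fmt.Printf("bank accepted TPP %q (handshake error: %v)\nself-signed certificate rejected: %v\n", org, err, rogueErr)
}
```

Run it with `go run` and the bank reports "Example Fintech TPP" for the issued certificate, while the self-signed one is rejected as signed by an unknown authority; in production the trust store holds the real QTSP roots from the EU trusted list and the TLS configuration is the place to pin the minimum protocol version the RTS expects.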

4. Ban on surcharges 

Under PSD2, companies such as airlines and event organizers are forbidden from adding extra fees to a transaction because of the payment method used, also known as a surcharge. PSD2 thus imposes a surcharge ban for purchases such as ticketing, food, and travel. 

5. The reidentification process for credential reset 

Re-identification is required when credentials are reset: when a customer forgets or loses a key authentication element, the bank must have them re-identify themselves before electronic payments and transactions are allowed again. The customer does so through the bank’s Strong Customer Identity Verification (SCeID) process, which verifies their identity. 

Understanding PSD2 Exemptions 

PSD2 contains several exemptions, most of which are concerned with the payment amount:  

  • Recurring payments or transactions under 30 euros can be exempted.

  • Higher-value transactions may also be exempted if the bank can demonstrate, through transaction risk analysis, that its fraud rate is below the level set for the amount:

    – 100 euros for fraud rates below 0.13%.

    – 250 euros for fraud rates below 0.06%.

    – 500 euros for fraud rates below 0.01%.

The Benefits of PSD2   

| For End Users | For Payment Service Operators |
|---|---|
| Enhanced payment mechanisms. | Increased client retention. |
| Improved transaction security. | New income sources through third-party application fees. |
| Enhanced security of clients’ banking details. | Improved cross-functionality and user experience. |
| Versatility of payment options. | Improved market competition. |

Concrete Impacts of PSD2 on Consumers and Businesses 

1. Enhanced security  

The PSD2 presents numerous benefits to consumers, most notably increased security. This includes consumers having to prove their identity through two or more factors whenever they make online payments due to the new policy on Strong Customer Authentication (SCA).  

For instance, when consumers make a purchase over the Internet, they are expected to input their password, the Knowledge factor. Then a one-time passcode (OTP) is received on their device. Afterward, the consumers confirm their identity through fingerprint recognition. These layers together secure the transaction and reduce fraud.  

2. Expansion of payment methods 

Another benefit provided by PSD2 is the increase in payment methods. PSD2 allows third-party payment services to send a payment request to the customer’s bank through Payment Initiation Service Providers (PISPs). For example, an online payment can be made directly from a bank account, a form of payment different from the usual card payment.  

PSD2 allows consumers to access information about their finances using account information services collected from various providers. For example, it allows people to directly view their financial data across different banks on an app to give a clear picture of their finances and help them make informed financial decisions. This level of transparency and control empowers consumers to stay on top of their financial health with ease.   

3. Increased trust in businesses 

Increased customer trust is one of the major advantages PSD2 offers businesses. By adhering to its security and safety measures, companies demonstrate that they protect their customers’ sensitive data and transactions, which builds trust. For instance, an online retailer using SCA assures its customers that their payment information is secure and raises their level of assurance.  

PSD2 not only increases competition and innovation; it also allows third-party providers, with the customer’s consent, to access customer data. This makes new services and products possible. For example, a fintech company could build a budgeting tool linked to a customer’s bank account that gives personalized advice based on the customer’s transaction history, something that was not possible before PSD2.   

4. Efficient operations in businesses  

Operational efficiency is achieved through API-enabled secure communication between banks and third parties. A business that integrates a bank’s API for direct payments can reduce payment processing times and provide a more seamless experience for its customers. 

Key Challenges  

1. For businesses

Businesses face many challenges when implementing PSD2 while remaining competitive.  

  • High regulatory compliance costs: Achieving compliance with PSD2 can be costly, as upgrading and securing data systems is resource-intensive, particularly for smaller organizations. Traditional banks must also compete with agile fintech companies or risk losing customers. 

  • Integration of systems: As organizations connect third-party services without disrupting current operations, there is an ever-present risk of serious security breaches. Businesses must therefore focus on the security of customer data and make sure that third-party providers meet the strongest security measures.

  • Consumer education: The reasons for the extra authentication steps and for the new financial applications customers may be using should be clearly explained to them. Customers should also be adequately supported rather than simply dropped into this new environment, so that they come to trust the PSD2 model. 

2. Security challenges

The PSD2 aims to enhance innovation and improve payment services across Europe, but while it simplifies the banking and payment ecosystem, it also introduces several security challenges.  

  • Risks of cyber attacks: PSD2 allows third-party providers to access banking APIs and customers’ account data with user consent. This is a significant boost for innovation; however, it also draws more attention from cyber criminals to these accounts, because it creates multiple points of access, and an attacker needs to compromise only one of them to reach highly sensitive financial data and cause a breach.  

    This follows from the directive’s emphasis on collaboration between banks and third parties, which results in a lot of data being shared. The more sensitive payment and personal information is divided among several entities, the greater the risk of mishandling by any one of them, leading to data breaches and errors caused by inconsistent security measures.

  • Complex transaction monitoring: Transaction monitoring is required to maintain an anti-money laundering (AML) framework. It becomes more complex under PSD2 because financial data is scattered across many stakeholders. This fragmentation makes it harder to ensure compliance everywhere and creates loopholes for fraud, as tracking suspicious transactions across all the parties involved becomes more difficult.  

    Strong measures such as strong user authentication, data encryption, and continuous monitoring are therefore clearly needed to address PSD2 and open-banking security challenges. 

Conclusion   

The revised Payment Services Directive (PSD2) introduces a revolution in the European financial services landscape. It brings in security, competition, and customer rights, making consumers the ultimate stakeholders in their data. Most of the changes will be absorbed by existing entities, such as banks and fintech companies, and by overall processes, such as consumer behavior, contributing to a more secure and better provision of financial services to consumers. 
