One of the questions we have been asked a lot recently, here at Travlaw, is about the upcoming PSD2 changes, which are due in September 2019. In this article, Kate discusses what this is all about, and why those questions are timely!
PSD2: What is it, in a “nutshell”?
The Second Payment Services Directive (“PSD2”) is an EU Directive that has been implemented in stages. Perhaps the most notable stage for the travel industry (although it affected every walk of life) was the change to card surcharging earlier this year. Certainly it caused a lot of discussion and angst at the time, in some quarters, but was otherwise well dealt with by the industry. That, however, was not the final gift PSD2 had to give!
What Is Happening Now?
As of 14th September 2019, the next stage will come into force (regardless of the impact of Brexit!). It applies to all online transactions where both the payment service provider and the payer’s bank are located within the European Economic Area (EEA), although it is arguable that, where only one of them is based in the EEA, PSD2 should still be complied with.
The main thrust of the new stage is to implement two-factor authentication for online payments above the value of €30, adding an extra step to payment verification requirements. This extra step is intended to make online payments more secure, reduce the risk of payment fraud, and emphasise security and innovation. The two-factor authentication is also referred to as “Strong Customer Authentication” or “SCA”, for short. This is, we feel, terminology that everyone will soon be well familiar with!
What is SCA, and how will it work?
Businesses typically use one authentication method for card payments and bank transfers, allowing for instant payment and/or access to account details. SCA will end this one-step process.
Now, SCA will be satisfied, and a payment authorised, only when the payer has been verified using two of the following categories of authentication:
1. knowledge (i.e. including passwords, card details, PINs, passphrases or secret answers); and/or
2. items in possession of the payer (typically mobile phone Apps, smart cards or tokens); and/or
3. inherence – perhaps better described as an “identifying characteristic”, so fingerprints, facial recognition, voice patterns, DNA and signature etc…
Will SCA apply to every transaction?
In short, “no”. The European Banking Authority has defined exemptions from the SCA requirement in the following circumstances:
Payments below €30
Card transactions below €30 are considered ‘low value’ and are generally exempt from SCA. However, if the customer initiates more than five consecutive ‘low value’ payments or if the ‘low value’ payments exceed €100, SCA will be required.
Recurring payments
When a customer makes a series of payments to the same merchant for the same amount (such as subscriptions and membership fees), the initial payment will require SCA but subsequent payments will be exempt from SCA.
Nevertheless, payments made periodically to the same payee where the value changes each time (e.g. a utility bill) will not benefit from the exemption.
Trusted merchants (‘whitelisting’)
Customers will have the option to ‘whitelist’ a merchant that they trust once the first SCA authentication is completed. The customer’s bank will maintain this ‘whitelist’, and subsequent transactions to a whitelisted merchant are likely to be exempt from future SCA.
However, issuers can still reject or challenge a ‘whitelist’ request, or require SCA, if there is a high risk of fraud.
Card details taken over the phone
Card details collected over the phone do not fall within the scope of SCA. The customer’s bank will have the ultimate decision to accept or reject the transaction.
Payments initiated by a business
When a transaction is initiated by a business rather than a consumer, and it is processed through a secured dedicated payment protocol, it does not require SCA provided that alternative controls are sufficiently secure. This should include ‘secure virtual payments’, such as virtual cards or B2B cards.
Low risk transactions
If a transaction is deemed to be low risk following a real-time risk analysis, SCA may not be required. However, complex conditions are imposed, as merchants have to rely on a payment service provider (PSP) (e.g. an acquirer) to act upon their exemption request. The PSP must, however, satisfy the additional prescribed conditions.
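As an added illustration (not from this article, and not any bank’s or payment provider’s code), the following Python models the two-category factor check and walks the exemptions listed above in the order an issuer might apply them before deciding whether to challenge a payment. The method-to-category mapping, the channel labels, and the resetting of the low-value counters after a successful SCA are assumptions made for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal
# Thresholds as stated in the article, in euros.
LOW_VALUE_LIMIT = Decimal("30")        # payments below this are "low value"
LOW_VALUE_CUMULATIVE = Decimal("100")  # running total of low-value payments since last SCA
LOW_VALUE_MAX_COUNT = 5                # consecutive low-value payments allowed since last SCA
# Assumed mapping of authentication methods onto the three SCA categories.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "card_details": "knowledge",
    "phone_app": "possession", "smart_card": "possession", "token": "possession",
    "fingerprint": "inherence", "face": "inherence", "voice": "inherence",
}
def sca_satisfied(methods):
    """Two factors from *different* categories are needed; a password plus a PIN is not SCA."""
    return len({FACTOR_CATEGORY[m] for m in methods}) >= 2
@dataclass
class PayerState:  # per-payer counters an issuer would keep (constructed for this example)
    low_value_count: int = 0                  # consecutive low-value payments since last SCA
    low_value_total: Decimal = Decimal("0")   # their running total
    trusted_merchants: set = field(default_factory=set)
    recurring_done: set = field(default_factory=set)  # (merchant, amount) pairs already SCA'd once

def sca_required(state, merchant, amount, channel="online", low_risk=False):
    """Walk the exemptions in the order the article lists them; return (required, reason)."""
    amount = Decimal(str(amount))
    if channel in ("phone", "corporate"):
        return False, f"{channel} payments are outside SCA scope"
    if merchant in state.trusted_merchants:
        return False, "merchant whitelisted by the payer"
    if (merchant, amount) in state.recurring_done:
        return False, "recurring fixed-amount payment after the initial SCA"
    if amount < LOW_VALUE_LIMIT:
        if (state.low_value_count >= LOW_VALUE_MAX_COUNT
                or state.low_value_total + amount > LOW_VALUE_CUMULATIVE):
            return True, "low-value count or cumulative cap exceeded"
        return False, "low-value exemption"
    if low_risk:
        return False, "PSP real-time risk analysis rated the payment low risk"
    return True, "no exemption applies"

def record_payment(state, merchant, amount, authenticated):
    """Update counters after the payment; an SCA-authenticated payment resets them (assumption)."""
    amount = Decimal(str(amount))
    if authenticated:
        state.low_value_count, state.low_value_total = 0, Decimal("0")
        state.recurring_done.add((merchant, amount))
    elif amount < LOW_VALUE_LIMIT:
        state.low_value_count += 1
        state.low_value_total += amount
```

Note that in this model the sixth consecutive €10 payment is challenged even though each one is below €30, and three €29 payments followed by a fourth are challenged because the running total would pass €100.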
It is worth noting that, like so many laws at EU and UK level in recent times, this is all about consumer protection. This newest element of PSD2 is deliberately designed to increase security measures for online transactions and assist with the development of payments. However, there is no getting away from the fact that the day-to-day impact of SCA will be to:
Increase IT costs to travel businesses as you adapt your systems to make sure all will run smoothly. We recommend that you check in with your merchant services providers on this, if you haven’t already;
Increase the likelihood of declined payments generally, especially in the early days. Your systems and staff need to be ready to explain and be patient with those booking!
TravLaw are the providers of BETA’s Legal Hotline
If you are interested to know more about PSD2 or the implementation of PSD2 within your business, feel free to contact Kate or Luke.