Europe’s PSD2 ‘could re-direct fraud to other regions’
by Graham Buck
Research on the consequences for the global online payments market of the European Union’s revised Payment Services Directive (PSD2) concludes that the stricter requirements for fraud prevention will drive fraud to other regions such as the US. It also finds that most companies are unprepared for PSD2.
The report, PSD2: Advent of the New Payments Market in Europe, is produced by security software provider iovation working with research and advisory firm Aite Group.
By September 2019 payment service providers (PSPs) in the European Economic Area (EEA) are required to comply with the directive's requirements for strong customer authentication (SCA) and third-party access to bank accounts or risk their payment provider licence being revoked.
Lack of awareness
However, the report cites a recent study by Mastercard that found only 25% of European online merchants are aware of SCA requirements under PSD2, while 14% already support SCA, 28% said they will be SCA ready by September and 24% have no plans to support SCA.
The report notes that since companies providing payment services in the EEA are subject to the regulation, even businesses with headquarters outside Europe might need to comply.
“The zeitgeist of regulations with extra territorial effect like the general data protection regulation (GDPR) continues with PSD2,” said iovation compliance manager, Mark Weston. “This will have long-standing operational implications to companies wherever they are based.
“The merchants that succeed post PSD2 will be those that make consumer authentication as effortless as possible through methods like 'invisible' device-based authentication and biometrics. And with the likes of Facebook and Google becoming payment processors, merchants are going to have to compete with an ever-widening marketplace.”
PSD2 requirements
PSD2 introduces two major changes:
- Strong customer authentication: PSPs must apply two or more (multifactor) authentication methods for all electronic transactions unless such transactions qualify as "low risk."
- Third party access to payment accounts: Banks, card issuers and other financial institutions holding payment accounts must provide access to third-party payment service providers for the following services:
i) Account information services like balance and transaction information;
ii) Initiating payments directly from customers' bank accounts;
iii) Availability of funds check to see if there are sufficient funds in the cardholder's bank account.
“PSD2 changes the rules of the game for the global payment industry and is based on some of the same principles that constituted GDPR, enforcing consumer protection and security requirements on companies operating in the EU,” said Aite Group senior analyst, Ron van Wezel.
“Varying choices in the implementation of the SCA requirements on a country and individual bank level, differences in interpretation of the directive, and different timelines may create confusion that merchants have to navigate. Businesses should be sprinting to get their house in order.”