PSD2

Conversion to Compliance: How PSD2 Affects Your Business

Regulators in the EU and UK markets have implemented several sweeping overhauls to payment standards in recent years. Their goal was to create a more standardized, universal payments space; one banking standard “to rule them all,” if you will. The revised Payment Service Directive, or PSD2, is a prominent example.

PSD2 should have opened a world of new opportunities for consumers and businesses. But, like any significant policy change, regulators left a fair amount to be desired.

In this article, we’ll go over what PSD2 is, who it pertains to, and the effects it’s had on commerce since implementation. We’ll also consider where we might go from here, and how businesses should respond.

What is PSD2?

The original Payment Service Directive was put in place to facilitate pan-European competition, increase consumer protections, and standardize the rights and obligations of payment providers and users. The PSD worked to some extent, but a number of issues remained. For instance, entities that could operate as financial institutions in one country might not be able to do so in another, or the standards for best practices might differ across borders.

Enter PSD2.

Revised Payment Services Directive (PSD2)

[noun]/* rǝ • vīzd • pā • muhnt sur • vis • es • dǝ • rek • tiv/

The Revised Payment Services Directive (PSD2) is a ruleset administered by the European Commission. Its purpose is to regulate payment services and payment service providers throughout the European Union and European Economic Area, allowing new entities to operate as financial institutions with proper oversight.

Building on the original directive, PSD2 goes even further in creating a more integrated and competitive market. It breaks down barriers to entry for new payment services. Thus, PSD2 should benefit consumers by creating a more competitive market (in theory).

PSD2 also focuses on greater data security standards. It mandates Strong Customer Authentication standards and expands overall consumer rights. The directive limits costs associated with card payments and mandates better fraud protection for consumers.

PSD2 &  Third-Party Banking Providers

Consumer trust issues have underscored the belief that banks are safer than third-party entities. At issue is the fact that the banking business is hard to get into. The extensive security protocols and licensing requirements create a significant obstacle for newcomers. PSD2 regulations are changing this situation.

Platforms like PayPal, Apple Pay, and others are gaining increasing acceptance. Consumers have demonstrated more faith in outside services year over year. At the same time, PSD2 will continue to make it easier for non-banks to enter the financial service arena.

Perhaps the biggest change resulting from PSD2 concerns Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs). Under the new PSD2 regulations, both consumers and businesses operating in the EU are free to use these third parties to fill roles previously restricted only to banks.

What are AISPs and PISPs?

PSD2 allows for more open banking. This means, for example, that sites like Facebook and Google can now offer their users a host of new financial services.

Options range from checking balances and information on multiple accounts to making online payments via direct transfer of funds instead of using a credit or debit card. These services can be specific, or can be provided all within the same platform by an account information service provider (AISP) or a payment initiation service provider (PISP).

What are the Benefits Offered by AISPs and PISPs?

The introduction of AISPs and PISPs allows non-banks to provide specific financial services, unburdened by traditional business models. Theoretically, a third-party resource's allowable financial services can “piggyback” on a bank’s existing infrastructure. This is made possible using open APIs (Application Program Interfaces).

The kind of open banking this facilitates means companies can offer credit faster and more easily, with less restrictions. They can also facilitate a smoother process, with more redundancies in security checks.

This does not mean, of course, that banks are out of the picture. Banks are obligated to provide third-party players with access to customers’ accounts, assuming the account holder grants permission. But, AISPs and PISPs are still not banks; there are services they will be legally prohibited from offering.

There are other concerns to keep in mind, too. For instance, having third-party platforms provide services through banks means adding another entry point to a given transaction chain. Every entry point has the potential of being a weak link in that chain…a fact fraudsters are sure to exploit.

Who Must Comply with PSD2?

PSD2 applies to payment service providers and financial institutions in the EEA. The rules outline authentication requirements that each party is expected to implement. They also impose specific rules regarding customer-initiated electronic payments and customer payment accounts.

The law impacts eCommerce sites, too. It can impact any business that accepts payments from consumers, or businesses or services using payment or customer data and services that assist in the electronic payment process.

Regulators extended the deadline for PSD2 compliance for several years. However, the final deadline for PSD2 compliance was March 14, 2022. Now, customer-initiated electronic payment transactions must go through strong customer authentication protocols unless they qualify for a very specific exclusion or exemption.

SCA Exemptions Allowed Under PSD2

Essentially, everyone who takes or manages payments in the EU or UK must be PDS2 compliant for most transactions. There are, however, a few exceptions to the rule that may apply in specific circumstances.

Possible SCA exemptions include:

Other exemptions may apply in the future, as PSD2 regulations are relatively new. While this might offer a bit of a break from these behemoth changes to well-established payment routines, merchants are less enthusiastic about the changes.

Merchant Issues With PSD2

PSD2 implementation has gone fairly smoothly for most parties. This probably owes to the several years of delays allowed for the compliance deadline. That said, there are three points at which PSD2 adoption has negatively impacted operations:

Maintaining an optimized customer experience is already a challenge. However, PSD2 has exacerbated the matter. Today’s consumers value smooth-yet-flexible service at least as highly as security (if not higher). Merchants often struggle to find ways to provide a frictionless experience, especially since implementing the required security measures causes friction, almost by definition.

SCA security protocols are a step in the right direction for consumers, merchants, and banks. But, finding a way to implement that security without negatively influencing the customer experience is proving problematic.

The Consumer’s right to file chargebacks on credit and debit card purchases is guaranteed under the Fair Credit Billing Act of 1974 in the US. It is covered in the UK by Section 75 of the Consumer Credit Act. Customer disputes are different with PISPs, though. Since these are not credit or debit card transactions, there’s no guarantee that a service provider can resolve customer disputes when goods or services aren’t received.

Of course, the system is in desperate need of an update for the eCommerce age in general. Chargebacks are widely abused and used to commit friendly fraud. That said, chargebacks remain an essential consumer protection tool, ensuring that consumers won’t pay the price for fraud.

Thus far, PISPs have not proved themselves in the arena of disputed transactions just yet. Many merchants have seen little-to-no fluctuations in the frequency of disputes, aside from a general rise in post-pandemic CNP transactions and their resulting chargebacks. This is a “remains to be seen” situation.

If you have any transactions with parties in the EU, the PSD2 will affect your business, no matter which side of the pond you call home. Merchants in North America will need to abide by some (though not all) of the new regulations to access consumers in EU member states.

Another significant concern circling the globe due to PSD2 compliance is the increased reliance on 3-D Secure 2.0 technology. Since PSD2 requires SCA to verify users, many merchants sought 3DS solutions to comply with the directive. This turned out to be a mistake, as PSD2 affects every aspect of 3DS software with some startling side effects.

Authentication failures like false declines, abandonment, and a loss of consumer trust are just a few examples of the problems resulting from too many safeguards in place at once. Heightened security is a great thing, but that security can lead to lost revenue and even chargebacks when technical issues arise. 3DS tends to trigger issuer declines to combat fraud, and due to its sensitivity… merchants are feeling the backlash in their conversion rates.

How Does PSD2 Affect Conversion?

Frankly, the PSD2 impact on conversion hasn’t been great, and 3DS is only making the situation worse. Comparing 3DS conversion rates with non-3DS transactions paints a relatively clear picture of PSD2’s failings across the EU.

Decrease in Conversions per Country Post-PSD2:

Great Britain	Germany	France	Spain	Italy
25-30%	50%	40-50%	40%	40-50%

(Source: Forter)

Referring to this graph, we can see the European market was not prepared for the new regulations. High customer abandonment rates and 3DS failures are causing undue frictions between merchants and cardholders. Those cardholders, in turn, have become accustomed to near-seamless payment portals.

According to Forter, high 3DS authentication declines result from technical failure or issuer decline. This indicates that the payment ecosystem is not fully prepared to handle the new regulation.

How Can Merchants Counteract Pitfalls and Remain PSD2 compliant?

Despite merchant conversion rates, chargebacks, or other concerns that deeply affect global markets due to the regulation, PSD2 is the law of the land.

Merchants want to get ahead of the game and remain PSD2 compliant. To do so, a simple fix might be to disable any 3DS technology they’ve enabled and shift focus to other fraud prevention solutions for the moment.

Preventing fraud and chargebacks should always be paramount for merchants seeking to improve their bottom line, but doing so ethically, intelligently, and with an eye for practicality is best.