The Second Payment Services Directive (PSD2) is a fundamental piece of payment legislation in Europe. Through the implementation of EBA Regulatory Technical Standards (RTSs), many of its elements, including provisions on Strong Customer Authentication (SCA), were to become effective on September 14, 2019. However, through an opinion published in October 2019, the European Banking Authority (EBA) pushed back this deadline and recommended a period of non-enforcement of SCA measures with respect to card-based e-commerce transactions up until December 31, 2020.
The PSD2 and accompanyingregulations drastically impact the financial ecosystem and infrastructure for banks, payment service providers, fintech’s and businesses using payment data for the benefit of consumers.
The revised directive aims to better align payment regulation with the current state of the market and technology. It introduces security requirements for the initiation and processing of electronic payments as well as for the protection of consumers’ financial data. It also recognises and regulates third-party providers (TPPs) that are allowed to access or aggregate account data and initiate payment services, thereby encouraging greater competition, transparency and innovation throughout. In short, PSD2 aims to facilitate consumer access to banking data and drive innovation by obliging banks to exchange customer data securely with third parties.
Impacts on banks, payment service providers and third-party providers (TPPs)
European payment providers and banks are required to enforce SCA for card-not-present payments from December 2020 and are subject to strong enforcement action if they fail to do so. Merchants that fail to adopt solutions such as EMV 3DS (the evolution of 3D Secure and the preferred SCA solution) face severe losses in transaction volume due to an increased card decline rate for non-3DS authenticated payments. Following the expiry of the SCA enforcement deadline, merchants will not be able to process any card transactions without having integrated a compliant version of 3DS. Issuers will not be adopting a risk-based approach in this regard and will proceed to decline all online card payments that aren’t SCA approved. As a result, the last months have seen huge inroads being made towards the achievement of such goals, such as the recent news from card giant VISA which has transformed its ‘Verified by Visa’ authentication measures into a new programme for frictionless payments.
This fundamental piece of payment legislation is here to stay
The new programme provides rules and polices that merchants and issuing-payment providers have to follow to authenticate e-commerce transactions and verify cardholder identity before a transaction can be authorised. It has committed to a number of milestones in the near future, with the next one due on July 1, 2020, whereby VISA shall be introducing an issuer-behavioural fee for abandoned EMV 3DS transactions. MasterCard has followed suit and has chosen a similar date for all parties in the EEA to achieve market readiness for 3DS.
Getting there ‒ now it’s doable
The complexities behind the introduction of SCA measures were undoubtedly underestimated. To implement these requirements, two factors needed to come together across the whole range of applicable transactions. On the payments side, one had to identify in-scope transactions and responsibilities and seek clarity on how to interpret ‘grey areas’ emanating from EBA RTSs, all while coordinating multiple entities across industry sectors. On the technical and security side, the challenge undoubtedly lay in defining and developing solutions to meet RTS requirements.
The original timescale proposed for the implementation of the RTSs was ambitious – necessarily so as pressure needed to be exerted on the industry to drive the change – but what this proposal seemingly misgauged was the many scope implications needed to be tested out, responsibilities to be defined, technical solutions to be considered and the many actors in the payment chain requiring coordination.
In many ways, therefore, September 14, 2019, was an unrealistic date from the outset, even if the EBA was of the view that the payment industry had ample time to prepare and be fully compliant. Nevertheless, by setting a hard date and pushing market players to meet it, we are now at a stage where most unknowns have been identified, clarified and defined.
The extension to the deadline itself has gotten mixed reviews, with some jurisdictions committing to the new December 2020 date and others setting up their own deadlines throughout 2021.
The COVID-19 crisis has cast further doubt on whether the market shall be compliant by the proposed date, with the EBA stating that they shall be monitoring the impact of COVID-19 on the industry’s readiness to implement SCA in their recently published response to the crisis. Only time will tell whether enforcement will happen by the revised date but one thing is certain: this fundamental piece of payment legislation is here to stay.
Daniel Attard, Senior consultant at Seed
Independent journalism costs money. Support Times of Malta for the price of a coffee.Support Us