An implementation period of 18 months was set, which now expires on September 14. Germany had already transposed the directive into national law at the beginning of the year, on January 13, 2018. Among other things, the directive includes new requirements for customer authentication and online payment transactions, as well as bank account access by third-party providers. The aim is also to ensure fairer competition between traditional banks and new payment service providers.
A simple password is no longer sufficient for PSD2
The name PSD2 stands for Payment Service Directive 2 and describes the second Payment Services Directive issued by the EU.
Part of this directive is SCA, which stands for Strong Customer Authentication. SCA is intended to curb fraud in electronic payments.
For the user, this means that in future it will no longer be sufficient to enter a normal user ID or PIN to log into an account. Online payment transactions could therefore prove to be more complicated under certain circumstances.
Two-factor authentication for greater consumer security
According to PSD2, increased security is to be achieved through two-factor authentication (2FA).
It takes place before an online payment is executed, ties the payment data more reliably to the person initiating it, and thus prevents misuse.
Previously, it was usually sufficient to enter a password or credit card number in similar cases. The new regulation, however, provides for three different ways in which the customer can identify themselves:
- Knowledge (data that only the customer can know, e.g. passwords, PINs, security questions)
- Possession (things that only the consumer can own, e.g. cards, cell phones, or wearables such as smartwatches)
- Inherence (properties that are unique to the consumer, e.g. biometric data such as a fingerprint, facial recognition, or an iris scan)
During a payment transaction, the customer must present two security features drawn from two of these three categories.
The principle of 2FA is not entirely new, as it is already used for card payments with PIN entry. From now on, however, it will be mandatory for almost all electronic payment transactions.
Exceptions for two-factor authentication
Excluded from this are direct debits, as well as payment on account and prepayment. In these cases, the payment is initiated not by the consumer but by the payee.
There are other exceptions to two-factor authentication in PSD2:
- Online payments under 30 euros and contactless payments up to 50 euros;
- Payments under 500 euros if the transaction is classified as low-risk (the threshold depends on the average fraud rate of the payment service provider concerned);
- Payees that the customer, companies and banks have whitelisted as trustworthy payment recipients;
- Further exceptions in the B2B area and for recurring transactions such as subscription systems.
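The two-of-three rule for SCA factors and the exemption list above, expressed as a small decision routine. This is an added Python example, not code from the original article; the field names, the channel labels, the exemption names and the order in which the exemptions are tested are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the customer knows (password, PIN)
    POSSESSION = "possession"  # something only the customer has (card, phone)
    INHERENCE = "inherence"    # something the customer is (fingerprint, face)

@dataclass
class Payment:
    amount_eur: float
    channel: str                      # assumed labels: "online" or "contactless"
    low_risk: bool = False            # outcome of the provider's transaction risk analysis
    payee_whitelisted: bool = False   # payee on the customer's trusted list
    recurring: bool = False           # e.g. a subscription charge
    payee_initiated: bool = False     # direct debit, payment on account, prepayment
    # (category, verified) pairs presented during this transaction
    factors: List[Tuple[Factor, bool]] = field(default_factory=list)

def sca_exemption(p: Payment) -> Optional[str]:
    """Return the exemption that applies, or None if SCA is required.
    Thresholds follow the article: <30 EUR online, <=50 EUR contactless,
    <500 EUR when the transaction is classified as low-risk."""
    if p.payee_initiated:
        return "payee-initiated"
    if p.payee_whitelisted:
        return "trusted-beneficiary"
    if p.recurring:
        return "recurring"
    if p.channel == "contactless" and p.amount_eur <= 50:
        return "low-value-contactless"
    if p.channel == "online" and p.amount_eur < 30:
        return "low-value-online"
    if p.low_risk and p.amount_eur < 500:
        return "transaction-risk-analysis"
    return None

def sca_satisfied(factors: List[Tuple[Factor, bool]]) -> bool:
    """Two verified factors from two *different* categories.
    A password plus a security question are both 'knowledge' and do not count."""
    categories = {f for f, ok in factors if ok}
    return len(categories) >= 2

def authorize(p: Payment) -> Tuple[bool, str]:
    """Exemptions are checked first; otherwise the presented factors must satisfy SCA."""
    ex = sca_exemption(p)
    if ex is not None:
        return True, "exempt: " + ex
    if sca_satisfied(p.factors):
        return True, "sca ok"
    return False, "sca required"
```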
It will be easier for a third-party provider to access the consumer’s account directly. A bank no longer has to intervene. Traditional banks must provide interfaces for third-party providers for this purpose. Under certain circumstances, banks are then obliged to pass on customer data to the third-party provider. This is intended to ensure fairer competition between banks and the new payment service providers.
New payment service providers are subject to banking supervision under PSD2
In return, third-party providers are subject to banking supervision, which means that a third-party provider requires a license from the German Federal Financial Supervisory Authority (BaFin) in order to be active on the market. BaFin creates a list of recognized and reliable payment service providers to provide consumers with guidance.
The new directive differentiates between third-party providers:
- Payment initiation services (instructed by the customer to execute a transfer debited from the customer's account, e.g. PayPal).
- Account information services (e.g. apps that give consumers an overview of their various bank accounts; the information is retrieved and processed on the customer's behalf).
With regard to customer data, third-party providers are subject to the GDPR and must specify in detail in their data protection provisions which data is used for which purpose.
However, control remains with the consumer, who must give their explicit consent if a third-party provider wishes to access their accounts.
Adaptation and legal consequences
In future, it will be important for merchants to check whether the service providers they work with also meet the requirements of PSD2.
In particular, if companies have to pass on more than the previous customer data to payment service providers, it is advisable to adapt the general terms and conditions and, if necessary, the data protection provisions.
If the necessary changes are neglected here, such omissions will in all likelihood be formally challenged by competitors under competition law and fined by the responsible data protection authorities.
Update: No objections before December 31, 2020
According to a report by heise online, BaFin will follow the recommendation of the European Banking Authority (EBA) and "will not object if payment service providers based in Germany carry out online card payments without the strong customer authentication required by PSD2 until December 31, 2020". However, given the scope of the necessary adjustments alone, online merchants are still well advised to implement the requirements promptly.