PSD2 in 2022
A Comprehensive Guide
If you’re running an eCommerce business in the European Economic Area (EEA), you’re likely already familiar with the European Union’s second Payment Services Directive (PSD2). Many elements of this legislation have been in place since 2018, impacting businesses and consumers in significant ways. Customer-initiated electronic payment transactions must go through strong customer authentication (SCA) unless they qualify for an exclusion or exemption.
However, the SCA adds friction to the payment process, resulting in a higher checkout abandonment rate. Additionally, merchants report losses due to 3DS and authentication failures.
The deadline to comply with PSD2’s SCA requirement has come and gone for countries in the EEA. However, the Financial Conduct Authority (FCA) extended the deadline for the UK, with full SCA enforcement taking effect in that country on March 14, 2022.
What does this mean? It means that on March 14, 2022, UK payment service providers (PSPs) will be required to decline electronic payment transactions that don’t comply with PSD2’s SCA requirement.
The UK is no longer a contracting party to the EEA agreement after leaving the EU on January 31, 2020. However, the UK government has adopted PSD2 into national law, in the same way it has done with legislation like GDPR.
PSD2
The second Payment Services Directive is legislation governed by the European Commission. PSD2 aims to promote mobile and digital payment innovation and provide consumers a more secure process for electronic payments. It also aims to create a level playing field for new fintechs by encouraging open banking, mandating that banks and financial institutions provide open banking application programming interfaces (APIs) to regulated third-party providers (TPPs).
Who does PSD2 apply to?
PSPs and Financial Institutions in the EEA:
The law includes technical requirements involving authentication that PSPs and financial institutions need to implement. It also requires that these companies follow specific rules regarding customer-initiated electronic payments and customer payment accounts.
eCommerce Businesses in the EEA:
While PSD2 is mainly directed at PSPs and financial institutions, the law impacts eCommerce sites accepting payments and businesses or services using payment or customer data. PSD2 also impacts services that assist in the electronic payment process.
Businesses Accepting Contactless Offline Payments in the EEA:
PSD2 also impacts businesses in the EEA that accept contactless offline payments.
Companies with EEA Business Units:
Global companies with business units in the EEA should understand the requirements of PSD2. If a business receives a significant portion of web traffic or shoppers from the EEA or UK, it should consider taking steps to comply with PSD2, particularly the SCA requirement.
What is the SCA requirement?
PSD2 requires PSPs to apply strong customer authentication to customer-initiated electronic payment transactions and contactless offline payments within the EEA. SCA also applies when a customer accesses their payment account online. SCA is a type of multi-factor authentication — commonly referred to as two-factor authentication (2FA) — where the user validates their identity using two out of three of the following:
Something they know:
e.g., a password, PIN, or passphrase.
Something they have:
e.g., a smartphone, smartwatch, or smart card.
Something they are:
e.g., a fingerprint, facial features, or voice patterns.
Most PSPs use 3D Secure (3DS) to apply SCA to payment transactions and account logins. 3DS is a technology created by Visa and Mastercard to securely authenticate users. However, 3DS adds friction to the customer journey and leads to an increase in false declines, 3DS failure, and authorization failure. 3D Secure 2 (3DS2) offers users a better experience than 3DS, but the best customer experience is one without 3DS altogether. Fortunately, PSD2 includes a number of exemptions to avoid SCA.
What are the SCA exemptions?
PSPs can process payment transactions without SCA if they are eligible for one of the available SCA exemptions:
Transaction Risk Analysis:
The most common type of exemption is the Transaction Risk Analysis (TRA) exemption. This exemption allows a PSP or acquirer to secure payment transactions valued below 500 Euros using transaction risk analysis instead of SCA. TRA exemptions are based on the transaction value and the overall fraud rate of the PSP:
TRA Exemption Tiers:
Transaction Value    PSP Overall Fraud Rate
< €500               0.01% / 1 bps
< €250               0.06% / 6 bps
< €100               0.13% / 13 bps
PSD2 also shifts the fraud liability from the merchant or business to the acquirer (typically a bank). Every merchant in a bank’s portfolio contributes to the bank’s overall fraud rate. So, many banks require that merchants keep their fraud rate as low as possible. The acquiring bank’s overall fraud rate impacts its ability to remain eligible for receiving TRA exemptions.
Low Value Transactions: Transactions valued below €30 do not require SCA if certain conditions are met. For example, the number of consecutive transactions since the last SCA must not exceed five. Also, the cumulative value of successive exempted transactions must not exceed €100.
Recurring Transactions: For recurring payments with the same amount each time, the first payment must have SCA, but the subsequent payments don’t require it.
Trusted Beneficiaries: The customer may have the option to whitelist a merchant, so they don’t have to go through SCA every time. The payer does have to complete SCA before adding a merchant to a list of trusted beneficiaries maintained by the payer’s card issuer or a PSP. Some banks may not yet support this exemption though.
Contactless Offline Payments: Transactions valued at €50 or less involving contactless offline payments at the point of sale are exempt from SCA under certain conditions. For example, the number of consecutive transactions since the last SCA must not exceed five. Also, the cumulative value of consecutive exempted transactions must not exceed €150.
Corporate Payments: Payment methods only available to corporate payers and not individuals — e.g., virtual card numbers, lodge cards — are exempt from SCA. These payments are made via dedicated and secure corporate payment processes and protocols.
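The TRA tiers, the low-value rule and the contactless rule above combine into a small stateful decision: the issuer must know the PSP's fraud rate and, per card, how many exempted transactions and how much value have accumulated since the last SCA. The following Python is an added example written for this guide; it is not Forter's code, not any issuer's or PSP's implementation, and not a statement of the regulation itself. It assumes fraud rates are expressed as fractions (0.0001 == 0.01% == 1 bps), keeps separate counters for remote and contactless transactions, and takes the conservative reading that every exempted remote transaction counts toward the low-value limits. Trusted beneficiaries, recurring series and corporate instruments are lookups the issuer performs and are not modelled.

```python
from dataclasses import dataclass

# TRA tiers from the table above, strictest first:
# (maximum PSP fraud rate as a fraction, highest transaction value that may be exempted).
TRA_TIERS = [(0.0001, 500.0), (0.0006, 250.0), (0.0013, 100.0)]

# Low-value remote transactions: below €30, at most five since the last SCA, cumulative <= €100.
LOW_VALUE_LIMIT, LOW_VALUE_MAX_COUNT, LOW_VALUE_MAX_CUMULATIVE = 30.0, 5, 100.0
# Contactless point of sale: €50 or less, at most five since the last SCA, cumulative <= €150.
CONTACTLESS_LIMIT, CONTACTLESS_MAX_COUNT, CONTACTLESS_MAX_CUMULATIVE = 50.0, 5, 150.0


@dataclass
class CardCounters:
    """State the issuer keeps per payment instrument since the last SCA.
    Separate remote and contactless counters are an assumption of this example."""
    remote_count: int = 0
    remote_cumulative: float = 0.0
    contactless_count: int = 0
    contactless_cumulative: float = 0.0


def tra_ceiling(psp_fraud_rate: float) -> float:
    """Highest value a PSP with this fraud rate may exempt under TRA; 0.0 if none."""
    for max_rate, ceiling in TRA_TIERS:
        if psp_fraud_rate <= max_rate:
            return ceiling
    return 0.0


def decide(amount: float, contactless: bool, psp_fraud_rate: float,
           counters: CardCounters) -> str:
    """Return the exemption that applies ("tra", "low_value", "contactless") or "SCA".

    An exempted transaction adds to its channel's counters; an SCA challenge resets them,
    because the counting rules are defined "since the last SCA".
    """
    if contactless:
        within_limits = (amount <= CONTACTLESS_LIMIT
                         and counters.contactless_count < CONTACTLESS_MAX_COUNT
                         and counters.contactless_cumulative + amount <= CONTACTLESS_MAX_CUMULATIVE)
        if within_limits:
            counters.contactless_count += 1
            counters.contactless_cumulative += amount
            return "contactless"
        counters.contactless_count = 0
        counters.contactless_cumulative = 0.0
        return "SCA"

    exemption = None
    if amount < tra_ceiling(psp_fraud_rate):
        exemption = "tra"
    elif (amount < LOW_VALUE_LIMIT
          and counters.remote_count < LOW_VALUE_MAX_COUNT
          and counters.remote_cumulative + amount <= LOW_VALUE_MAX_CUMULATIVE):
        exemption = "low_value"

    if exemption is None:
        counters.remote_count = 0
        counters.remote_cumulative = 0.0
        return "SCA"
    # Conservative reading: every exempted remote transaction counts toward the low-value limits.
    counters.remote_count += 1
    counters.remote_cumulative += amount
    return exemption


def run_sequence(amounts, contactless: bool, psp_fraud_rate: float):
    """Feed a constructed sequence of amounts for one card through decide()."""
    counters = CardCounters()
    return [decide(a, contactless, psp_fraud_rate, counters) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: a PSP at 20 bps gets no TRA ceiling, so only the low-value
    # rule applies; the fifth €25 purchase breaches the €100 cumulative cap and forces SCA.
    print(run_sequence([25.0] * 6, False, 0.002))
    # A PSP at 1 bps may exempt up to €500 under TRA; €600 still needs SCA.
    print(run_sequence([450.0, 600.0], False, 0.0001))
```

The fourth €25 purchase is still exempt (cumulative exactly €100), the fifth is not, and the SCA challenge resets the counters so the sixth is exempt again; the same shape applies to the contactless counters with their €50 and €150 limits.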
What transactions are out-of-scope?
Some transactions are out of the scope of SCA, such as mail order and telephone sales (MOTO), transactions involving anonymous payment instruments, and transactions where the acquirer or issuer operates outside the EEA (“one leg out” transactions). You can find a complete list of out-of-scope transactions on the European Banking Authority (EBA) website.
What does PSD2 mean for banks & financial institutions?
PSD2 creates two new kinds of authorized payment institutions or third-party providers:
Account Information Service Provider (AISP)
Provides aggregated account or available balance information for one or more payment accounts the payment service user owns.
Payment Initiation Service Provider (PISP)
Initiates payment orders at the request of a payment service user with respect to a payment account held at another PSP.
Banks, merchants, fintech companies, and insurance companies are all eligible to become TPPs under PSD2. The law allows regulated TPPs to directly access a customer’s bank account details (with the customer’s consent) under certain conditions — referred to as “Access to Account” or XS2A. The law mandates that banks provide APIs that TPPs can use to access bank account details.
How to optimize for PSD2
Here are a few things that can help you prepare for PSD2 compliance and optimize the payment process:
If you're a PSP or Financial Institution:
Choose which version of 3DS to implement or plan for — 3DS2.2 or 3DS2.3 — and decide how you will approach 3DS. We recommend that you apply 3DS on a case-by-case basis instead of every transaction.
Implement a mechanism for handling SCA exemptions and out-of-scope transactions in real time.
Offer your clients dynamic 3DS based on customer profiles so that 3DS is automatically applied based on the risk factors for each identity along with eligible TRA exemptions.
Implement a mechanism for routing failed exemption and exclusion requests to 3DS.
Offer your clients a solution with real-time fraud decisioning, so that they can reduce their fraud rates, and in turn, you reduce your overall portfolio fraud rate — which is vital for TRA exemptions.
Add additional reporting functionality to enable merchants to track their full funnel.
If you’re an eCommerce Business:
Ask your PSP what level of exemptions they can offer based on your overall fraud rate. The goal is to determine how likely their issuing bank is to grant exemptions.
Add pre-auth fraud decisioning to your eCommerce platform to improve your risk profile with banks and increase the approval rate for authorizations.
Use a TRA exemption engine to identify as many eligible SCA exemptions as possible, automatically requesting those exemptions from your PSP.
Consider adding a second payment processor to reduce your dependency on a single decision maker. Multiple PSPs mean more options for routing and rerouting transactions.
Implement a solution with decline recovery so that you can recover transactions where bank authorization failed, rerouting them to alternate payment processors in real time.
Add additional reporting to track 3DS abandonment, 3DS failure, and authentication failure.
How Forter can help: A smart approach to PSD2
Forter offers businesses a more intelligent approach to PSD2, enabling them to maximize their SCA exemptions to reduce friction and drive more successful transactions while maintaining PSD2 compliance. Our PSD2 Solution makes real-time payment decisions and routes transactions through 3DS only when necessary to ensure the transaction is successful. In addition to this intelligent recommendation functionality, we also provide 3DS execution for businesses that need it. While it’s no secret that SCA can introduce complexity and friction into the buyer journey, when you optimize the process with a solution like Forter you can improve the customer experience and increase revenue while staying compliant.
For a more comprehensive approach to your payment optimization, explore Forter’s full Smart Payments offering. Smart Payments applies Forter’s machine-learning technology to optimize merchants’ processor routing and decline recovery, in addition to customer authentication through 3DS. When businesses streamline their entire eCommerce payment flow, they can significantly increase their approval rates, reduce friction and cart abandonment and maximize their revenue.
© 2022, Forter Inc all rights reserved.
“When [Forter] showed us how they could also increase conversion rates while complying with PSD2, we moved forward... the results were immediate. Smart Payments is a game-changer for our business.”
Sian Woods
Global Head of Security Operations & Fraud