“Compliance and legislation are my favourite things to think about,” said no one ever (unless you’re part of a compliance team, in which case this article is not for you).
For most people, staying on top of the regulations that govern payments is arduous. But it is also very important. If you’re not compliant, you don’t just risk losing money through failed authorisations, declined transactions and hefty fines; you also risk severe reputational damage.
One that has been on everyone’s radar recently is the second Payment Services Directive (PSD2); its strong customer authentication rules became mandatory in the UK in March 2022. We’ve put together this article to keep you up to speed on what this means for you as a business, and how you can navigate compliance with confidence.
What is PSD2?
The original PSD was adopted in the European Union in 2007. It was brought in to establish a single payment market in the EU, encouraging safer, more efficient payment processes in the digital age.
Its successor, PSD2, extends the reach of the original legislation. Adopted in 2015, it focuses on reducing fraud through strong customer authentication (SCA) and on regulating third-party access to payment accounts, which banks must expose through application programming interfaces (APIs). This puts customers in control: a third party can only reach an account after the customer has explicitly consented. For example, when shopping on their phone a customer receives a prompt along the lines of ‘Do you agree to share your data with us on the terms above?’ and must accept before anything is shared. Stating the purpose for which customer data is captured and stored matters here, both for clarity and for consistency with that consent.
PSD2 applied in all EU member states from January 2018, ensuring that every payment service provider (PSP) is supervised and follows the same rules. Enforcement of its SCA requirements came later: the UK deadline was extended several times before finally landing in March 2022.
Who's affected by PSD2?
PSD2 is aimed at banks and payment service providers in the EEA. But if your business has operations or offices in the EU, even if you’re headquartered elsewhere, you must still comply. The same goes if you’re considering an expansion into EU markets: you’ll need to act in accordance with the legislation.
As part of PSD2, businesses must apply SCA to customers paying online from within the European Economic Area (EEA), whether it’s the first payment of a recurring series or a one-off high-value purchase. Issuing banks will decline transactions that should have been authenticated but weren’t, so you don’t want to get it wrong and lose revenue.
Although it was built to benefit customers shopping online, there are some things they also need to keep in mind if they want their transaction to pass SCA seamlessly.
It used to be the case that people simply used a username and password. But details are easily forgotten, and storing them in a browser for automatic fill exposes customers to compromise. That’s why SCA requires authentication with two independent factors drawn from two of three categories: something they know (a password or PIN), something they own (a smartphone or card), and something they are (biometrics). Two factors from the same category, such as a password and a security question, do not count.
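To make the category rule concrete, here is a small added example (written for this article, not Adyen’s code) that checks whether a set of presented factors satisfies the two-category requirement. The factor-to-category mapping is a simplifying assumption and the factor names are hypothetical; the point it shows is that two factors from the same category, or a factor that is not an accepted element at all, fail the check.

```python
# Added example, not part of Adyen's platform: does a set of presented
# authentication factors satisfy SCA's "two of three categories" rule?
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows (password, PIN)
    POSSESSION = "possession"  # something they own (phone, card, hardware token)
    INHERENCE = "inherence"    # something they are (fingerprint, face)


# Hypothetical factor names mapped to SCA categories (assumption for this example).
# Printed card details (PAN, expiry, CVV) are deliberately absent: they are not
# an accepted element on their own, since they can be copied from the card.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "app_push": Category.POSSESSION,   # approval on the customer's registered device
    "otp_sms": Category.POSSESSION,    # one-time code sent to the registered phone
    "card_chip": Category.POSSESSION,  # cryptogram from the physical card
    "fingerprint": Category.INHERENCE,
    "face": Category.INHERENCE,
}


def satisfies_sca(factors):
    """Return (ok, reason).

    ok is True only when every presented factor is a known element and the
    factors span at least two distinct categories. A second factor from the
    same category (password + security question) adds nothing.
    """
    categories = set()
    unknown = []
    for name in factors:
        category = FACTOR_CATEGORY.get(name)
        if category is None:
            unknown.append(name)
        else:
            categories.add(category)
    if unknown:
        return False, "not an accepted SCA element: " + ", ".join(unknown)
    if len(categories) < 2:
        present = sorted(c.value for c in categories)
        return False, "only one category present: " + ", ".join(present)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample attempts, from weakest to strongest.
    for attempt in (["password"],
                    ["password", "security_question"],
                    ["password", "card_number"],
                    ["password", "app_push"],
                    ["fingerprint", "card_chip"]):
        ok, reason = satisfies_sca(attempt)
        print(f"{attempt!r:45} -> {'PASS' if ok else 'FAIL'} ({reason})")
```

The first three attempts fail: a single password, two knowledge factors, and a password paired with a card number, which is not an accepted element. The last two pass because they combine two different categories.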
How do I ensure my business is PSD2 compliant?
The fate of your payment authorisation rates could rest on a bank preferring one PSD2 SCA exemption over another. Or it might come down to how strictly a bank is enforcing or monitoring authentication. Perhaps it depends on which 3DS version you’re on. And what happens if one of these settings changes? This can happen, and there isn’t much notice when it does.
To keep ahead of the game, we’ve enriched our optimisation toolkit, RevenueAccelerate, using our machine learning intelligence to assess every transaction, beyond just exemptions. Through platform-wide data analysis, the Authentication Engine can surface insights as the PSD2 landscape matures. Plus, at a bank level, the Authentication Engine monitors patterns and acts on them in real time.
One example would be skipping the authentication step where regulation allows. This gives shoppers an uninterrupted checkout when we know the bank will authorise the transaction without a challenge via our 3DS product. We’re also able to spot a change in a bank’s exemption preferences as soon as it happens, so we can immediately see what works, reduce friction and improve authorisation.
Who is responsible for what in PSD2?
Different parties have different responsibilities throughout the PSD2 regulation process, which either dictate how a transaction is treated, or have a direct impact on authorisation rates. Our Authentication Engine covers all bases - no matter what the path.
National regulators of EEA countries
What they do:
Have autonomy to interpret and enforce PSD2 in different ways. Some may be stricter than others, so the application of the regulation differs country by country.
What the Authentication Engine does:
Completes 3D Secure only if it is mandated at that point in time; otherwise skips it.
Banks (issuers)
What they do:
Implement PSD2 based on the stance of their national regulator. Each bank may have a slightly different exemption appetite (i.e. prefer one type over another), level of 3D Secure readiness and interpretation of scheme rules compared to other banks in the same country.
What the Authentication Engine does:
Triggers frictionless checkout with liability shift. Optimises across 3D Secure 2.2, 2.1, 1.0 or none. Picks the ideal exemption path to achieve authorisation while minimising checkout friction.
Card schemes
What they do:
Have their own PSD2 rules and regulations that differ from other schemes. Provide national banks with guidance and technical solutions.
What the Authentication Engine does:
Finds the best path to reach the issuer in the most seamless way.
Looking to the future
SCA became mandatory as part of PSD2 in the UK in March 2022. Over time we may see new rollouts and rules, but with Adyen you can rest assured that, whatever the new regulations bring, you’ll be fully equipped.
Want to find out more?
See how our Authentication Engine can help you navigate PSD2.