Not so brief introduction to PSD2 and its impact on e-commerce
In recent years, the world of Internet payments has undergone a revolution at every level, hand in hand with the digitalization of the banking sector. These changes have been driven above all by the market, with new players that have reached international scale in a few years, as PayPal, Square, Stripe, Braintree, Adyen, Amazon Payments, Google Pay, Apple Pay, Coinbase and others did.
The change that has been perceived at an international level in the world of online card payments is thanks to the collaboration of these new players with large multinational payment processing companies such as Global Payments, VISA or MasterCard, among others.
In these synergies, each member has played their role perfectly. For their part, multinationals have provided their real-time communications network that allows card payments in most parts of the world. On the other hand, new companies have focused all their efforts on creating a better user experience for the buyer and for the merchant.
A fundamental change has also occurred in the payments ecosystem at a radically different scale.
In the same way that PayPal was able to position itself in its day, many other players have entered with forms of payment that do not use a card, or where the card is secondary, and so several local payment methods have emerged, such as Bizum in Spain.
Currently there are more than 350 payment methods worldwide and many of them in the US, LATAM and Asia. Consumers are gradually changing their preferences when it comes to making purchases and retailers are also adapting.
Especially from a technological point of view, all this change, together with a progressive migration of fraud in card purchases to virtual environments, has ended up forcing an update of the regulatory framework in Europe. The changes in the legal framework have taken the form of a new payment directive called Payment Service Directive 2, or as many already know it, the PSD2.
As you may have anticipated, PSD2 is taking over from what was PSD1 and, in this article, we are going to try to unravel some of the most important points about this regulation, and the great impact it has had on the European market.
OPEN BANKING
First, and moving the focus slightly away from the world of payments, we find a fundamental paradigm shift in the banking world. For this reason, it is important to understand the motivation for such a change at the regulatory level.
It has been more than 8 years since companies like Fintonic burst onto the market, promoting the use of banking services in aggregated form (connecting to and collecting information from different sources, such as several online banks). These companies offered the service thanks to techniques such as screen scraping or, to put it plainly, by impersonating the user with their explicit consent. They accessed bank accounts in an automated way, extracted information and performed actions such as reversing direct debits or issuing transfers on behalf of their customers.
These actions posed a security problem for everyone involved and a significant lack of traceability but, unfortunately, this was the only way to provide this type of service. The lack of capacity (and willingness) on the part of the banking sector to create the necessary communication mechanisms left room for this type of solution and, although for a time the banks fought against them, the technical capabilities of these new actors meant that those efforts practically always produced the same result: none.
Faced with this scenario, one of the problems PSD2 sets out to solve becomes clear: as of its entry into force in September 2019, all banks based in the European Economic Area had to expose a minimum set of APIs (Application Programming Interfaces) allowing third parties to query bank account statements and issue transfers from those accounts on behalf of their customers.
These APIs are obviously not public, but are exclusively consumable by so-called TPPs (Third Party Providers): account information service providers (AISPs) and payment initiation service providers (PISPs). These newly created roles require authorization from the regulator in order to operate, but they do not need a banking license, which makes obtaining authorization much easier.
The second of these licenses, the PISP one, allows companies to provide payment services by bank transfer. Large companies such as token.io are exploiting this type of payment, although it is not always attractive to buyers: if there is a cost per transfer, then paying in virtual stores will carry that cost too.
STRONG CUSTOMER AUTHENTICATION
Returning strictly to the world of payments, PSD2 has also brought a big change, especially with the generalized implementation of Strong Customer Authentication (SCA).
Strong customer authentication consists of requiring two security elements in order to access payment services. These two factors must belong to two different categories among the following:
- Something you have: something that the payment initiation service knows you have, for example: a physical credit card or a mobile device.
- Something that you are: some biometric element of your person such as, for example, a fingerprint or facial recognition, etc.
- Something you know: something that only you know, such as card details, a private pin, etc.
For example, when a payment is made, the customer must provide a temporary one-time code received on their mobile device (something that the customer has) and, in addition, a pin or password (something that the customer knows).
This is similar to some of the payment experiences we know of. In a physical environment, for example, the card is something we have and the pin something we know and, therefore, it doesn't change much. In an electronic environment, it does add significant friction to the payment process, making it difficult to execute and reducing the success or conversion rate.
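The two-category rule above is easy to get wrong: two factors from the same category (for example card details plus a PIN, both "something you know") do not count as SCA. The following is an added example, not code from the original article, that encodes the rule; the factor names and their category assignments (apart from "card details", which the article itself places under knowledge) are assumptions chosen for illustration.

```python
"""Added example (not from the original article): check that a set of
authentication factors satisfies the SCA two-category rule."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable


class Category(Enum):
    POSSESSION = "something you have"
    INHERENCE = "something you are"
    KNOWLEDGE = "something you know"


# Assumed mapping of factor names to SCA categories. "card_details" under
# KNOWLEDGE follows the article's wording; the other entries are assumptions.
FACTOR_CATEGORIES = {
    "otp_sms": Category.POSSESSION,          # one-time code received on the phone
    "registered_device": Category.POSSESSION,
    "physical_card": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_recognition": Category.INHERENCE,
    "pin": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "card_details": Category.KNOWLEDGE,
}


@dataclass(frozen=True)
class ScaResult:
    satisfied: bool
    categories: FrozenSet[Category]
    reason: str


def evaluate_sca(factors: Iterable[str]) -> ScaResult:
    """Return whether the presented factors cover at least two distinct
    SCA categories, with a human-readable reason for the outcome."""
    factors = list(factors)
    unknown = [f for f in factors if f not in FACTOR_CATEGORIES]
    if unknown:
        return ScaResult(False, frozenset(), f"unknown factors: {unknown}")
    categories = frozenset(FACTOR_CATEGORIES[f] for f in factors)
    if len(categories) >= 2:
        return ScaResult(True, categories, "two independent categories present")
    if len(factors) >= 2:
        # Several factors, but all from one category: not strong authentication.
        return ScaResult(False, categories, "all factors share a single category")
    return ScaResult(False, categories, "single factor only")


if __name__ == "__main__":
    for combo in (["otp_sms", "pin"], ["card_details", "pin"], ["fingerprint"]):
        result = evaluate_sca(combo)
        print(combo, "->", "SCA" if result.satisfied else "not SCA", "-", result.reason)
```

The second combination is the one worth noticing: knowing the card number, expiry and CVV and also knowing a password is still a single category, which is why the article's example pairs a one-time code on the device (possession) with a PIN (knowledge).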
It is this second scenario where the biggest challenge of this new regulation lies since, until the beginning of the year, operations without any type of authentication could still be found on most large high-volume platforms. We found clear examples of frictionless payments on Amazon, Vueling and other large companies with strong fraud analysis capabilities.
So, are 1-click purchases over? Are companies with recurring-payment models failing to comply? And how will phone payments work? Many such unknowns were raised at the end of 2019, and many of the answers are found in the regulation itself.
Several mechanisms have already been established to provide maximum security for buyers and sellers with the best possible payment experience. This is thanks to operations outside the scope of the regulation and to exemptions from authentication.
To understand it better, it is necessary to mention the out-of-scope operations, those to which the regulation does not apply, which are mainly these 4:
- The operations One Leg Out (those transactions where the bank that issued the buyer's card or the merchant does not belong to the EEA).
- Anonymous cards (mainly prepaid).
- MO/TO operations (or operations performed by mail or telephone).
- Merchant Initiated Transactions (MIT, transactions initiated by the merchant), which are generally the recurring ones.
On the other hand, there are the exemptions to authentication, which is where the technological proposal of each of the payment service providers has had to make the most effort. Here we find certain situations in which the card issuer may decide not to authenticate a transaction and, therefore, provide a frictionless payment experience for their customer.
In order to better understand how exemptions work, it is very important to highlight that, in a transaction, the two main actors are the merchant's acquirer and the card issuer. They provide the financial instruments that allow the transaction and are responsible for ensuring that there is no fraud by any of the parties to it. In the following paragraphs we get a little technical, so skip ahead if you prefer.
Thus, all parties have an interest in authenticating the transaction as the regulation requires but, on the other hand, this greatly hinders payment and limits sales conversion. Hence the "forced" technological evolution mentioned above.
Issuers will want to avoid authentication when they can classify a transaction as carrying a low risk of fraud, but doing so exposes them to having to cover the funds if fraud does occur.
Acquirers, for their part, will request exemptions from the issuer in order to improve the shopping experience of their customers (the merchants), but this likewise exposes them to having to cover the funds in case of fraud.
Additionally, even if an acquirer requests that a transaction be exempted, the issuer can always deny the request and authenticate it.
The solution that has been thought of is simple: information.
In order to maximize the number of unauthenticated transactions while keeping the risk of fraud as low as possible for everyone involved, a new authentication protocol called 3DS2 has been created. This protocol allows acquirers to collect more information about the buyer and share it with the card issuer, so that both parties can perform a fraud analysis in real time.
Within this protocol it is worth highlighting, for example, the information about the device with which the purchase is made and about the buyer themselves, such as their email, address or telephone number and, of course, their card details.
It is expected that there will be an increasing tendency to send information, not only in mandatory fields, but more optional fields to improve fraud detection engines throughout the ecosystem.
PSD2 establishes several grounds on which a transaction need not be authenticated; some can be applied by the issuer directly and others can be requested by the acquirer, although the issuer always has the last word. Below we highlight the most important grounds for requesting an exemption from SCA:
- Low value: when a transaction is below €30 this exemption can be requested. As with physical contactless transactions, no more than 5 transactions can be made under this exemption, nor may their total exceed €150.
- Corporate payments: designed for transactions carried out with a company card for corporate transactions.
- White-Listing: This exemption is still being implemented in many issuing banks and will allow us to select businesses where as users we do not want to be authenticated every time we execute a purchase.
- Recurring Payments: when we make frequent payments at a store, this exemption may be requested. This concept is quite ambiguous and for that reason its use is not recommended. In these cases, it is recommended to make charges through MIT.
- Low risk: transactions that have been analyzed for fraud in real time, and whose risk has been determined to be low, can request this exemption. It is by far the most recommended one. Its use is limited by a maximum amount: it can only be requested for transactions of up to €100, €250 or €500, depending on the acquirer you work with.
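The out-of-scope list and the exemption list above together form a decision procedure that an acquirer's payment platform has to run on every transaction before deciding whether to request authentication. The following is an added example, not code from the original article or from any payment provider, that models that procedure with the thresholds quoted in the text (€30, 5 transactions, €150; per-acquirer TRA limits of €100, €250 or €500). The transaction fields, the small EEA country list, the local counter store and the risk-score threshold are all assumptions; in reality the low-value counters live with the issuer, which, as the article stresses, keeps the last word.

```python
"""Added example (not from the original article): acquirer-side model of PSD2
SCA scoping and exemption requests, using the thresholds quoted in the text."""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of EEA countries, enough for the example.
EEA = {"ES", "DE", "FR", "IT", "NL", "PT", "IE", "BE", "AT"}

LOW_VALUE_LIMIT = 30.00            # article: transaction below 30 EUR
LOW_VALUE_MAX_COUNT = 5            # article: no more than 5 transactions
LOW_VALUE_MAX_CUMULATIVE = 150.00  # article: nor exceed 150 EUR in total
LOW_RISK_THRESHOLD = 0.2           # assumed: TRA score below this counts as low risk


@dataclass
class CardholderState:
    """Counters since the last SCA on this card (assumed local store)."""
    low_value_count: int = 0
    low_value_total: float = 0.0


@dataclass
class Transaction:
    amount: float                    # in EUR
    issuer_country: str
    acquirer_country: str
    merchant_initiated: bool = False
    mail_or_phone: bool = False
    anonymous_prepaid: bool = False
    corporate_card: bool = False
    whitelisted: bool = False
    risk_score: Optional[float] = None  # 0.0 safe .. 1.0 fraud, from a TRA engine


@dataclass
class Decision:
    sca_required: bool
    reason: str


def out_of_scope(tx: Transaction) -> Optional[str]:
    """Return the out-of-scope reason from the article's list, or None."""
    if tx.issuer_country not in EEA or tx.acquirer_country not in EEA:
        return "one-leg-out"
    if tx.anonymous_prepaid:
        return "anonymous card"
    if tx.mail_or_phone:
        return "MO/TO"
    if tx.merchant_initiated:
        return "merchant-initiated transaction"
    return None


def request_exemption(tx: Transaction, state: CardholderState, tra_limit: float) -> Optional[str]:
    """Return the exemption the acquirer would request, or None if SCA is needed."""
    if (tx.amount < LOW_VALUE_LIMIT
            and state.low_value_count + 1 <= LOW_VALUE_MAX_COUNT
            and state.low_value_total + tx.amount <= LOW_VALUE_MAX_CUMULATIVE):
        return "low value"
    if tx.corporate_card:
        return "corporate payment"
    if tx.whitelisted:
        return "whitelisting"
    if tx.risk_score is not None and tx.risk_score < LOW_RISK_THRESHOLD and tx.amount <= tra_limit:
        return "low risk (TRA)"
    return None


def decide(tx: Transaction, state: CardholderState, tra_limit: float = 250.0) -> Decision:
    """Full decision: scope check first, then exemptions, updating counters."""
    scope = out_of_scope(tx)
    if scope is not None:
        return Decision(False, f"out of scope: {scope}")
    exemption = request_exemption(tx, state, tra_limit)
    if exemption is None:
        # A successful SCA resets the low-value counters.
        state.low_value_count = 0
        state.low_value_total = 0.0
        return Decision(True, "no exemption applicable")
    if exemption == "low value":
        state.low_value_count += 1
        state.low_value_total += tx.amount
    return Decision(False, f"exemption requested: {exemption} (issuer has the last word)")


if __name__ == "__main__":
    state = CardholderState()
    for i in range(6):  # the sixth 25 EUR purchase exhausts the 5-transaction allowance
        print(i + 1, decide(Transaction(25.0, "ES", "ES"), state))
    print(decide(Transaction(400.0, "ES", "DE", risk_score=0.05), CardholderState(), tra_limit=250.0))
    print(decide(Transaction(400.0, "ES", "DE", risk_score=0.05), CardholderState(), tra_limit=500.0))
    print(decide(Transaction(400.0, "US", "ES"), CardholderState()))
```

Two behaviours are worth checking in the output: the sixth consecutive €25 purchase falls back to SCA even though each individual amount is under €30, and the same €400 low-risk transaction is exempt or not depending solely on which TRA limit the acquirer holds.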
As can be seen, there are quite a few new concepts that have been introduced during the last regulatory change and many of them are of a technological nature.
The fact is that, after the entry into force on January 1 of this year, a renewed network of financial institutions ready to help consumers and businesses to change is already in place.
Paying online is a gesture that has become part of everyday life for many of us, yet we are hardly aware of what happens behind the scenes every time we do it.
We hope that within the complexity of the above you can find explanations that will help you to familiarize yourself and better understand all these concepts, and if you need help on any topic, we will be here!