Guide: The most important points from PSD2
PSD2 (Payment Services Directive 2, Directive (EU) 2015/2366) is a European Union (EU) directive that sets common rules for payment services, including online card payments, across the EU28/EEA.
Member states had to transpose the directive into national law by the 13th of January 2018. It replaces the earlier PSD1 from 2007.
PSD2’s most important measures for merchants are the following:
- New Surcharging
- Strong Customer Authentication
1. New Surcharging
PSD2 will regulate what types of payment cards used in transactions can be surcharged. There are two distinct cases: consumer cards and business/corporate cards.
Consumer cards - payment cards (debit, credit etc.) issued to individuals for their personal needs. The cards are linked to the individual’s personal bank account and are used to buy consumer goods and services, e.g. food, clothing, gym memberships.
Business/corporate cards - payment cards (debit, credit etc.) issued in the name of a company for business-related purchases. The cards are linked to the company’s bank account and are used to buy business-related goods and services, e.g. a company car or a freelancer’s services.
1.1. Surcharging B2C transactions will be banned
Merchants may no longer surcharge customers who pay with consumer cards in B2C transactions; in other words, the card fee can no longer be passed on to the customer as a separate charge.
This measure applies to transactions within an EU28/EEA member state and across member-state borders, in online stores as well as physical (point-of-sale) stores.
Transactions that cannot be surcharged:
- Payment transactions made with consumer cards1 (debit/credit) like Visa, Mastercard, Dankort etc.
- Payment transactions made via direct debits or credit transfers in Euros (also known as SEPA payments)
1.2. Surcharging B2B transactions will still be permitted
Merchants may continue to surcharge customers who pay with business or corporate cards1 in B2B transactions.
What can I do about surcharging?
Importance of Visa and Mastercard
Despite the ban on surcharging consumer cards, accepting Visa and Mastercard payments across Europe remains vital for business growth.
Non-cash payments in Europe increased by 8.5% in 2016.
According to the European Central Bank, 122 billion non-cash payment transactions were made in Europe in 2016. 49% of these, or 59.6 billion transactions, were made with payment cards.
The value of these card transactions was 2.9 trillion Euros. According to the Nilson Report for 2016, they were split between the card schemes as follows:
- 66% with Visa
- 31% with Mastercard
- 3% with AMEX
- <1% other cards
Options to consider
- See where cost savings can be made in your company
- Include the card payment fees in the total price of your products/services
2. Strong Customer Authentication
PSD2 makes Strong Customer Authentication (SCA) mandatory for electronic payments, which in practice means Two-Factor Authentication (2FA)2. There is, however, a transition period (keep on reading).
Authentication - the process of checking that the customer making a payment in your webshop is the rightful holder of the card used in the transaction.
2FA is performed by asking the person making the purchase to provide at least two of the following three factors. The factors must be independent of each other: compromising one must not compromise the others.
The “something known” factor (e.g. a password or PIN known only to the cardholder; the card details printed on the card do not count as a knowledge factor, since anyone holding the card can read them)
The “something owned” factor (e.g. a one-time password (OTP) sent by SMS to the cardholder’s registered phone, a code generated by an authenticator app such as Google Authenticator enrolled on the registered device, or an on-screen QR code that must be scanned with that device)
The “something inherent” factor (e.g. a biometric such as a fingerprint, face or iris pattern, verified on the cardholder’s registered device)
NOTE. As a merchant you do not have to program or implement the authentication factors in your webshop yourself. Clearhaus exchanges the necessary information with your payment gateway and the cardholder’s issuing bank so that your webshop can offer 2FA or Multi-Factor Authentication.
The SCA transition period
Although PSD2 has been national law since the 13th of January 2018, SCA is not enforced until the Regulatory Technical Standards3 apply, at the earliest from the 14th of September 2019. Until then merchants, issuers and acquirers may choose not to apply SCA. The final deadline for the SCA measure is not yet certain; we will keep you updated on this issue.
Exemptions from the SCA measure
Recurring transactions (e.g. memberships, subscriptions)4
Contactless electronic payment transactions at point of sale (POS), but only if:
- the single transaction does not exceed 50 Euros, and
- since the last SCA, either the cumulative amount does not exceed 150 Euros or there have been no more than 5 consecutive transactions without authentication (the issuer applies one of the two counters)
Remote electronic payment transactions of low value5, but only if:
- the single transaction does not exceed 30 Euros, and
- since the last SCA, either the cumulative amount does not exceed 100 Euros or there have been no more than 5 consecutive transactions without authentication
Customers accessing the balance or recent transaction history of their payment accounts online6
Unattended terminals for transport fares and parking fees
Payments to self (i.e. when the payer and the payee are the same natural or legal person and both accounts are held at the same payment service provider)
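The contactless, low-value and recurring exemptions above are counters that the issuer keeps per card and resets every time SCA is applied. The following Python is an added example of that bookkeeping; it is not Clearhaus code and not taken from the RTS, the class and function names are invented here, and it takes the strict reading (an assumption) that the current transaction counts towards the cumulative limit, so a card can never run past the cap unauthenticated:

```python
"""Issuer-side bookkeeping for the SCA exemption thresholds in the PSD2 RTS:
Art. 11 (contactless at POS), Art. 16 (low-value remote) and Art. 14
(recurring). Amounts are integer euro cents to avoid float rounding."""
from dataclasses import dataclass, field
from enum import Enum


class Channel(Enum):
    CONTACTLESS = "contactless"   # RTS Art. 11
    REMOTE = "remote"             # RTS Art. 16


class Limit(Enum):
    AMOUNT = "amount"   # cumulative amount since the last SCA
    COUNT = "count"     # consecutive transactions since the last SCA


# Per channel: (single transaction max, cumulative max, consecutive max).
THRESHOLDS = {
    Channel.CONTACTLESS: (50_00, 150_00, 5),
    Channel.REMOTE: (30_00, 100_00, 5),
}


@dataclass
class CardCounters:
    """Counters for one card, kept per channel and reset on every SCA.
    The issuer applies ONE of the two cumulative limits (amount or count)."""
    limit: Limit = Limit.AMOUNT
    cumulative: dict = field(default_factory=lambda: {c: 0 for c in Channel})
    consecutive: dict = field(default_factory=lambda: {c: 0 for c in Channel})

    def may_exempt(self, channel: Channel, amount: int) -> bool:
        """True if this transaction may skip SCA under the channel's thresholds.
        Assumption: the strict reading, where the current transaction is
        counted towards the cumulative limit."""
        single_max, cum_max, count_max = THRESHOLDS[channel]
        if amount > single_max:
            return False
        if self.limit is Limit.AMOUNT:
            return self.cumulative[channel] + amount <= cum_max
        return self.consecutive[channel] + 1 <= count_max

    def record(self, channel: Channel, amount: int, sca_applied: bool) -> None:
        """Update the counters once the transaction has been processed."""
        if sca_applied:
            self.cumulative[channel] = 0
            self.consecutive[channel] = 0
        else:
            self.cumulative[channel] += amount
            self.consecutive[channel] += 1

    def authorise(self, channel: Channel, amount: int) -> bool:
        """Decide and record in one step. Returns True when SCA was required
        (and, in this simulation, assumed to succeed)."""
        exempt = self.may_exempt(channel, amount)
        self.record(channel, amount, sca_applied=not exempt)
        return not exempt


@dataclass
class RecurringSeries:
    """RTS Art. 14: the first payment of a series needs SCA; later payments
    are exempt only while payee and amount are unchanged."""
    payee: str
    amount: int
    authenticated: bool = False

    def needs_sca(self, payee: str, amount: int) -> bool:
        if not self.authenticated:
            return True
        return payee != self.payee or amount != self.amount

    def mark_authenticated(self) -> None:
        self.authenticated = True


def simulate(channel: Channel, amounts: list, limit: Limit = Limit.AMOUNT) -> list:
    """Run a sequence of transactions on a fresh card; returns one bool per
    transaction telling whether SCA was required."""
    card = CardCounters(limit=limit)
    return [card.authorise(channel, a) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: six 20 EUR remote payments; the sixth would push the
    # cumulative amount past 100 EUR and must be authenticated.
    print(simulate(Channel.REMOTE, [20_00] * 6))
    # A 35 EUR remote payment exceeds the 30 EUR single-transaction cap.
    print(simulate(Channel.REMOTE, [35_00]))
    gym = RecurringSeries(payee="gym", amount=30_00)
    print(gym.needs_sca("gym", 30_00))   # first payment of the series: SCA
    gym.mark_authenticated()
    print(gym.needs_sca("gym", 30_00), gym.needs_sca("gym", 35_00))
```

The counters are kept separately for contactless and remote transactions because the RTS sets separate thresholds for each channel; a successful SCA on either channel resets only that channel's counters here, which is the conservative choice if the issuer does not share state between them.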
To comply with the SCA measure from PSD2, the most practical option for a webshop is to implement 3-D Secure7 or to accept Apple Pay.
3-D Secure is a cardholder authentication protocol originally developed by Visa (Verified by Visa) and adopted by Mastercard (SecureCode) and other schemes. The cardholder is redirected to the issuing bank to authenticate before the purchase is authorised. For authenticated transactions, liability for fraud-related chargebacks shifts from the merchant to the issuing bank, which is the main protection 3-D Secure gives your business.
Apple Pay is a mobile payment and digital wallet service. The card is tokenised when it is added to the Wallet app: a device-specific account number, not the real card number, is stored in the phone’s Secure Element, and every payment must be approved with Touch ID, Face ID or the device passcode. Customers therefore never re-enter card details, and each payment already combines a possession factor (the phone) with an inherence or knowledge factor.
Clearhaus offers support for 3-D Secure and Apple Pay transactions. See our features.
1 - Consumer cards in a four-party scheme that are subject to the Interchange Fee Regulation.
The Interchange Fee Regulation (IFR) is an EU regulation that caps the interchange fee, i.e. the fee the acquirer pays the issuing bank (the customer’s bank) for each card transaction, at 0.2% of the transaction value for consumer debit cards and 0.3% for consumer credit cards.
Business and corporate (commercial) cards are not subject to these caps.
2 - Two independent factors are the minimum; an issuer may require more (Multi-Factor Authentication).
3 - The Regulatory Technical Standards (RTS) on strong customer authentication and secure communication were drafted by the European Banking Authority in close cooperation with the European Central Bank and specify the technical requirements for applying PSD2, including the SCA exemptions and thresholds listed above.
4 - The first transaction in a series of recurring payments must be authenticated with 2FA or Multi-Factor Authentication. Subsequent payments are exempt from SCA only as long as the payee and the amount stay the same every billing period; a change in amount requires a new authentication.
5 - Payment transactions initiated on the internet or through a device that can be used for distance communication.
6 - The first time a customer accesses the balance or transaction history of a payment account online, 2FA must be applied. The exemption then covers only the balance and transactions from the last 90 days, and 2FA must be applied again once more than 90 days have passed since the last authenticated access.
7 - SCA requires at least 3-D Secure version 1.0.2 in order to fully comply. 3-D Secure 2 adds fields for requesting the exemptions listed above and for frictionless, risk-based authentication, so it is the better fit for PSD2 going forward.