On 14 September 2019, the PSD2 (Second Payment Services Directive) will take effect, overhauling the way people pay for goods and services across the EU.
The legislation has been implemented to prevent fraud and to keep customers’ payment details secure during in-store, online and card-not-present transactions. It does this in two main ways.
The PSD2 toughens the verification system for card-not-present payments, requiring transactions to be confirmed with strong authentication. This process requires users to provide two or more pieces of information to access an account. For example, you might be asked to provide a password and answer a secret question.
Strong authentication is a less rigorous form of two-factor authentication (also known as multi-factor authentication), as it doesn’t require users to provide information from different factor classes:
- A knowledge factor (something you know, such as a password)
- A possession factor (something you have, such as a payment card)
- An inherent factor (something you are, such as a fingerprint scan)
Although you can use any factor with strong authentication, it generally refers to two knowledge factors, such as our example of a password and secret question. However, the widespread adoption of smart technology has given customers many more options when it comes to verifying payments.
Irmg writes: “Smart devices such as mobile phones and watches offer access to a number of quick and secure methods of authentication without the need for a card at all, whereas paying by card may still require a consumer to authenticate with another method and may still therefore require them to have a phone with them to make a card payment.”
That brings us to our second point.
More payment options
The PSD2 gives customers the option to pay for goods and services by transferring money directly from their bank account, rather than using a third-party payment card provider like Visa or Mastercard.
This is possible due to powers granted to what the PSD2 refers to as ‘PISPs’ (payment initiation service providers). A PISP is a service that can initiate a payment directly at the request of an end user. Think of it like an online bank transfer: you access your account and move money to someone else without an intermediary processing the transaction.
This system isn’t new. Anyone who uses services such as Sofort, Trustly or iDEAL will be used to being able to pay using an online banking tool rather than a credit or debit card.
A more common example is PayPal, which provides an analogous service. Users can transfer funds directly from one person to another without needing to access their bank account. It’s not exactly the same, because the PayPal account isn’t linked to the user’s bank account, but it provides the same security with even more convenience – under the PSD2, direct transfers can be used for all payment options rather than just online purchases.
This could lead to a greater push towards mobile payments and away from payment cards, mitigating the risk of cards being stolen or cloned.
To become a PISP, service providers must register with their country’s financial regulator. The regulator will then assess the organisation’s security measures and, if everything is in order, issue a licence.
Being licensed by one EU member state enables the service provider to operate across the EU.
Are you ready for PSD2?
Whether you want to become a PISP or not, the changes happening in the payment landscape mean it’s more important than ever to ensure that your organisation has the appropriate security controls in place.
You can evaluate your preparedness with the help of our cyber resilience services. We provide guidance and solutions to help keep your data secure and respond quickly in case disaster strikes.
Begin with our self-assessment. It takes five minutes to complete, and we’ll give you tailored advice about your organisation’s vulnerabilities and how to address them.