If you have a business, whether physical or online, you've heard about PSD2 and how this directive could affect your business. But do you realise the extent to which this directive will change your day-to-day life?
PSD2 - what is it?
PSD2 stands for Payment Services Directive 2 and is a European Union directive that aims to contribute to the creation of a more integrated, secure, efficient, innovative and transparent single market for payment services in Europe.
What are the main benefits of this directive?
PSD2 brings greater security to all parties involved, from consumers to businesses, including payment service providers, by requiring the adoption of authentication mechanisms to carry out payment transactions and to access account information (through home banking, mobile banking or other applications).
These authentication mechanisms combine two different elements, for example:
- Payment card + PIN
- Contactless card + PIN
- Username or password + Code received by SMS
- Notification to an app on the mobile phone, confirmed with PIN or fingerprint
This type of authentication is called Strong Authentication or SCA - Strong Customer Authentication.
In this way, PSD2 brings greater security, standardisation and transparency to the entire payments ecosystem, as well as offering new functionalities and services around them.
What will change with PSD2?
From the companies' point of view, there will be few changes compared to what already exists today, since the offer provided by REDUNIQ fulfils all the requirements of the new directive.
The most significant changes will be the responsibility of the financial organisations that issue payment cards, such as banks.
As far as face-to-face transactions are concerned, here are the main changes brought about by the new directive:
- If you carry out face-to-face transactions, you're already used to customers paying by card + PIN code. In this respect, one of the changes brought about by PSD2 concerns the magnetic stripe on the customer's card. When there are problems reading the chip, it is normal to fall back on the magnetic stripe. Soon, the use of the magnetic stripe will no longer be permitted for European cards, even when combined with the customer's PIN code.
- If you offer contactless payment: although the directive provides for some changes, the €20 limit for transactions without entering the customer's PIN code into the terminal will generally be maintained. This payment method is secure, as it fulfils all the security criteria of the international payment systems and builds on the traditional Chip & PIN method.
With regard to non-face-to-face transactions (e-commerce, call centre, etc.), the changes that will be felt are as follows:
- If you have a shop integrated with REDUNIQ E-commerce, or if you ask your customers to pay by e-mail with @Payments, you won't have to worry. These solutions already make it possible for the organisations that issue payment cards to strongly authenticate their customers (3D Secure protocol).
- If you have a sales centre or call centre where you receive your customers' payment card details in writing or by phone (MO/TO - mail order / telephone order), as long as you guarantee the PCI certification of your systems and have implemented mechanisms to identify and protect the data you receive, you won't have to make any changes either.
When customers are not technically present at the time of the transaction (neither face-to-face nor in an internet session), the directive recognises that it may not be possible for the issuing organisation to authenticate its customer. By following the appropriate procedures for the REDUNIQ MO/TO solution, these transactions will be exempt from strong authentication mechanisms.
- If you use the features of the REDUNIQ MO/TO solution to enter your customer's payment data received in writing or by telephone via the web interface that REDUNIQ makes available to you, and which ensures appropriate data protection procedures, you won't have to worry either. These transactions are also covered by the exemption mechanisms provided for in the directive.
- If you receive data from your customers via booking centres, you must follow all information protection procedures and carry out transactions via the REDUNIQ MO/TO solution or via the physical terminal (key-entered). If you use a physical terminal, you must ensure that you classify the origin of the data as "electronic". These situations are common, for example when a customer does not show up after a booking. In these situations, the directive stipulates that transactions will be exempt from strong authentication mechanisms.
But if little changes, why all the noise?
The main change resulting from the directive, as far as card payments are concerned, is mandatory two-factor authentication (SCA).
Most transactions in shops are already carried out in accordance with this requirement (when made with a chip + PIN card). However, since SCA has been mandatory for online purchases since 2015, all businesses must now adopt the procedures that allow the organisations that issue the cards to authenticate their customers.
This procedure is based on a protocol recognised internationally by Visa, Mastercard and the other international brands, called 3D Secure. With this protocol, once the customer has entered their card details in the merchant's online shop, the organisation that issued the card is able to authenticate the customer.
All these developments are aimed at reducing the number of situations in which customer authentication is requested, without there being any appreciable increase in the level of fraud risk.